Saltstack Official FirewallD Formula


  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. ipset:
  5. manage: True
  6. pkg: ipset
  7. installbackend: True
  8. backendpackage: nftables
  9. default_zone: public
  10. services:
  11. sshcustom:
  12. short: sshcustom
  13. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  14. ports:
  15. tcp:
  16. - 3232
  17. - 5252
  18. modules:
  19. - some_module_to_load
  20. destinations:
  21. ipv4:
  22. - 224.0.0.251
  23. - 224.0.0.252
  24. ipv6:
  25. - ff02::fb
  26. - ff02::fc
  27. zabbixcustom:
  28. short: Zabbixcustom
  29. description: "zabbix custom rule"
  30. ports:
  31. tcp:
  32. - "10051"
  33. salt-minion:
  34. short: salt-minion
  35. description: "salt-minion"
  36. ports:
  37. tcp:
  38. - "8000"
  39. ipsets:
  40. fail2ban-ssh:
  41. short: fail2ban-ssh
  42. description: fail2ban-ssh ipset
  43. type: 'hash:ip'
  44. options:
  45. maxelem:
  46. - 65536
  47. timeout:
  48. - 300
  49. hashsize:
  50. - 1024
  51. entries:
  52. - 10.0.0.1
  53. zones:
  54. public:
  55. short: Public
  56. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  57. services:
  58. - http
  59. - zabbixcustom
  60. - https
  61. - ssh
  62. - salt-minion
  63. rich_rules:
  64. - family: ipv4
  65. source:
  66. address: 8.8.8.8/24
  67. accept: true
  68. - family: ipv4
  69. ipset:
  70. name: fail2ban-ssh
  71. reject:
  72. type: icmp-port-unreachable
  73. ports:
  74. {% if grains['id'] == 'salt.example.com' %}
  75. - comment: salt-master
  76. port: 4505
  77. protocol: tcp
  78. - comment: salt-python
  79. port: 4506
  80. protocol: tcp
  81. {% endif %}
  82. - comment: zabbix-agent
  83. port: 10050
  84. protocol: tcp
  85. - comment: bacula-client
  86. port: 9102
  87. protocol: tcp
  88. - comment: vsftpd
  89. port: 21
  90. protocol: tcp
  91. direct:
  92. chain:
  93. MYCHAIN:
  94. ipv: ipv4
  95. table: raw
  96. rule:
  97. INTERNETACCESS:
  98. ipv: ipv4
  99. table: filter
  100. chain: FORWARD
  101. priority: "0"
  102. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  103. passthrough:
  104. MYPASSTHROUGH:
  105. ipv: ipv4
  106. args: "-t raw -A MYCHAIN -j DROP"