Saltstack Official FirewallD Formula

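  # FirewallD pillar examples:
# Everything below is example data for the formula; replace host names,
# addresses and interface names with values that match your environment.
firewalld:
  # Canonical lowercase booleans (Salt's YAML loader accepts True/False too,
  # but true/false is unambiguous across YAML 1.1 and 1.2 parsers).
  enabled: true
  ipset: true
  default_zone: public

  # Custom service definitions (rendered into firewalld service XML).
  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
        logging into and executing commands on remote machines. It provides
        secure encrypted communications. If you plan on accessing your
        machine remotely via SSH over a firewalled interface, enable this
        option. You need the openssh-server package installed for this
        option to be useful.
      ports:
        tcp:
          # Quoted so ports are strings like the other services below.
          - "3232"
          - "5252"
      modules:
        - some_module_to_load
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc
    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  # ipsets that rich rules can reference by name (see zones.public.rich_rules).
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      # Quoted: the bare value contains ':' which is a YAML indicator.
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        # Default lifetime (seconds) for entries added without an explicit
        # timeout — presumably what fail2ban relies on to expire bans; verify
        # against your fail2ban action configuration.
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming
        connections are accepted.
      services:
        - http
        - zabbixcustom
        - https
        - ssh
        - salt-minion
      rich_rules:
        # Example accept rule. 8.8.8.8/24 is a placeholder source range
        # written with host bits set (8.8.8.0/24 is the canonical form);
        # use a range you actually trust here.
        - family: ipv4
          source:
            address: 8.8.8.8/24
          accept: true
        # Reject anything listed in the fail2ban-ssh ipset defined above.
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      ports:
        # Only the master (matched by minion id) opens the Salt publish/return
        # ports. grains['id'] is the minion id bound to its accepted key and is
        # the one grain safe to key pillar data on; other grains are set by
        # the minion itself and must not gate security-relevant pillar data.
        {% if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        {% endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp

  # Direct rules bypass the zone model: args are handed to iptables as-is, so
  # review them as carefully as hand-written firewall rules. Interface names
  # (iintern/iextern) and the 192.168.1.0/24 range are examples.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: "-t raw -A MYCHAIN -j DROP"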