Saltstack Official FirewallD Formula


  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. IndividualCalls: 'no'
  5. LogDenied: 'off'
  6. AutomaticHelpers: 'system'
  7. FirewallBackend: 'nftables'
  8. FlushAllOnReload: 'yes'
  9. RFC3964_IPv4: 'yes'
  10. ipset:
  11. manage: True
  12. pkg: ipset
  13. # ipset: # Deprecated. Support for this format will be removed in future releases
  14. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  15. backend:
  16. manage: True
  17. pkg: nftables
  18. # installbackend: True # Deprecated. Will be removed in future releases
  19. # backendpackage: nftables # Deprecated. Will be removed in future releases
  20. default_zone: public
  21. services:
  22. sshcustom:
  23. short: sshcustom
  24. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  25. ports:
  26. tcp:
  27. - 3232
  28. - 5252
  29. modules:
  30. - some_module_to_load
  31. protocols:
  32. - igmp
  33. source_ports:
  34. tcp:
  35. - 21
  36. destinations:
  37. ipv4:
  38. - 224.0.0.251
  39. - 224.0.0.252
  40. ipv6:
  41. - ff02::fb
  42. - ff02::fc
  43. zabbixcustom:
  44. short: Zabbixcustom
  45. description: "zabbix custom rule"
  46. ports:
  47. tcp:
  48. - "10051"
  49. salt-minion:
  50. short: salt-minion
  51. description: "salt-minion"
  52. ports:
  53. tcp:
  54. - "8000"
  55. ipsets:
  56. fail2ban-ssh:
  57. short: fail2ban-ssh
  58. description: fail2ban-ssh ipset
  59. type: 'hash:ip'
  60. options:
  61. maxelem:
  62. - 65536
  63. timeout:
  64. - 300
  65. hashsize:
  66. - 1024
  67. entries:
  68. - 10.0.0.1
  69. fail2ban-ssh-ipv6:
  70. short: fail2ban-ssh-ipv6
  71. description: fail2ban-ssh-ipv6 ipset
  72. type: 'hash:ip'
  73. options:
  74. family:
  75. - inet6
  76. maxelem:
  77. - 65536
  78. timeout:
  79. - 300
  80. hashsize:
  81. - 1024
  82. entries:
  83. - 2a01::1
  84. zones:
  85. public:
  86. short: Public
  87. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  88. services:
  89. - http
  90. - zabbixcustom
  91. - https
  92. - ssh
  93. - salt-minion
  94. protocols:
  95. - igmp
  96. rich_rules:
  97. - family: ipv4
  98. source:
  99. address: 8.8.8.8/24
  100. accept: true
  101. - family: ipv4
  102. ipset:
  103. name: fail2ban-ssh
  104. reject:
  105. type: icmp-port-unreachable
  106. ports:
  107. {% if grains['id'] == 'salt.example.com' %}
  108. - comment: salt-master
  109. port: 4505
  110. protocol: tcp
  111. - comment: salt-python
  112. port: 4506
  113. protocol: tcp
  114. {% endif %}
  115. - comment: zabbix-agent
  116. port: 10050
  117. protocol: tcp
  118. - comment: bacula-client
  119. port: 9102
  120. protocol: tcp
  121. - comment: vsftpd
  122. port: 21
  123. protocol: tcp
  124. source_ports:
  125. - comment: something
  126. port: 2222
  127. protocol: tcp
  128. - comment: something_else
  129. port: 4444
  130. protocol: tcp
  131. direct:
  132. chain:
  133. MYCHAIN:
  134. ipv: ipv4
  135. table: raw
  136. rule:
  137. INTERNETACCESS:
  138. ipv: ipv4
  139. table: filter
  140. chain: FORWARD
  141. priority: "0"
  142. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  143. passthrough:
  144. MYPASSTHROUGH:
  145. ipv: ipv4
  146. args: "-t raw -A MYCHAIN -j DROP"