Saltstack Official FirewallD Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.

168 lines
3.7KB

  1. # yamllint disable rule:indentation rule:line-length
  2. # Amazon Linux AMI-2018
  3. ---
  4. values:
  5. AllowZoneDrifting: 'no'
  6. AutomaticHelpers: system
  7. FirewallBackend: nftables
  8. FlushAllOnReload: 'yes'
  9. IndividualCalls: 'no'
  10. LogDenied: 'off'
  11. RFC3964_IPv4: 'yes'
  12. arch: amd64
  13. backend:
  14. manage: true
  15. pkg: nftables
  16. config: /etc/firewalld.conf
  17. default_zone: public
  18. direct:
  19. chain:
  20. MYCHAIN:
  21. ipv: ipv4
  22. table: raw
  23. passthrough:
  24. MYPASSTHROUGH:
  25. args: -t raw -A MYCHAIN -j DROP
  26. ipv: ipv4
  27. rule:
  28. INTERNETACCESS:
  29. args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
  30. -j ACCEPT
  31. chain: FORWARD
  32. ipv: ipv4
  33. priority: '0'
  34. table: filter
  35. enabled: true
  36. ipset:
  37. manage: true
  38. pkg: ipset
  39. ipsets:
  40. fail2ban-ssh:
  41. description: fail2ban-ssh ipset
  42. entries:
  43. - 10.0.0.1
  44. options:
  45. hashsize:
  46. - 1024
  47. maxelem:
  48. - 65536
  49. timeout:
  50. - 300
  51. short: fail2ban-ssh
  52. type: hash:ip
  53. fail2ban-ssh-ipv6:
  54. description: fail2ban-ssh-ipv6 ipset
  55. entries:
  56. - 2a01::1
  57. options:
  58. family:
  59. - inet6
  60. hashsize:
  61. - 1024
  62. maxelem:
  63. - 65536
  64. timeout:
  65. - 300
  66. short: fail2ban-ssh-ipv6
  67. type: hash:ip
  68. package: firewalld
  69. service: firewalld
  70. services:
  71. salt-minion:
  72. description: salt-minion
  73. ports:
  74. tcp:
  75. - '8000'
  76. short: salt-minion
  77. sshcustom:
  78. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
  79. logging into and executing commands on remote machines. It provides secure
  80. encrypted communications. If you plan on accessing your machine remotely
  81. via SSH over a firewalled interface, enable this option. You need the openssh-server
  82. package installed for this option to be useful.
  83. destinations:
  84. ipv4:
  85. - 224.0.0.251
  86. - 224.0.0.252
  87. ipv6:
  88. - ff02::fb
  89. - ff02::fc
  90. modules:
  91. - some_module_to_load
  92. ports:
  93. tcp:
  94. - 3232
  95. - 5252
  96. protocols:
  97. - igmp
  98. short: sshcustom
  99. source_ports:
  100. tcp:
  101. - 21
  102. zabbixcustom:
  103. description: zabbix custom rule
  104. ports:
  105. tcp:
  106. - '10051'
  107. short: Zabbixcustom
  108. zones:
  109. public:
  110. description: For use in public areas. You do not trust the other computers
  111. on networks to not harm your computer. Only selected incoming connections
  112. are accepted.
  113. other_services:
  114. - zabbixcustom
  115. ports:
  116. - comment: zabbix-agent
  117. port: 10050
  118. protocol: tcp
  119. - comment: bacula-client
  120. port: 9102
  121. protocol: tcp
  122. - comment: vsftpd
  123. port: 21
  124. protocol: tcp
  125. protocols:
  126. - igmp
  127. rich_rules:
  128. - accept: true
  129. family: ipv4
  130. source:
  131. address: 8.8.8.8/24
  132. - family: ipv4
  133. ipset:
  134. name: fail2ban-ssh
  135. reject:
  136. type: icmp-port-unreachable
  137. services:
  138. - http
  139. - https
  140. - ssh
  141. - salt-minion
  142. short: Public
  143. source_ports:
  144. - comment: something
  145. port: 2222
  146. protocol: tcp
  147. - comment: something_else
  148. port: 4444
  149. protocol: tcp
  150. rich_public:
  151. description: Example
  152. rich_rules:
  153. http-priority:
  154. accept: true
  155. ipsets:
  156. - other-ipset
  157. priority: 15
  158. services:
  159. - http
  160. ssh-csg:
  161. accept: true
  162. ipsets:
  163. - fail2ban-ssh
  164. - other-ipset
  165. services:
  166. - ssh
  167. short: rich_public