Saltstack Official UFW Formula
.. _readme:

ufw-formula
===========

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/ufw-formula.svg?branch=master
   :alt: Travis CI Build Status
   :scale: 100%
   :target: https://travis-ci.com/saltstack-formulas/ufw-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
   :alt: Semantic Release
   :scale: 100%
   :target: https://github.com/semantic-release/semantic-release
Formula to set up and configure ufw.

.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.

Available states
----------------

.. contents::
   :local:

``ufw``
^^^^^^^

Installs and configures the ufw package.

``ufw.package``
^^^^^^^^^^^^^^^

Installs the ufw package.

``ufw.config``
^^^^^^^^^^^^^^
This state manages the file ``ufw.conf`` under ``/etc/ufw`` (the template is found in ``ufw/files``). The configuration is populated by values in ``ufw/map.jinja``, based on the package's default values (with RedHat, Debian, Suse and Arch family distribution-specific values), which can then be overridden by values of the same name in pillar.
Usage
-----

All the configuration for the firewall is done via pillar (see ``pillar.example``).

Enable the firewall, applying the default configuration:

.. code-block:: yaml

    ufw:
      enabled: True

Allow 80/tcp (http) traffic from only two remote addresses:

.. code-block:: yaml

    ufw:
      services:
        http:
          protocol: tcp
          from_addr:
            - 10.0.2.15
            - 10.0.2.16

Allow 443/tcp (https) traffic from network 10.0.0.0/8 to a specific local IP:

.. code-block:: yaml

    ufw:
      services:
        https:
          protocol: tcp
          from_addr:
            - 10.0.0.0/8
          to_addr: 10.0.2.1

Allow from a service port:

.. code-block:: yaml

    ufw:
      services:
        smtp:
          protocol: tcp

Allow from a specific port, by number:

.. code-block:: yaml

    ufw:
      services:
        139:
          protocol: tcp

Allow from a range of ports, udp:

.. code-block:: yaml

    ufw:
      services:
        "10000:20000":
          protocol: udp

Allow from a range of ports, tcp and udp:

.. code-block:: yaml

    ufw:
      services:
        "10000:20000/tcp":
          to_port: "10000:20000"
          protocol: tcp
        "10000:20000/udp":
          to_port: "10000:20000"
          protocol: udp

Allow from two specific ports, udp:

.. code-block:: yaml

    ufw:
      services:
        "30000,40000":
          protocol: udp

Allow an application defined at ``/etc/ufw/applications.d/``:

.. code-block:: yaml

    ufw:
      applications:
        - OpenSSH

Allow generic traffic on ens7, allow one IP to access port 22, and explicitly block all others:

.. code-block:: yaml

    ufw:
      interfaces:
        ens7:
          services:
            22:
              protocol: tcp
              to_port: 22
              from_addr:
                - 192.168.1.1
            22/deny:
              protocol: tcp
              to_port: 22
              deny: true
              force_first: false
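The pillar examples above describe rules, not the commands ufw will receive. The following added example (not part of the ufw-formula, and not its Jinja rendering) expands the ``services``, ``applications`` and ``interfaces`` pillar layout into ufw full-syntax rules so a pillar can be reviewed before a highstate applies it. The pillar-to-rule mapping, the emitted order, and the ``expand_service`` / ``pillar_to_rules`` names are this example's own assumptions; ``force_first`` is not modelled.

```python
# Added example, not part of the ufw-formula: expand the pillar layout from
# this README into ufw full-syntax rules so a pillar can be reviewed before
# a highstate applies it. The pillar-to-rule mapping is an assumption drawn
# from the README examples, not the formula's own Jinja rendering.

def expand_service(name, spec, iface=None):
    """Return one ufw rule per source address for a single services entry."""
    cmd = ["ufw", "deny" if spec.get("deny") else "allow"]
    if iface:
        cmd += ["in", "on", iface]
    if spec.get("protocol"):
        cmd += ["proto", spec["protocol"]]
    # Keys such as "22/deny" carry a qualifier after the slash; the port (or
    # service name, or range) is the part before it unless to_port overrides.
    port = str(spec.get("to_port", str(name).split("/")[0]))
    to_addr = str(spec.get("to_addr", "any"))
    return [" ".join(cmd + ["from", str(src), "to", to_addr, "port", port])
            for src in (spec.get("from_addr") or ["any"])]


def pillar_to_rules(pillar):
    """Flatten ufw:services, ufw:applications and ufw:interfaces into rules.
    Per-interface service rules come before the interface-wide allow: ufw
    matches in order, so a generic allow first would shadow the specific deny.
    The formula's real ordering (e.g. force_first) is not modelled here."""
    ufw, rules = pillar["ufw"], []
    for name, spec in ufw.get("services", {}).items():
        rules += expand_service(name, spec)
    for app in ufw.get("applications", []):
        rules.append(f"ufw allow {app}")  # profile in /etc/ufw/applications.d/
    for iface, cfg in ufw.get("interfaces", {}).items():
        for name, spec in cfg.get("services", {}).items():
            rules += expand_service(name, spec, iface)
        rules.append(f"ufw allow in on {iface}")
    return rules


# Constructed pillar that combines several of the README examples above.
SAMPLE_PILLAR = {"ufw": {
    "services": {
        "http": {"protocol": "tcp", "from_addr": ["10.0.2.15", "10.0.2.16"]},
        "10000:20000": {"protocol": "udp"},
    },
    "applications": ["OpenSSH"],
    "interfaces": {"ens7": {"services": {
        22: {"protocol": "tcp", "to_port": 22, "from_addr": ["192.168.1.1"]},
        "22/deny": {"protocol": "tcp", "to_port": 22, "deny": True},
    }}},
}}
```

Running ``pillar_to_rules(SAMPLE_PILLAR)`` lists the rules in the order they would be added; compare it against ``ufw status numbered`` on a converged instance to confirm the specific deny on port 22 is not shadowed by a broader allow.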
Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

   $ gem install bundler
   $ bundle install
   $ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``ufw`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.