- .. _readme:
-
- ufw-formula
- ===========
-
- |img_travis| |img_sr|
-
- .. |img_travis| image:: https://travis-ci.com/saltstack-formulas/ufw-formula.svg?branch=master
- :alt: Travis CI Build Status
- :scale: 100%
- :target: https://travis-ci.com/saltstack-formulas/ufw-formula
- .. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
- :alt: Semantic Release
- :scale: 100%
- :target: https://github.com/semantic-release/semantic-release
-
- Formula to set up and configure ufw
-
- .. contents:: **Table of Contents**
-
- General notes
- -------------
-
- See the full `SaltStack Formulas installation and usage instructions
- <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
-
- If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
- <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.
-
- If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
- which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.
-
- See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.
-
- Contributing to this repo
- -------------------------
-
- **Commit message formatting is significant!!**
-
- Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.
-
- Available states
- ----------------
-
- .. contents::
- :local:
-
- ``ufw``
- ^^^^^^^
- Installs and configures the ufw package.
-
- ``ufw.package``
- ^^^^^^^^^^^^^^^
- Installs the ufw package.
-
- ``ufw.config``
- ^^^^^^^^^^^^^^
- This state manages the file ``ufw.conf`` under ``/etc/ufw`` (template found in "ufw/files"). The configuration is populated by values in "ufw/map.jinja" based on the package's default values (and RedHat, Debian, Suse and Arch family distribution specific values), which can then be overridden by values of the same name in pillar.
-
-
- Usage
- -----
-
- All the configuration for the firewall is done via pillar (pillar.example).
-
- Enable firewall, applying default configuration:
-
- .. code-block:: javascript
-
- ufw:
- enabled: True
-
- Allow 80/tcp (http) traffic from only two remote addresses:
-
- .. code-block::
-
- ufw:
- services:
- http:
- protocol: tcp
- from_addr:
- - 10.0.2.15
- - 10.0.2.16
-
- Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip:
-
- .. code-block::
-
- ufw:
- services:
- https:
- protocol: tcp
- from_addr:
- - 10.0.0.0/8
- to_addr: 10.0.2.1
-
- Allow from a service port:
-
- .. code-block::
-
- ufw:
- services:
- smtp:
- protocol: tcp
-
- Allow from an specific port, by number:
-
- .. code-block::
-
- ufw:
- services:
- 139:
- protocol: tcp
-
- Allow from a range of ports, udp:
-
- .. code-block::
-
- ufw:
- services:
- "10000:20000":
- protocol: udp
-
- Allow from a range of ports, tcp and udp
-
- .. code-block::
-
- ufw:
- services:
- "10000:20000/tcp":
- to_port: "10000:20000"
- protocol: tcp
- "10000:20000/udp":
- to_port: "10000:20000"
- protocol: udp
-
- Allow from two specific ports, udp:
-
- .. code-block::
-
- ufw:
- services:
- "30000,40000":
- protocol: udp
-
- Allow an application defined at /etc/ufw/applications.d/:
-
- .. code-block::
-
- ufw:
- applications:
- - OpenSSH
-
- Allow generic traffic on ens7, and allow 1 ip to access port 22 and explicitly block all others:
-
- .. code-block::
-
- ufw:
- interfaces:
- ens7:
- services:
- 22:
- protocol: tcp
- to_port: 22
- from_addr:
- - 192.168.1.1
- 22/deny:
- protocol: tcp
- to_port: 22
- deny: true
- force_first: false
-
- Testing
- -------
-
- Linux testing is done with ``kitchen-salt``.
-
- Requirements
- ^^^^^^^^^^^^
-
- * Ruby
- * Docker
-
- .. code-block:: bash
-
- $ gem install bundler
- $ bundle install
- $ bin/kitchen test [platform]
-
- Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
- e.g. ``debian-9-2019-2-py3``.
-
- ``bin/kitchen converge``
- ^^^^^^^^^^^^^^^^^^^^^^^^
-
- Creates the docker instance and runs the ``ufw`` main state, ready for testing.
-
- ``bin/kitchen verify``
- ^^^^^^^^^^^^^^^^^^^^^^
-
- Runs the ``inspec`` tests on the actual instance.
-
- ``bin/kitchen destroy``
- ^^^^^^^^^^^^^^^^^^^^^^^
-
- Removes the docker instance.
-
- ``bin/kitchen test``
- ^^^^^^^^^^^^^^^^^^^^
-
- Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
-
- ``bin/kitchen login``
- ^^^^^^^^^^^^^^^^^^^^^
-
- Gives you SSH access to the instance for manual testing.
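Review bot: deleting README.rst wholesale removes the only documentation of the pillar schema this formula consumes (`enabled`, `services` with `protocol`/`from_addr`/`to_addr`/`to_port`/`deny`/`force_first`, `interfaces`, `applications`) and of the `kitchen-salt` workflow, and nothing in this diff shows where that content goes; the commit should either restore it or state where the documentation now lives so users of the formula can still find the supported keys. If the text is being relocated, the move is the moment to correct the first usage example, which is tagged `.. code-block:: javascript` although its body (`ufw:` / `enabled: True`) is YAML, and to give the remaining bare `.. code-block::` directives an explicit `yaml` language so the examples render with highlighting.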