
pillar.example 2.4KB

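  # Example pillar for the ufw formula. Every key under `ufw` is optional and
  # shown here only to illustrate the accepted shape.
  # NOTE(review): indentation was reconstructed from a flattened listing; the
  # nesting of `sysctl` (placed directly under `ufw` here) should be confirmed
  # against the pillar paths the formula's states actually read.
  ufw:
    enabled: true
    settings:
      loglevel: low
      ipv6: true
      default_input_policy: 'DROP'
      default_output_policy: 'ACCEPT'
      default_forward_policy: 'DROP'
      default_application_policy: 'SKIP'
      manage_builtins: false
      ipt_sysctl: '/etc/ufw/sysctl.conf'
      ipt_modules:
        - nf_conntrack_ftp
        - nf_nat_ftp
        - nf_conntrack_netbios_ns
    # Kernel parameters for the ufw sysctl file. These are example values, not
    # a hardening baseline: tcp_syncookies=0 and log_martians=0 leave SYN-flood
    # mitigation and martian-packet logging off, and forwarding=1 turns the host
    # into a router. Set them to match the host's role.
    sysctl:
      forwarding: 1
      rp_filter: 1
      accept_source_route: 0
      accept_redirects: 0
      icmp_echo_ignore_broadcasts: 1
      icmp_ignore_bogus_error_responses: 1
      icmp_echo_ignore_all: 0
      log_martians: 0
      tcp_syncookies: 0
      tcp_sack: 1
      ipv6_autoconf: 1
      use_tempaddr: 1
    # Each key is a service name or port spec; each value describes one rule.
    # Port keys are quoted so YAML reads them as strings rather than integers.
    services:
      # Allow 80/tcp (http) traffic from only two remote addresses.
      http:
        protocol: tcp
        from_addr:
          - 10.0.2.15
          - 10.0.2.16
        comment: Upstream loadbalancers
      # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to a specific local ip.
      https:
        protocol: tcp
        from_addr:
          - 10.0.0.0/8
        to_addr: 10.0.2.1
        comment: Intraweb portal
      # Allow from a service port.
      smtp:
        protocol: tcp
        comment: Mail relay
      # Allow from a specific port, by number.
      '139':
        protocol: tcp
        comment: Netbios
      # Deny from a specific port, by number.
      '140':
        protocol: tcp
        deny: true
      # Deny everything from a specific ip address.
      # '*' is quoted because a bare asterisk is YAML alias syntax.
      '*':
        protocol: tcp
        deny: true
        from_addr: 10.0.0.1
      # Deny everything from multiple ip addresses and avoid
      # conflicts with already defined service '*'
      '*/multiple':
        to_port: '*'
        protocol: tcp
        deny: true
        from_addr:
          - 10.0.0.2
          - 10.0.0.3
      # Limit (rate-limit) a specific port, by number.
      '170':
        limit: true
        protocol: tcp
        comment: Print service
      # Allow from a range of ports, udp.
      "10000:20000":
        protocol: udp
        comment: We need ports, lots of ports
      # Allow from two specific ports, udp.
      "30000,40000":
        protocol: udp
        comment: Game server and admin
    # Allow applications defined at /etc/ufw/applications.d/
    applications:
      OpenSSH:
        enabled: true
        comment: We are using fail2ban anyway
      # Limit access to salt master
      Saltmaster:
        limit: true
      # Deny access to Postgresql
      Postgresql:
        deny: true
    # Allow all traffic in on the specified interface
    interfaces:
      eth1:
        comment: Honey pot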