Paul
3 年前
+ 5
- 2
_states/ufw.py
查看文件
| @@ -192,9 +192,12 @@ def default_outgoing(name, default): | |||
| def deny(name, app=None, interface=None, protocol=None, | |||
| from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None): | |||
| from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None, force_first=True): | |||
| return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment) | |||
| if force_first is False: | |||
| return _add_rule('deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment) | |||
| else: | |||
| return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment) | |||
| def limit(name, app=None, interface=None, protocol=None, | |||
+ 19
- 0
docs/README.rst
查看文件
| @@ -151,6 +151,25 @@ Allow an application defined at /etc/ufw/applications.d/: | |||
| applications: | |||
| - OpenSSH | |||
| Allow generic traffic on ens7, and allow 1 ip to access port 22 and explicitly block all others: | |||
| .. code-block:: | |||
| ufw: | |||
| interfaces: | |||
| ens7: | |||
| services: | |||
| 22: | |||
| protocol: tcp | |||
| to_port: 22 | |||
| from_addr: | |||
| - 192.168.1.1 | |||
| 22/deny: | |||
| protocol: tcp | |||
| to_port: 22 | |||
| deny: true | |||
| force_first: false | |||
| Testing | |||
| ------- | |||
+ 3
- 1
pillar.example
查看文件
| @@ -61,10 +61,12 @@ ufw: | |||
| protocol: tcp | |||
| comment: Netbios | |||
| # Deny from a specific port, by number. | |||
| # Deny from a specific port, by number, but don't force | |||
| # the rule as the first rule in the ufw state | |||
| 140: | |||
| protocol: tcp | |||
| deny: true | |||
| force_first: false | |||
| # Deny everything from a specific ip address | |||
| '*': | |||
+ 5
- 0
test/salt/pillar/default.sls
查看文件
| @@ -34,3 +34,8 @@ ufw: | |||
| '443': | |||
| protocol: tcp | |||
| comment: Allow HTTPS | |||
| '1000': | |||
| protocol: tcp | |||
| deny: true | |||
| force_first: false | |||
| comment: Deny 1000 not as first | |||
+ 9
- 5
ufw/config/applications.sls
查看文件
| @@ -22,11 +22,12 @@ include: | |||
| {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %} | |||
| {%- for from_addr in from_addrs %} | |||
| {%- set deny = app_details.get('deny', None) %} | |||
| {%- set limit = app_details.get('limit', None) %} | |||
| {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | |||
| {%- set to_addr = app_details.get('to_addr', None) %} | |||
| {%- set comment = app_details.get('comment', None) %} | |||
| {%- set deny = app_details.get('deny', None) %} | |||
| {%- set force_first = app_details.get('force_first', None) %} | |||
| {%- set limit = app_details.get('limit', None) %} | |||
| {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | |||
| {%- set to_addr = app_details.get('to_addr', None) %} | |||
| {%- set comment = app_details.get('comment', None) %} | |||
| {%- if from_addr is not none %} | |||
| ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}: | |||
| @@ -35,6 +36,9 @@ ufw-app-{{ method }}-{{ app_name }}: | |||
| {%- endif %} | |||
| ufw.{{ method }}: | |||
| - app: '"{{ app_name }}"' | |||
| {%- if force_first is not none %} | |||
| - force_first: {{ force_first }} | |||
| {%- endif %} | |||
| {%- if from_addr is not none %} | |||
| - from_addr: {{ from_addr }} | |||
| {%- endif %} | |||
+ 12
- 8
ufw/config/services.sls
查看文件
| @@ -22,20 +22,24 @@ include: | |||
| {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %} | |||
| {%- for from_addr in from_addrs %} | |||
| {%- set protocol = service_details.get('protocol', None) %} | |||
| {%- set deny = service_details.get('deny', None) %} | |||
| {%- set limit = service_details.get('limit', None) %} | |||
| {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | |||
| {%- set from_port = service_details.get('from_port', None) %} | |||
| {%- set to_addr = service_details.get('to_addr', None) %} | |||
| {%- set to_port = service_details.get('to_port', service_name) %} | |||
| {%- set comment = service_details.get('comment', None) %} | |||
| {%- set protocol = service_details.get('protocol', None) %} | |||
| {%- set deny = service_details.get('deny', None) %} | |||
| {%- set force_first = service_details.get('force_first', None) %} | |||
| {%- set limit = service_details.get('limit', None) %} | |||
| {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %} | |||
| {%- set from_port = service_details.get('from_port', None) %} | |||
| {%- set to_addr = service_details.get('to_addr', None) %} | |||
| {%- set to_port = service_details.get('to_port', service_name) %} | |||
| {%- set comment = service_details.get('comment', None) %} | |||
| ufw-svc-{{ method }}-{{ service_name }}-{{ from_addr }}: | |||
| ufw.{{ method }}: | |||
| {%- if protocol is not none %} | |||
| - protocol: {{ protocol }} | |||
| {%- endif %} | |||
| {%- if force_first is not none %} | |||
| - force_first: {{ force_first }} | |||
| {%- endif %} | |||
| {%- if from_addr is not none %} | |||
| - from_addr: {{ from_addr }} | |||
| {%- endif %} | |||
正在加载...