8 år sedan · fdebd369b9
--- a/_states/ufw.py
+++ b/_states/ufw.py
@@ -30,7 +30,20 @@ def _resolve(host):
 def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port):
    cmd = [method]
    if app is not None:
        cmd.append(app)
      cmd.append("from")
      if from_addr is not None:
        cmd.append(from_addr)
      else:
        cmd.append("any")

      cmd.append("to")
      if to_addr is not None:
        cmd.append(to_addr)
      else:
        cmd.append("any")

      cmd.append("app")
      cmd.append(app)
    elif interface is not None:
    	cmd.append("in")
    	cmd.append("on")
--- a/pillar.example
+++ b/pillar.example
@@ -2,6 +2,33 @@ ufw:

  enabled: True

  settings:
    ipv6: True
    default_input_policy: 'DROP'
    default_output_policy: 'ACCEPT'
    default_forward_policy: 'DROP'
    default_application_policy: 'SKIP'
    manage_builtins: False
    ipt_sysctl: '/etc/ufw/sysctl.conf'
    ipt_modules:
      - nf_conntrack_ftp
      - nf_nat_ftp
      - nf_conntrack_netbios_ns

  sysctl:
    forwarding: 1
    rp_filter: 1
    accept_source_route: 0
    accept_redirects: 0
    icmp_echo_ignore_broadcasts: 1
    icmp_ignore_bogus_error_responses: 1
    icmp_echo_ignore_all: 0
    log_martians: 0
    tcp_syncookies: 0
    tcp_sack: 1
    ipv6_autoconf: 1
    use_tempaddr: 1

  services:

    # Allow 80/tcp (http) traffic from only two remote addresses.
@@ -36,8 +63,9 @@ ufw:

  # Allow an application defined at /etc/ufw/applications.d/
  applications:
    - OpenSSH
    OpenSSH:
      enabled: True

  # Allow all traffic in on the specified interface
  interfaces:
    - eth1
    - eth1
--- a/ufw/init.sls
+++ b/ufw/init.sls
@@ -1,12 +1,33 @@
 # UFW management module
 {%- set ufw = pillar.get('ufw', {}) %}
 {%- if ufw.get('enabled', False) %}
 {% set default_template = ufw.get('default_template', 'salt://ufw/templates/default.jinja') -%}
 {% set sysctl_template = ufw.get('sysctl_template', 'salt://ufw/templates/sysctl.jinja') -%}

 ufw:
  pkg:
    - installed
  pkg.installed:
    - name: ufw
  service.running:
    - enable: True
    - watch:
      - file: /etc/default/ufw
      - file: /etc/ufw/sysctl.conf

 /etc/default/ufw:
  file.managed:
    - template: jinja
    - user: root
    - group: root
    - mode: 644
    - source: {{ default_template }}

 /etc/ufw/sysctl.conf:
  file.managed:
    - template: jinja
    - user: root
    - group: root
    - mode: 644
    - source: {{ sysctl_template }}

  {%- if ufw.get('defaults', {}).get('incoming', False) %}

@@ -59,14 +80,28 @@ ufw-svc-{{service_name}}-{{from_addr}}:
  {%- endfor %}

  # Applications
  {%- for app_name in ufw.get('applications', []) %}

  {%- for app_name, app_details in ufw.get('applications', {}).items() %}
    
    {%- for from_addr in app_details.get('from_addr', [None]) %}
      {%- set to_addr = app_details.get('to_addr', None) %}

 {%- if from_addr != None%}
 ufw-app-{{app_name}}-{{from_addr}}:
 {%- else %}
 ufw-app-{{app_name}}:
 {%- endif %}
  ufw.allowed:
    - app: {{app_name}}
    - app: '"{{app_name}}"'
    {%- if from_addr != None %}
    - from_addr: {{from_addr}}
    {%- endif %}
    {%- if to_addr != None %}
    - to_addr: {{to_addr}}
    {%- endif %}
    - require:
      - pkg: ufw

    {%- endfor %}
  {%- endfor %}
  
  # Interfaces
@@ -96,6 +131,12 @@ enable-ufw:
    - require:
      - pkg: ufw

 disable-logging:
  cmd.run:
    - name: ufw logging off
    - unless: "grep 'LOGLEVEL=off' /etc/ufw/ufw.conf"


 {% else %}
  #ufw:
    #ufw:
--- a/ufw/python.sls
+++ b/ufw/python.sls
@@ -0,0 +1,3 @@
 python-ufw:
  pkg.installed:
    - name: python-ufw
--- a/ufw/templates/default.jinja
+++ b/ufw/templates/default.jinja
@@ -0,0 +1,56 @@
 {% set ufw_cfg = pillar.get('ufw', {}) -%}
 {% set settings_cfg = ufw_cfg.get('settings', {}) -%}
 {% set ipv6 = "yes" if settings_cfg.get('ipv6', True) else "no" -%}
 {% set default_input_policy = settings_cfg.get('default_input_policy', 'DROP') -%}
 {% set default_output_policy = settings_cfg.get('default_output_policy', 'ACCEPT') -%}
 {% set default_forward_policy = settings_cfg.get('default_forward_policy', 'DROP') -%}
 {% set default_application_policy = settings_cfg.get('default_application_policy', 'SKIP') -%}
 {% set manage_builtins = "yes" if settings_cfg.get('manage_builtins', False) else "no" -%}
 {% set ipt_sysctl = settings_cfg.get('ipt_sysctl', '/etc/ufw/sysctl.conf') -%}
 {% set ipt_modules = settings_cfg.get('ipt_modules', ['nf_conntrack_ftp', 'nf_nat_ftp', 'nf_conntrack_netbios_ns'])|join(" ") -%}

 # /etc/default/ufw
 #
 # File managed by Salt. Do not edit manually.

 # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
 # accepted). You will need to 'disable' and then 'enable' the firewall for
 # the changes to take affect.
 IPV6={{ ipv6 }}

 # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
 # you change this you will most likely want to adjust your rules.
 DEFAULT_INPUT_POLICY="{{ default_input_policy }}"

 # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
 # you change this you will most likely want to adjust your rules.
 DEFAULT_OUTPUT_POLICY="{{ default_output_policy }}"

 # Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
 # if you change this you will most likely want to adjust your rules
 DEFAULT_FORWARD_POLICY="{{ default_forward_policy }}"

 # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
 # note that setting this to ACCEPT may be a security risk. See 'man ufw' for
 # details
 DEFAULT_APPLICATION_POLICY="{{ default_application_policy }}"

 # By default, ufw only touches its own chains. Set this to 'yes' to have ufw
 # manage the built-in chains too. Warning: setting this to 'yes' will break
 # non-ufw managed firewall rules
 MANAGE_BUILTINS={{ manage_builtins }}

 #
 # IPT backend
 #
 # only enable if using iptables backend
 IPT_SYSCTL={{ ipt_sysctl }}

 # Extra connection tracking modules to load. Complete list can be found in
 # net/netfilter/Kconfig of your kernel source. Some common modules:
 # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
 # nf_conntrack_netbios_ns: NetBIOS (samba) client support
 # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
 # nf_conntrack_ftp, nf_nat_ftp: active FTP support
 # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
 IPT_MODULES="{{ ipt_modules }}"
--- a/ufw/templates/sysctl.jinja
+++ b/ufw/templates/sysctl.jinja
@@ -0,0 +1,72 @@
 {% set ufw_cfg = pillar.get('ufw', {}) -%}
 {% set sysctl_cfg = ufw_cfg.get('sysctl', {}) -%}
 {% set forwarding = sysctl_cfg.get('forwarding', 0) -%}
 {% set rp_filter = sysctl_cfg.get('rp_filter', 1) -%}
 {% set accept_source_route = sysctl_cfg.get('accept_source_route', 0) -%}
 {% set accept_redirects = sysctl_cfg.get('accept_redirects', 0) -%}
 {% set icmp_echo_ignore_broadcasts = sysctl_cfg.get('icmp_echo_ignore_broadcasts', 1) -%}
 {% set icmp_ignore_bogus_error_responses = sysctl_cfg.get('icmp_ignore_bogus_error_responses', 1) -%}
 {% set icmp_echo_ignore_all = sysctl_cfg.get('icmp_echo_ignore_all', 0) -%}
 {% set log_martians = sysctl_cfg.get('log_martians', 0) -%}
 {% set tcp_syncookies = sysctl_cfg.get('tcp_syncookies', 0) -%}
 {% set tcp_sack = sysctl_cfg.get('tcp_sack', 1) -%}
 {% set ipv6_autoconf = sysctl_cfg.get('ipv6_autoconf', 1) -%}
 {% set use_tempaddr = sysctl_cfg.get('use_tempaddr', 1) -%}
 # File managed by Salt. Do not edit manually.
 #
 # Configuration file for setting network variables. Please note these settings
 # override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
 # adjust IPT_SYSCTL in /etc/default/ufw.
 #

 # Uncomment this to allow this host to route packets between interfaces
 net/ipv4/ip_forward={{ forwarding }}
 net/ipv6/conf/default/forwarding={{ forwarding }}
 net/ipv6/conf/all/forwarding={{ forwarding }}

 # Turn on Source Address Verification in all interfaces to prevent some
 # spoofing attacks
 net/ipv4/conf/default/rp_filter={{ rp_filter }}
 net/ipv4/conf/all/rp_filter={{ rp_filter }}

 # Do not accept IP source route packets (we are not a router)
 net/ipv4/conf/default/accept_source_route={{ accept_source_route }}
 net/ipv4/conf/all/accept_source_route={{ accept_source_route }}
 net/ipv6/conf/default/accept_source_route={{ accept_source_route }}
 net/ipv6/conf/all/accept_source_route={{ accept_source_route }}

 # Disable ICMP redirects. ICMP redirects are rarely used but can be used in
 # MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
 # traffic to those sites.
 net/ipv4/conf/default/accept_redirects={{ accept_redirects }}
 net/ipv4/conf/all/accept_redirects={{ accept_redirects }}
 net/ipv6/conf/default/accept_redirects={{ accept_redirects }}
 net/ipv6/conf/all/accept_redirects={{ accept_redirects }}

 # Ignore bogus ICMP errors
 net/ipv4/icmp_echo_ignore_broadcasts={{ icmp_echo_ignore_broadcasts }}
 net/ipv4/icmp_ignore_bogus_error_responses={{ icmp_ignore_bogus_error_responses }}
 net/ipv4/icmp_echo_ignore_all={{ icmp_echo_ignore_all }}

 # Don't log Martian Packets (impossible packets)
 net/ipv4/conf/default/log_martians={{ log_martians }}
 net/ipv4/conf/all/log_martians={{ log_martians }}

 # Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
 # (http://lkml.org/lkml/2008/2/5/167)
 net/ipv4/tcp_syncookies={{ tcp_syncookies }}

 #net/ipv4/tcp_fin_timeout=30
 #net/ipv4/tcp_keepalive_intvl=1800

 # normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
 # earlier pf firewall, should set this to 0
 net/ipv4/tcp_sack={{ tcp_sack }}

 # Uncomment this to turn off ipv6 autoconfiguration
 net/ipv6/conf/default/autoconf={{ ipv6_autoconf }}
 net/ipv6/conf/all/autoconf={{ ipv6_autoconf }}

 # Uncomment this to enable ipv6 privacy addressing
 net/ipv6/conf/default/use_tempaddr={{ use_tempaddr }}
 net/ipv6/conf/all/use_tempaddr={{ use_tempaddr }}