.. _readme:

ufw-formula
===========

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/ufw-formula.svg?branch=master
   :alt: Travis CI Build Status
   :scale: 100%
   :target: https://travis-ci.com/saltstack-formulas/ufw-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
   :alt: Semantic Release
   :scale: 100%
   :target: https://github.com/semantic-release/semantic-release

Formula to set up and configure ufw

.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions `_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section `_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``, which contains the currently released version. This formula is versioned according to `Semantic Versioning `_.

See `Formula Versioning Section `_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see `How to contribute `_ for more details.

Available states
----------------

.. contents::
   :local:

``ufw``
^^^^^^^

Installs and configures the ufw package.

``ufw.package``
^^^^^^^^^^^^^^^

Installs the ufw package.

``ufw.config``
^^^^^^^^^^^^^^

This state manages the file ``ufw.conf`` under ``/etc/ufw`` (template found in "ufw/files"). The configuration is populated by values in "ufw/map.jinja" based on the package's default values (and RedHat, Debian, Suse and Arch family distribution specific values), which can then be overridden by values of the same name in pillar.

Usage
-----

All the configuration for the firewall is done via pillar (pillar.example).

Enable firewall, applying default configuration:

.. code-block:: yaml

   ufw:
     enabled: True

Allow 80/tcp (http) traffic from only two remote addresses:

.. code-block:: yaml

   ufw:
     services:
       http:
         protocol: tcp
         from_addr:
           - 10.0.2.15
           - 10.0.2.16

Allow 443/tcp (https) traffic from network 10.0.0.0/8 to a specific local IP:

.. code-block:: yaml

   ufw:
     services:
       https:
         protocol: tcp
         from_addr:
           - 10.0.0.0/8
         to_addr: 10.0.2.1

Allow from a service port:

.. code-block:: yaml

   ufw:
     services:
       smtp:
         protocol: tcp

Allow from a specific port, by number:

.. code-block:: yaml

   ufw:
     services:
       139:
         protocol: tcp

Allow from a range of ports, udp:

.. code-block:: yaml

   ufw:
     services:
       "10000:20000":
         protocol: udp

Allow from a range of ports, tcp and udp:

.. code-block:: yaml

   ufw:
     services:
       "10000:20000/tcp":
         to_port: "10000:20000"
         protocol: tcp
       "10000:20000/udp":
         to_port: "10000:20000"
         protocol: udp

Allow from two specific ports, udp:

.. code-block:: yaml

   ufw:
     services:
       "30000,40000":
         protocol: udp

Allow an application defined at /etc/ufw/applications.d/:

.. code-block:: yaml

   ufw:
     applications:
       - OpenSSH

Allow generic traffic on ens7, and allow one IP to access port 22 and explicitly block all others:

.. code-block:: yaml

   ufw:
     interfaces:
       ens7:
         services:
           22:
             protocol: tcp
             to_port: 22
             from_addr:
               - 192.168.1.1
           22/deny:
             protocol: tcp
             to_port: 22
             deny: true
             force_first: false

Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

   $ gem install bundler
   $ bundle install
   $ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``, e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``ufw`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.
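As an added example (not code from this formula), the script below previews the ``ufw`` commands that a pillar written in the Usage style above would imply, so the resulting policy can be reviewed before a highstate applies it. The pillar-to-command mapping, the ``SAMPLE_PILLAR`` data and the helper names are assumptions made for illustration; the formula's own templates under ``ufw/files`` are authoritative.

```python
"""Preview the ufw rules implied by ufw-formula style pillar data.

Added example; the mapping from pillar keys to ufw syntax is an assumption.
"""

SAMPLE_PILLAR = {"ufw": {  # constructed from the Usage examples in this README
    "services": {
        "http": {"protocol": "tcp", "from_addr": ["10.0.2.15", "10.0.2.16"]},
        "10000:20000": {"protocol": "udp"},
    },
    "interfaces": {"ens7": {"services": {
        22: {"protocol": "tcp", "to_port": 22, "from_addr": ["192.168.1.1"]},
        "22/deny": {"protocol": "tcp", "to_port": 22, "deny": True,
                    "force_first": False},
    }}},
    "applications": ["OpenSSH"],
}}


def _service_rules(name, opts, iface=None):
    """One ufw command per source address for a single services entry."""
    action = "deny" if opts.get("deny") else "allow"
    prefix = "insert 1 " if opts.get("force_first") else ""  # rule goes first
    where = f" in on {iface}" if iface else ""
    # The key ("22/deny", "http", "10000:20000") names the port unless to_port overrides it.
    port = str(opts.get("to_port", str(name).split("/")[0]))
    proto = opts.get("protocol", "tcp")
    dst = opts.get("to_addr", "any")
    return [f"ufw {prefix}{action}{where} proto {proto} from {src} to {dst} port {port}"
            for src in opts.get("from_addr", ["any"])]


def render_rules(pillar):
    """Return the ordered list of ufw commands implied by the pillar."""
    ufw = pillar.get("ufw", {})
    rules = []
    for name, opts in ufw.get("services", {}).items():
        rules += _service_rules(name, opts)
    for iface, cfg in ufw.get("interfaces", {}).items():
        for name, opts in cfg.get("services", {}).items():
            rules += _service_rules(name, opts, iface)
    rules += [f"ufw allow {app}" for app in ufw.get("applications", [])]
    return rules


def unrestricted_rules(pillar):
    """Allow rules with no from_addr, i.e. ports reachable from any source."""
    return [r for r in render_rules(pillar) if " allow " in r and "from any " in r]


if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_PILLAR)))
    print("open to any source:", unrestricted_rules(SAMPLE_PILLAR))
```

Review the ``unrestricted_rules`` output before applying the pillar: an entry without ``from_addr`` exposes its port to every source, which is rarely intended for anything but public services.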