Saltstack Official UFW Formula
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

4.7KB

.. _readme:

ufw-formula
===========

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/ufw-formula.svg?branch=master
:alt: Travis CI Build Status
:scale: 100%
:target: https://travis-ci.com/saltstack-formulas/ufw-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
:alt: Semantic Release
:scale: 100%
:target: https://github.com/semantic-release/semantic-release

Formula to set up and configure ufw

.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.

Available states
----------------

.. contents::
:local:

``ufw``
^^^^^^^
Installs and configures the ufw package.

``ufw.package``
^^^^^^^^^^^^^^^
Installs the ufw package.

``ufw.config``
^^^^^^^^^^^^^^
This state manages the file ``ufw.conf`` under ``/etc/ufw`` (template found in "ufw/files"). The configuration is populated by values in "ufw/map.jinja" based on the package's default values (and RedHat, Debian, Suse and Arch family distribution specific values), which can then be overridden by values of the same name in pillar.


Usage
-----

All the configuration for the firewall is done via pillar (pillar.example).

Enable firewall, applying default configuration:

.. code-block:: javascript

ufw:
enabled: True

Allow 80/tcp (http) traffic from only two remote addresses:

.. code-block::

ufw:
services:
http:
protocol: tcp
from_addr:
- 10.0.2.15
- 10.0.2.16

Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip:

.. code-block::

ufw:
services:
https:
protocol: tcp
from_addr:
- 10.0.0.0/8
to_addr: 10.0.2.1

Allow from a service port:

.. code-block::

ufw:
services:
smtp:
protocol: tcp

Allow from an specific port, by number:

.. code-block::

ufw:
services:
139:
protocol: tcp

Allow from a range of ports, udp:

.. code-block::

ufw:
services:
"10000:20000":
protocol: udp

Allow from a range of ports, tcp and udp

.. code-block::

ufw:
services:
"10000:20000/tcp":
to_port: "10000:20000"
protocol: tcp
"10000:20000/udp":
to_port: "10000:20000"
protocol: udp

Allow from two specific ports, udp:

.. code-block::

ufw:
services:
"30000,40000":
protocol: udp

Allow an application defined at /etc/ufw/applications.d/:

.. code-block::

ufw:
applications:
- OpenSSH

Allow generic traffic on ens7, and allow 1 ip to access port 22 and explicitly block all others:

.. code-block::

ufw:
interfaces:
ens7:
services:
22:
protocol: tcp
to_port: 22
from_addr:
- 192.168.1.1
22/deny:
protocol: tcp
to_port: 22
deny: true
force_first: false

Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``ufw`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.