ExternalMirrors
/
ufw-formula
mirror of https://github.com/saltstack-formulas/ufw-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 12 Wiki Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
225 Commits
1 Branch
Tree: 1c83d4cbb4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1c83d4cbb4'
${ noResults }
ufw-formula/pillar.example

121 lines
2.5KB
Raw Blame History 

  1. # -*- coding: utf-8 -*-

  2. # vim: ft=yaml

  3. ---

  4. ufw:

  5. 

  6.   enabled: true

  7. 

  8.   settings:

  9.     loglevel: low

  10.     ipv6: true

  11.     default_input_policy: 'DROP'

  12.     default_output_policy: 'ACCEPT'

  13.     default_forward_policy: 'DROP'

  14.     default_application_policy: 'SKIP'

  15.     manage_builtins: false

  16.     ipt_sysctl: '/etc/ufw/sysctl.conf'

  17.     ipt_modules:

  18.       - nf_conntrack_ftp

  19.       - nf_nat_ftp

  20.       - nf_conntrack_netbios_ns

  21. 

  22.   sysctl:

  23.     forwarding: 1

  24.     rp_filter: 1

  25.     accept_source_route: 0

  26.     accept_redirects: 0

  27.     icmp_echo_ignore_broadcasts: 1

  28.     icmp_ignore_bogus_error_responses: 1

  29.     icmp_echo_ignore_all: 0

  30.     log_martians: 0

  31.     tcp_syncookies: 0

  32.     tcp_sack: 1

  33.     ipv6_autoconf: 1

  34.     use_tempaddr: 1

  35. 

  36.   services:

  37. 

  38.     # Allow 80/tcp (http) traffic from only two remote addresses.

  39.     http:

  40.       protocol: tcp

  41.       from_addr:

  42.         - 10.0.2.15

  43.         - 10.0.2.16

  44.       comment: Upstream loadbalancers

  45. 

  46.     # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.

  47.     https:

  48.       protocol: tcp

  49.       from_addr:

  50.         - 10.0.0.0/8

  51.       to_addr: 10.0.2.1

  52.       comment: Intraweb portal

  53. 

  54.     # Allow from a service port.

  55.     smtp:

  56.       protocol: tcp

  57.       comment: Mail relay

  58. 

  59.     # Allow from a specific port, by number.

  60.     139:

  61.       protocol: tcp

  62.       comment: Netbios

  63. 

  64.     # Deny from a specific port, by number, but don't force

  65.     # the rule as the first rule in the ufw state

  66.     140:

  67.       protocol: tcp

  68.       deny: true

  69.       force_first: false

  70. 

  71.     # Deny everything from a specific ip address

  72.     '*':

  73.       protocol: tcp

  74.       deny: true

  75.       from_addr: 10.0.0.1

  76. 

  77.     # Deny everything from multiple ip addresses and avoid

  78.     # conflicts with already defined service '*'

  79.     '*/multiple':

  80.       to_port: '*'

  81.       protocol: tcp

  82.       deny: true

  83.       from_addr:

  84.         - 10.0.0.2

  85.         - 10.0.0.3

  86. 

  87.     # Limit a specific port, by number.

  88.     170:

  89.       limit: true

  90.       protocol: tcp

  91.       comment: Print service

  92. 

  93.     # Allow from a range of ports, udp.

  94.     "10000:20000":

  95.       protocol: udp

  96.       comment: We need ports, lots of ports

  97. 

  98.     # Allow from two specific ports, udp.

  99.     "30000,40000":

  100.       protocol: udp

  101.       comment: Game server and admin

  102. 

  103.   # Allow applications defined at /etc/ufw/applications.d/

  104.   applications:

  105.     OpenSSH:

  106.       enabled: true

  107.       comment: We are using fail2ban anyway

  108. 

  109.     # Limit access to salt master

  110.     Saltmaster:

  111.       limit: true

  112. 

  113.     # Deny access to Postgresql

  114.     Postgresql:

  115.       deny: true

  116. 

  117.   # Allow all traffic in on the specified interface

  118.   interfaces:

  119.     eth1:

  120.       comment: Honey pot