Saltstack Official UFW Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. ufw:
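  # Top-level switch read by the formula (presumably controls whether ufw is
  # enabled at all — verify against the formula's state files).
  enabled: true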
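  settings:
    loglevel: low
    ipv6: true
    # Default chain policies; the services/applications below carve
    # exceptions out of these.
    default_input_policy: 'DROP'
    default_output_policy: 'ACCEPT'
    default_forward_policy: 'DROP'
    default_application_policy: 'SKIP'
    manage_builtins: false
    ipt_sysctl: '/etc/ufw/sysctl.conf'
    # Netfilter helper modules; presumably rendered into IPT_MODULES in
    # /etc/default/ufw — confirm in the formula's template.
    ipt_modules:
      - nf_conntrack_ftp
      - nf_nat_ftp
      - nf_conntrack_netbios_ns
    # Kernel network knobs written to the file named by ipt_sysctl (the exact
    # key-to-sysctl mapping lives in the formula's template).
    sysctl:
      # Forwarded packets remain subject to default_forward_policy ('DROP' above).
      forwarding: 1
      rp_filter: 1
      accept_source_route: 0
      accept_redirects: 0
      icmp_echo_ignore_broadcasts: 1
      icmp_ignore_bogus_error_responses: 1
      icmp_echo_ignore_all: 0
      # 1 would log packets with impossible source addresses, which helps
      # detect spoofing; left at 0 here.
      log_martians: 0
      # NOTE(review): 0 disables SYN cookies, i.e. the kernel's SYN-flood
      # mitigation; the stock ufw sysctl.conf ships with them enabled.
      # Confirm this value is intentional.
      tcp_syncookies: 0
      tcp_sack: 1
      ipv6_autoconf: 1
      # IPv6 privacy extensions (temporary addresses).
      use_tempaddr: 1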
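  services:
    # ufw matches the first applicable rule in insertion order, and the
    # formula decides the order in which these entries are emitted; check
    # that ordering before relying on a deny entry overriding an allow.
    # Allow 80/tcp (http) traffic from only two remote addresses.
    http:
      protocol: tcp
      from_addr:
        - 10.0.2.15
        - 10.0.2.16
      comment: Upstream loadbalancers
    # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to a specific local ip.
    https:
      protocol: tcp
      from_addr:
        - 10.0.0.0/8
      to_addr: 10.0.2.1
      comment: Intraweb portal
    # Allow from a service port (by name).
    smtp:
      protocol: tcp
      comment: Mail relay
    # Allow from a specific port, by number. Unquoted all-digit keys load as
    # integers; quote them ('139') if the consuming template expects strings.
    139:
      protocol: tcp
      comment: Netbios
    # Deny from a specific port, by number.
    140:
      protocol: tcp
      deny: true
    # Deny everything (tcp only, per protocol below) from a specific ip address
    '*':
      protocol: tcp
      deny: true
      from_addr: 10.0.0.1
    # Deny everything from multiple ip addresses and avoid
    # conflicts with already defined service '*'
    '*/multiple':
      to_port: '*'
      protocol: tcp
      deny: true
      from_addr:
        - 10.0.0.2
        - 10.0.0.3
    # Limit a specific port, by number (ufw rate-limits new connections from
    # a source that exceeds its threshold instead of allowing them freely).
    170:
      limit: true
      protocol: tcp
      comment: Print service
    # Allow from a range of ports, udp. Quoted on purpose: a bare a:b scalar
    # can be read as a sexagesimal integer by YAML 1.1 loaders.
    "10000:20000":
      protocol: udp
      comment: We need ports, lots of ports
    # Allow from two specific ports, udp.
    "30000,40000":
      protocol: udp
      comment: Game server and admin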
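  # Allow applications defined at /etc/ufw/applications.d/
  applications:
    # Allowed from any source; the comment defers brute-force handling to
    # fail2ban, which only reacts after failed logins have already occurred.
    OpenSSH:
      enabled: true
      comment: We are using fail2ban anyway
    # Limit access to salt master (ufw rate limiting rather than a plain allow)
    Saltmaster:
      limit: true
    # Deny access to Postgresql
    Postgresql:
      deny: true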
  97. # Allow all traffic in on the specified interface
  98. interfaces:
  99. eth1:
  100. comment: Honey pot