ExternalMirrors
/
ufw-formula
mirror of https://github.com/saltstack-formulas/ufw-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 12 Wiki Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
55 Commits
1 Branch
Tree: 404735d584
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '404735d584'
${ noResults }
ufw-formula/pillar.example

116 lines
2.4KB
Raw Blame History 

  1. ufw:

  2. 

  3.   enabled: True

  4. 

  5.   settings:

  6.     loglevel: low

  7.     ipv6: True

  8.     default_input_policy: 'DROP'

  9.     default_output_policy: 'ACCEPT'

  10.     default_forward_policy: 'DROP'

  11.     default_application_policy: 'SKIP'

  12.     manage_builtins: False

  13.     ipt_sysctl: '/etc/ufw/sysctl.conf'

  14.     ipt_modules:

  15.       - nf_conntrack_ftp

  16.       - nf_nat_ftp

  17.       - nf_conntrack_netbios_ns

  18. 

  19.   sysctl:

  20.     forwarding: 1

  21.     rp_filter: 1

  22.     accept_source_route: 0

  23.     accept_redirects: 0

  24.     icmp_echo_ignore_broadcasts: 1

  25.     icmp_ignore_bogus_error_responses: 1

  26.     icmp_echo_ignore_all: 0

  27.     log_martians: 0

  28.     tcp_syncookies: 0

  29.     tcp_sack: 1

  30.     ipv6_autoconf: 1

  31.     use_tempaddr: 1

  32. 

  33.   services:

  34. 

  35.     # Allow 80/tcp (http) traffic from only two remote addresses.

  36.     http:

  37.       protocol: tcp

  38.       from_addr:

  39.         - 10.0.2.15

  40.         - 10.0.2.16

  41.       comment: Upstream loadbalancers

  42. 

  43.     # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.

  44.     https:

  45.       protocol: tcp

  46.       from_addr:

  47.         - 10.0.0.0/8

  48.       to_addr: 10.0.2.1

  49.       comment: Intraweb portal

  50. 

  51.     # Allow from a service port.

  52.     smtp:

  53.       protocol: tcp

  54.       comment: Mail relay

  55. 

  56.     # Allow from a specific port, by number.

  57.     139:

  58.       protocol: tcp

  59.       comment: Netbios

  60. 

  61.     # Deny from a specific port, by number.

  62.     140:

  63.       protocol: tcp

  64.       deny: True

  65. 

  66.     # Deny everything from a specific ip address

  67.     '*':

  68.       protocol: tcp

  69.       deny: True

  70.       from_addr: 10.0.0.1

  71. 

  72.     # Deny everything from multiple ip addresses and avoid

  73.     # conflicts with already defined service '*'

  74.     '*/multiple':

  75.       to_port: '*'

  76.       protocol: tcp

  77.       deny: True

  78.       from_addr:

  79.         - 10.0.0.2

  80.         - 10.0.0.3

  81. 

  82.     # Limit a specific port, by number.

  83.     170:

  84.       limit: True

  85.       protocol: tcp

  86.       comment: Print service

  87. 

  88.     # Allow from a range of ports, udp.

  89.     "10000:20000":

  90.       protocol: udp

  91.       comment: We need ports, lots of ports

  92. 

  93.     # Allow from two specific ports, udp.

  94.     "30000,40000":

  95.       protocol: udp

  96.       comment: Game server and admin

  97. 

  98.   # Allow applications defined at /etc/ufw/applications.d/

  99.   applications:

  100.     OpenSSH:

  101.       enabled: True

  102.       comment: We are using fail2ban anyway

  103. 

  104.     # Limit access to salt master

  105.     Saltmaster:

  106.       limit: True

  107. 

  108.     # Deny access to Postgresql

  109.     Postgresql:

  110.       deny: True

  111. 

  112.   # Allow all traffic in on the specified interface

  113.   interfaces:

  114.     eth1:

  115.       comment: Honey pot