ExternalMirrors
/
ufw-formula
mirror of https://github.com/saltstack-formulas/ufw-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 12 Wiki Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
1 Branch
Tree: dd1c4b34a5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dd1c4b34a5'
${ noResults }
ufw-formula/pillar.example

114 lines
2.3KB
Raw Blame History 

  1. ufw:

  2. 

  3.   enabled: True

  4. 

  5.   settings:

  6.     loglevel: low

  7.     ipv6: True

  8.     default_input_policy: 'DROP'

  9.     default_output_policy: 'ACCEPT'

  10.     default_forward_policy: 'DROP'

  11.     default_application_policy: 'SKIP'

  12.     manage_builtins: False

  13.     ipt_sysctl: '/etc/ufw/sysctl.conf'

  14.     ipt_modules:

  15.       - nf_conntrack_ftp

  16.       - nf_nat_ftp

  17.       - nf_conntrack_netbios_ns

  18. 

  19.   sysctl:

  20.     forwarding: 1

  21.     rp_filter: 1

  22.     accept_source_route: 0

  23.     accept_redirects: 0

  24.     icmp_echo_ignore_broadcasts: 1

  25.     icmp_ignore_bogus_error_responses: 1

  26.     icmp_echo_ignore_all: 0

  27.     log_martians: 0

  28.     tcp_syncookies: 0

  29.     tcp_sack: 1

  30.     ipv6_autoconf: 1

  31.     use_tempaddr: 1

  32. 

  33.   services:

  34. 

  35.     # Allow 80/tcp (http) traffic from only two remote addresses.

  36.     http:

  37.       protocol: tcp

  38.       from_addr:

  39.         - 10.0.2.15

  40.         - 10.0.2.16

  41.       comment: Upstream loadbalancers

  42. 

  43.     # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.

  44.     https:

  45.       protocol: tcp

  46.       from_addr:

  47.         - 10.0.0.0/8

  48.       to_addr: 10.0.2.1

  49.       comment: Intraweb portal

  50. 

  51.     # Allow from a service port.

  52.     smtp:

  53.       protocol: tcp

  54.       comment: Mail relay

  55. 

  56.     # Allow from a specific port, by number.

  57.     139:

  58.       protocol: tcp

  59.       comment: Netbios

  60. 

  61.     # Deny from a specific port, by number.

  62.     140:

  63.       protocol: tcp

  64.       deny: True

  65. 

  66.     # Deny everything from a specific ip address

  67.     '*':

  68.       protocol: tcp

  69.       deny: True

  70.       from_addr: 10.0.0.1

  71. 

  72.     # Deny everything from a multiple ip addresses

  73.     '*':

  74.       protocol: tcp

  75.       deny: True

  76.       from_addr:

  77.         - 10.0.0.2

  78.         - 10.0.0.3

  79. 

  80.     # Limit a specific port, by number.

  81.     170:

  82.       limit: True

  83.       protocol: tcp

  84.       comment: Print service

  85. 

  86.     # Allow from a range of ports, udp.

  87.     "10000:20000":

  88.       protocol: udp

  89.       comment: We need ports, lots of ports

  90. 

  91.     # Allow from two specific ports, udp.

  92.     "30000,40000":

  93.       protocol: udp

  94.       comment: Game server and admin

  95. 

  96.   # Allow applications defined at /etc/ufw/applications.d/

  97.   applications:

  98.     OpenSSH:

  99.       enabled: True

  100.       comment: We are using fail2ban anyway

  101. 

  102.     # Limit access to salt master

  103.     Saltmaster:

  104.       limit: True

  105. 

  106.     # Deny access to Postgresql

  107.     Postgresql:

  108.       deny: True

  109. 

  110.   # Allow all traffic in on the specified interface

  111.   interfaces:

  112.     eth1:

  113.       comment: Honey pot