Saltstack Official FirewallD Formula

pillar.example 3.6KB

  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. ipset:
  5. manage: True
  6. pkg: ipset
  7. # ipset: # Deprecated. Support for this format will be removed in future releases
  8. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  9. backend:
  10. manage: True
  11. pkg: nftables
  12. # installbackend: True # Deprecated. Will be removed in future releases
  13. # backendpackage: nftables # Deprecated. Will be removed in future releases
  14. default_zone: public
  15. services:
  16. sshcustom:
  17. short: sshcustom
  18. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  19. ports:
  20. tcp:
  21. - 3232
  22. - 5252
  23. modules:
  24. - some_module_to_load
  25. protocols:
  26. - igmp
  27. source_ports:
  28. tcp:
  29. - 21
  30. destinations:
  31. ipv4:
  32. - 224.0.0.251
  33. - 224.0.0.252
  34. ipv6:
  35. - ff02::fb
  36. - ff02::fc
  37. zabbixcustom:
  38. short: Zabbixcustom
  39. description: "zabbix custom rule"
  40. ports:
  41. tcp:
  42. - "10051"
  43. salt-minion:
  44. short: salt-minion
  45. description: "salt-minion"
  46. ports:
  47. tcp:
  48. - "8000"
  49. ipsets:
  50. fail2ban-ssh:
  51. short: fail2ban-ssh
  52. description: fail2ban-ssh ipset
  53. type: 'hash:ip'
  54. options:
  55. maxelem:
  56. - 65536
  57. timeout:
  58. - 300
  59. hashsize:
  60. - 1024
  61. entries:
  62. - 10.0.0.1
  63. fail2ban-ssh-ipv6:
  64. short: fail2ban-ssh-ipv6
  65. description: fail2ban-ssh-ipv6 ipset
  66. type: 'hash:ip'
  67. options:
  68. family:
  69. - inet6
  70. maxelem:
  71. - 65536
  72. timeout:
  73. - 300
  74. hashsize:
  75. - 1024
  76. entries:
  77. - 2a01::1
  78. zones:
  79. public:
  80. short: Public
  81. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  82. services:
  83. - http
  84. - zabbixcustom
  85. - https
  86. - ssh
  87. - salt-minion
  88. protocols:
  89. - igmp
  90. rich_rules:
  91. - family: ipv4
  92. source:
  93. address: 8.8.8.8/24
  94. accept: true
  95. - family: ipv4
  96. ipset:
  97. name: fail2ban-ssh
  98. reject:
  99. type: icmp-port-unreachable
  100. ports:
  101. {% if grains['id'] == 'salt.example.com' %}
  102. - comment: salt-master
  103. port: 4505
  104. protocol: tcp
  105. - comment: salt-python
  106. port: 4506
  107. protocol: tcp
  108. {% endif %}
  109. - comment: zabbix-agent
  110. port: 10050
  111. protocol: tcp
  112. - comment: bacula-client
  113. port: 9102
  114. protocol: tcp
  115. - comment: vsftpd
  116. port: 21
  117. protocol: tcp
  118. source_ports:
  119. - comment: something
  120. port: 2222
  121. protocol: tcp
  122. - comment: something_else
  123. port: 4444
  124. protocol: tcp
  125. direct:
  126. chain:
  127. MYCHAIN:
  128. ipv: ipv4
  129. table: raw
  130. rule:
  131. INTERNETACCESS:
  132. ipv: ipv4
  133. table: filter
  134. chain: FORWARD
  135. priority: "0"
  136. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  137. passthrough:
  138. MYPASSTHROUGH:
  139. ipv: ipv4
  140. args: "-t raw -A MYCHAIN -j DROP"