Saltstack Official FirewallD Formula

  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. ipset: True
  5. installbackend: False
  6. default_zone: public
  7. services:
  8. sshcustom:
  9. short: sshcustom
  10. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  11. ports:
  12. tcp:
  13. - 3232
  14. - 5252
  15. modules:
  16. - some_module_to_load
  17. destinations:
  18. ipv4:
  19. - 224.0.0.251
  20. - 224.0.0.252
  21. ipv6:
  22. - ff02::fb
  23. - ff02::fc
  24. zabbixcustom:
  25. short: Zabbixcustom
  26. description: "zabbix custom rule"
  27. ports:
  28. tcp:
  29. - "10051"
  30. salt-minion:
  31. short: salt-minion
  32. description: "salt-minion"
  33. ports:
  34. tcp:
  35. - "8000"
  36. ipsets:
  37. fail2ban-ssh:
  38. short: fail2ban-ssh
  39. description: fail2ban-ssh ipset
  40. type: 'hash:ip'
  41. options:
  42. maxelem:
  43. - 65536
  44. timeout:
  45. - 300
  46. hashsize:
  47. - 1024
  48. entries:
  49. - 10.0.0.1
  50. zones:
  51. public:
  52. short: Public
  53. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  54. services:
  55. - http
  56. - zabbixcustom
  57. - https
  58. - ssh
  59. - salt-minion
  60. rich_rules:
  61. - family: ipv4
  62. source:
  63. address: 8.8.8.8/24
  64. accept: true
  65. - family: ipv4
  66. ipset:
  67. name: fail2ban-ssh
  68. reject:
  69. type: icmp-port-unreachable
  70. ports:
  71. {% if grains['id'] == 'salt.example.com' %}
  72. - comment: salt-master
  73. port: 4505
  74. protocol: tcp
  75. - comment: salt-python
  76. port: 4506
  77. protocol: tcp
  78. {% endif %}
  79. - comment: zabbix-agent
  80. port: 10050
  81. protocol: tcp
  82. - comment: bacula-client
  83. port: 9102
  84. protocol: tcp
  85. - comment: vsftpd
  86. port: 21
  87. protocol: tcp
  88. direct:
  89. chain:
  90. MYCHAIN:
  91. ipv: ipv4
  92. table: raw
  93. rule:
  94. INTERNETACCESS:
  95. ipv: ipv4
  96. table: filter
  97. chain: FORWARD
  98. priority: "0"
  99. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  100. passthrough:
  101. MYPASSTHROUGH:
  102. ipv: ipv4
  103. args: "-t raw -A MYCHAIN -j DROP"