Saltstack Official FirewallD Formula

pillar.example 3.3KB

  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. ipset:
  5. manage: True
  6. pkg: ipset
  7. # ipset: # Deprecated. Support for this format will be removed in future releases
  8. # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  9. backend:
  10. manage: True
  11. pkg: nftables
  12. # installbackend: True # Deprecated. Will be removed in future releases
  13. # backendpackage: nftables # Deprecated. Will be removed in future releases
  14. default_zone: public
  15. services:
  16. sshcustom:
  17. short: sshcustom
  18. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  19. ports:
  20. tcp:
  21. - 3232
  22. - 5252
  23. modules:
  24. - some_module_to_load
  25. destinations:
  26. ipv4:
  27. - 224.0.0.251
  28. - 224.0.0.252
  29. ipv6:
  30. - ff02::fb
  31. - ff02::fc
  32. zabbixcustom:
  33. short: Zabbixcustom
  34. description: "zabbix custom rule"
  35. ports:
  36. tcp:
  37. - "10051"
  38. salt-minion:
  39. short: salt-minion
  40. description: "salt-minion"
  41. ports:
  42. tcp:
  43. - "8000"
  44. ipsets:
  45. fail2ban-ssh:
  46. short: fail2ban-ssh
  47. description: fail2ban-ssh ipset
  48. type: 'hash:ip'
  49. options:
  50. maxelem:
  51. - 65536
  52. timeout:
  53. - 300
  54. hashsize:
  55. - 1024
  56. entries:
  57. - 10.0.0.1
  58. fail2ban-ssh-ipv6:
  59. short: fail2ban-ssh-ipv6
  60. description: fail2ban-ssh-ipv6 ipset
  61. type: 'hash:ip'
  62. options:
  63. family:
  64. - inet6
  65. maxelem:
  66. - 65536
  67. timeout:
  68. - 300
  69. hashsize:
  70. - 1024
  71. entries:
  72. - 2a01::1
  73. zones:
  74. public:
  75. short: Public
  76. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  77. services:
  78. - http
  79. - zabbixcustom
  80. - https
  81. - ssh
  82. - salt-minion
  83. rich_rules:
  84. - family: ipv4
  85. source:
  86. address: 8.8.8.8/24
  87. accept: true
  88. - family: ipv4
  89. ipset:
  90. name: fail2ban-ssh
  91. reject:
  92. type: icmp-port-unreachable
  93. ports:
  94. {% if grains['id'] == 'salt.example.com' %}
  95. - comment: salt-master
  96. port: 4505
  97. protocol: tcp
  98. - comment: salt-python
  99. port: 4506
  100. protocol: tcp
  101. {% endif %}
  102. - comment: zabbix-agent
  103. port: 10050
  104. protocol: tcp
  105. - comment: bacula-client
  106. port: 9102
  107. protocol: tcp
  108. - comment: vsftpd
  109. port: 21
  110. protocol: tcp
  111. direct:
  112. chain:
  113. MYCHAIN:
  114. ipv: ipv4
  115. table: raw
  116. rule:
  117. INTERNETACCESS:
  118. ipv: ipv4
  119. table: filter
  120. chain: FORWARD
  121. priority: "0"
  122. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  123. passthrough:
  124. MYPASSTHROUGH:
  125. ipv: ipv4
  126. args: "-t raw -A MYCHAIN -j DROP"