Saltstack Official FirewallD Formula

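  # FirewallD pillar examples:
#
# Example pillar for the firewalld formula. Everything lives under the
# single top-level `firewalld` key. The file is a Jinja template (see the
# `{% if %}` block under zones:public:ports), so it is rendered to text
# first and parsed as YAML afterwards; keep Jinja tags aligned with the
# surrounding YAML so the rendered output stays well-indented.
#
# Booleans are written as lowercase `true`/`false` (the original used
# `True`/`False`, which YAML 1.1 loaders accept but strict 1.2 loaders may
# read as plain strings).
firewalld:
  enabled: true
  ipset:
    # presumably: whether the formula manages the ipset package itself and
    # which package name it installs — confirm against the formula's states
    manage: true
    pkg: ipset
    installbackend: false
  default_zone: public

  # Custom service definitions. Port values are given as plain integers in
  # one service and as quoted strings in the others; both forms are kept as
  # in the original. If the formula renders them into service XML they
  # become text either way, but prefer one form in real pillar data.
  services:
    sshcustom:
      short: sshcustom
      description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
      ports:
        tcp:
          - 3232
          - 5252
      modules:
        - some_module_to_load
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc
    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  # ipset definitions referenced by rich rules below (zones:public:rich_rules
  # rejects traffic whose source is in `fail2ban-ssh`).
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'
      options:
        # each option is a one-element list in this example; looks like the
        # formula iterates over the values — confirm before adding more
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1

  zones:
    public:
      short: Public
      description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
      # Built-in services (http, https, ssh) and the custom ones defined above.
      services:
        - http
        - zabbixcustom
        - https
        - ssh
        - salt-minion
      rich_rules:
        # NOTE(review): 8.8.8.8/24 has host bits set; the network form of the
        # same prefix is 8.8.8.0/24. Write the network address so readers (and
        # any validator) see exactly which range is being accepted.
        - family: ipv4
          source:
            address: 8.8.8.8/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      ports:
        # The Salt master ports are only opened on the minion whose id is
        # salt.example.com; the remaining ports are opened everywhere.
        {% if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        {% endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp

  # Direct rules: `args` strings are handed to the packet filter as-is and are
  # not subject to the zone logic above, so review them on their own.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        # accepts forwarded traffic from 192.168.1.0/24 entering on iintern and
        # leaving on iextern, for new and established connections
        args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        # appends an unconditional DROP to MYCHAIN (created in the raw table above)
        args: "-t raw -A MYCHAIN -j DROP"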