add ipset support for firewalldtags/v0.6.2
@@ -1 +1 @@ | |||
0.1.0 | |||
0.2.0 |
@@ -2,5 +2,6 @@ | |||
# vim: ft=yaml | |||
firewalld: | |||
package: firewalld | |||
ipsetpackage: ipset | |||
service: firewalld | |||
config: /etc/firewalld.conf |
@@ -0,0 +1,31 @@ | |||
<?xml version="1.0" encoding="utf-8"?> | |||
<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}> | |||
{%- if 'short' in ipset %} | |||
<short>{{ ipset.short }}</short> | |||
{%- endif %} | |||
{%- if 'description' in ipset %} | |||
<description>{{ ipset.description }}</description> | |||
{%- endif %} | |||
{%- if 'options' in ipset %} | |||
{%- if 'maxelem' in ipset.options %} | |||
{%- for v in ipset.options.maxelem %} | |||
<option name="maxelem" value="{{ v }}"/> | |||
{%- endfor %} | |||
{%- endif %} | |||
{%- if 'timeout' in ipset.options %} | |||
{%- for v in ipset.options.timeout %} | |||
<option name="timeout" value="{{ v }}"/> | |||
{%- endfor %} | |||
{%- endif %} | |||
{%- if 'hashsize' in ipset.options %} | |||
{%- for v in ipset.options.hashsize %} | |||
<option name="hashsize" value="{{ v }}"/> | |||
{%- endfor %} | |||
{%- endif %} | |||
{%- endif %} | |||
{%- if 'entries' in ipset %} | |||
{%- for v in ipset.entries %} | |||
<entry>{{ v }}</entry> | |||
{%- endfor %} | |||
{%- endif %} | |||
</ipset> |
@@ -52,6 +52,9 @@ | |||
{%- else %} | |||
<rule> | |||
{%- endif %} | |||
{%- if 'ipset' in rule %} | |||
<source ipset="{{ rule.ipset.name }}"/> | |||
{%- endif %} | |||
{%- if 'source' in rule %} | |||
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/> | |||
{%- endif %} |
@@ -8,6 +8,7 @@ | |||
{% if salt['pillar.get']('firewalld:enabled') %} | |||
include: | |||
- firewalld.config | |||
- firewalld.ipsets | |||
- firewalld.services | |||
- firewalld.zones | |||
@@ -0,0 +1,48 @@ | |||
# == State: firewalld.ipsets | |||
# | |||
# This state ensures that /etc/firewalld/ipsets/ exists. | |||
# | |||
{% from "firewalld/map.jinja" import firewalld with context %} | |||
{%- if salt['pillar.get']('firewalld:ipset') %} | |||
package_ipset: | |||
pkg.installed: | |||
- name: {{ firewalld.ipsetpackage }} | |||
directory_firewalld_ipsets: | |||
file.directory: # make sure this is a directory | |||
- name: /etc/firewalld/ipsets | |||
- user: root | |||
- group: root | |||
- mode: 750 | |||
- require: | |||
- pkg: package_firewalld # make sure package is installed | |||
- listen_in: | |||
- module: service_firewalld # restart service | |||
# == Define: firewalld.ipsets | |||
# | |||
# This defines a ipset configuration, see firewalld.ipset (5) man page. | |||
# | |||
{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %} | |||
{% set z_name = v.name|default(k) %} | |||
/etc/firewalld/ipsets/{{ z_name }}.xml: | |||
file.managed: | |||
- name: /etc/firewalld/ipsets/{{ z_name }}.xml | |||
- user: root | |||
- group: root | |||
- mode: 644 | |||
- source: salt://firewalld/files/ipset.xml | |||
- template: jinja | |||
- require: | |||
- pkg: package_firewalld # make sure package is installed | |||
- file: directory_firewalld_ipsets | |||
- listen_in: | |||
- module: service_firewalld # restart service | |||
- context: | |||
name: {{ z_name }} | |||
ipset: {{ v }} | |||
{% endfor %} | |||
{%- endif %} |
@@ -1,31 +1,91 @@ | |||
# CentOS7 FirewallD firewall | |||
# FirewallD pillar examples: | |||
firewalld: | |||
enabled: True | |||
ipset: True | |||
default_zone: public | |||
services: | |||
sshcustom: | |||
short: sshcustom | |||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful. | |||
ports: | |||
tcp: | |||
tcp: | |||
- 3232 | |||
- 5252 | |||
modules: | |||
modules: | |||
- some_module_to_load | |||
destinations: | |||
ipv4: | |||
ipv4: | |||
- 224.0.0.251 | |||
- 224.0.0.252 | |||
ipv6: | |||
ipv6: | |||
- ff02::fb | |||
- ff02::fc | |||
zabbixcustom: | |||
short: Zabbixcustom | |||
description: "zabbix custom rule" | |||
ports: | |||
tcp: | |||
- "10051" | |||
salt-minion: | |||
short: salt-minion | |||
description: "salt-minion" | |||
ports: | |||
tcp: | |||
- "8000" | |||
ipsets: | |||
fail2ban-ssh: | |||
short: fail2ban-ssh | |||
description: fail2ban-ssh ipset | |||
type: 'hash:ip' | |||
options: | |||
maxelem: | |||
- 65536 | |||
timeout: | |||
- 300 | |||
hashsize: | |||
- 1024 | |||
entries: | |||
- 10.0.0.1 | |||
zones: | |||
public: | |||
short: Public | |||
description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted." | |||
services: | |||
- http | |||
- zabbixcustom | |||
- https | |||
- ssh | |||
- dhcpv6-client | |||
- salt-minion | |||
rich_rules: | |||
- family: ipv4 | |||
source: | |||
address: 8.8.8.8/24 | |||
accept: true | |||
- family: ipv4 | |||
ipset: | |||
name: fail2ban-ssh | |||
reject: | |||
type: icmp-port-unreachable | |||
ports: | |||
{% if grains['id'] == 'salt.example.com' %} | |||
- comment: salt-master | |||
port: 4505 | |||
protocol: tcp | |||
- comment: salt-python | |||
port: 4506 | |||
protocol: tcp | |||
{% endif %} | |||
- comment: zabbix-agent | |||
port: 10050 | |||
protocol: tcp | |||
- comment: bacula-client | |||
port: 9102 | |||
protocol: tcp | |||
- comment: vsftpd | |||
port: 21 | |||
protocol: tcp |