Saltstack Official FirewallD Formula


  # FirewallD pillar examples:
  2. firewalld:
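  # Global switches for the formula. Booleans are written as canonical
  # lowercase true/false: YAML 1.1 loaders accept `True`, but YAML 1.2
  # tooling and linters (yamllint `truthy`) treat it as non-canonical.
  enabled: true
  # ipset package handling. The flat `ipset:` / `ipsetpackag:` keys are the
  # deprecated spelling of this mapping and are scheduled for removal.
  ipset:
    manage: true
    pkg: ipset
  # ipset: # Deprecated. Support for this format will be removed in future releases
  # ipsetpackag: ipset # Deprecated. Will be removed in future releases
  # Backend package handling (nftables here). Replaces the deprecated
  # `installbackend:` / `backendpackage:` keys.
  backend:
    manage: true
    pkg: nftables
  # installbackend: True # Deprecated. Will be removed in future releases
  # backendpackage: nftables # Deprecated. Will be removed in future releases
  # firewalld's default zone; interfaces and sources not bound to another
  # zone fall into this one, so its rule set is what unmatched traffic sees.
  default_zone: public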
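  # Custom service definitions. Each key is a firewalld service name that
  # the `zones:` section below may list under `services:`.
  services:
    sshcustom:
      short: sshcustom
      # Folded scalar: reads as one line at runtime, stays within line limits here.
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
        logging into and executing commands on remote machines. It provides
        secure encrypted communications. If you plan on accessing your
        machine remotely via SSH over a firewalled interface, enable this
        option. You need the openssh-server package installed for this
        option to be useful.
      # Port numbers are quoted so that every service in this file hands
      # the template the same scalar type (string); zabbixcustom and
      # salt-minion below already quote theirs, sshcustom did not.
      ports:
        tcp:
          - '3232'
          - '5252'
      # Helper modules loaded for this service (firewalld `<module>` entries).
      modules:
        - some_module_to_load
      # Destination addresses the service definition is limited to.
      # IPv6 literals are quoted: colons are safe without a following space,
      # but quoting keeps them unambiguous across YAML 1.1 and 1.2 loaders.
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - 'ff02::fb'
          - 'ff02::fc'
    zabbixcustom:
      short: Zabbixcustom
      description: 'zabbix custom rule'
      ports:
        tcp:
          - '10051'
    salt-minion:
      short: salt-minion
      description: 'salt-minion'
      ports:
        tcp:
          - '8000'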
  # Named ipsets. A zone rich rule can match on one via `ipset: name: <set>`
  # (see the fail2ban-ssh reject rule under `zones:`).
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      # Quoted defensively: `hash:ip` is a plain string either way, but
      # the quotes make the colon unmistakably part of the value.
      type: 'hash:ip'
      # Every option carries a list of values, even when there is one.
      options:
        maxelem: [65536]
        timeout: [300]
        hashsize: [1024]
      # Initial members of the set.
      entries:
        - '10.0.0.1'
    fail2ban-ssh-ipv6:
      short: fail2ban-ssh-ipv6
      description: fail2ban-ssh-ipv6 ipset
      type: 'hash:ip'
      options:
        # inet6 selects the IPv6 address family for this set.
        family: [inet6]
        maxelem: [65536]
        timeout: [300]
        hashsize: [1024]
      entries:
        - '2a01::1'
  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming
        connections are accepted.
      # Built-in firewalld services plus the custom ones declared under
      # `services:` above (zabbixcustom, salt-minion).
      services:
        - http
        - zabbixcustom
        - https
        - ssh
        - salt-minion
      rich_rules:
        # Accept all traffic from the given source network.
        - family: ipv4
          source:
            address: '8.8.8.8/24'
          accept: true
        # Reject, with ICMP port-unreachable, any source present in the
        # fail2ban-ssh ipset defined under `ipsets:`.
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      # Individually opened ports. The Jinja guard is evaluated before the
      # YAML is parsed: the Salt master ports 4505/4506 are only emitted on
      # the minion whose id is salt.example.com, every other host gets just
      # the three entries after the guard.
      ports:
        {% if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        {% endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
  111. direct:
  112. chain:
  113. MYCHAIN:
  114. ipv: ipv4
  115. table: raw
  116. rule:
  117. INTERNETACCESS:
  118. ipv: ipv4
  119. table: filter
  120. chain: FORWARD
  121. priority: "0"
  122. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  123. passthrough:
  124. MYPASSTHROUGH:
  125. ipv: ipv4
  126. args: "-t raw -A MYCHAIN -j DROP"