|
- # FirewallD pillar examples:
- firewalld:
- enabled: True
-
- ipset:
- manage: True
- pkg: ipset
-
- # ipset: # Deprecated. Support for this format will be removed in future releases
- # ipsetpackag: ipset # Deprecated. Will be removed in future releases
-
- backend:
- manage: True
- pkg: nftables
-
- # installbackend: True # Deprecated. Will be removed in future releases
- # backendpackage: nftables # Deprecated. Will be removed in future releases
-
- default_zone: public
-
- services:
- sshcustom:
- short: sshcustom
- description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
- ports:
- tcp:
- - 3232
- - 5252
- modules:
- - some_module_to_load
- destinations:
- ipv4:
- - 224.0.0.251
- - 224.0.0.252
- ipv6:
- - ff02::fb
- - ff02::fc
-
- zabbixcustom:
- short: Zabbixcustom
- description: "zabbix custom rule"
- ports:
- tcp:
- - "10051"
- salt-minion:
- short: salt-minion
- description: "salt-minion"
- ports:
- tcp:
- - "8000"
-
- ipsets:
- fail2ban-ssh:
- short: fail2ban-ssh
- description: fail2ban-ssh ipset
- type: 'hash:ip'
- options:
- maxelem:
- - 65536
- timeout:
- - 300
- hashsize:
- - 1024
- entries:
- - 10.0.0.1
- fail2ban-ssh-ipv6:
- short: fail2ban-ssh-ipv6
- description: fail2ban-ssh-ipv6 ipset
- type: 'hash:ip'
- options:
- family:
- - inet6
- maxelem:
- - 65536
- timeout:
- - 300
- hashsize:
- - 1024
- entries:
- - 2a01::1
-
- zones:
- public:
- short: Public
- description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
- services:
- - http
- - zabbixcustom
- - https
- - ssh
- - salt-minion
- rich_rules:
- - family: ipv4
- source:
- address: 8.8.8.8/24
- accept: true
- - family: ipv4
- ipset:
- name: fail2ban-ssh
- reject:
- type: icmp-port-unreachable
- ports:
- {% if grains['id'] == 'salt.example.com' %}
- - comment: salt-master
- port: 4505
- protocol: tcp
- - comment: salt-python
- port: 4506
- protocol: tcp
- {% endif %}
- - comment: zabbix-agent
- port: 10050
- protocol: tcp
- - comment: bacula-client
- port: 9102
- protocol: tcp
- - comment: vsftpd
- port: 21
- protocol: tcp
-
- direct:
- chain:
- MYCHAIN:
- ipv: ipv4
- table: raw
- rule:
- INTERNETACCESS:
- ipv: ipv4
- table: filter
- chain: FORWARD
- priority: "0"
- args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
- passthrough:
- MYPASSTHROUGH:
- ipv: ipv4
- args: "-t raw -A MYCHAIN -j DROP"
|