salt
/
firewalld-formula
форк від ExternalMirrors/firewalld-formula


			
				
					
						
						
							
							# FirewallD pillar examples:
firewalld:
  enabled: True

  ipset:
    manage: True
    pkg: ipset

  # ipset:                          # Deprecated. Support for this format will be removed in future releases
  # ipsetpackag: ipset              # Deprecated. Will be removed in future releases

  backend:
    manage: True
    pkg: nftables

  # installbackend: True            # Deprecated. Will be removed in future releases
  # backendpackage: nftables        # Deprecated. Will be removed in future releases

  default_zone: public

  services:
    sshcustom:
      short: sshcustom
      description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
      ports:
        tcp:
          - 3232
          - 5252
      modules:
        - some_module_to_load
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc

    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1

  zones:
    public:
      short: Public
      description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
      services:
        - http
        - zabbixcustom
        - https
        - ssh
        - salt-minion
      rich_rules:
        - family: ipv4
          source:
              address: 8.8.8.8/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      ports:
{% if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
{% endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp

  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: "-t raw -A MYCHAIN -j DROP"