salt
/
firewalld-formula
forked from ExternalMirrors/firewalld-formula
Watch 2
Star 0
Fork 0
Code Releases 2 Activity
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
Tree: baa2afab61
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'baa2afab61'
${ noResults }
firewalld-formula/firewalld/_zone.sls

141 lines
4.6KB
Raw Blame History 

  1. # == State: firewalld._zone

  2. #

  3. # This state ensures that /etc/firewalld/zones/ exists.

  4. #

  5. /etc/firewalld/zones:

  6.   file.directory:            # make sure this is a directory

  7.     - user: root

  8.     - group: root

  9.     - mode: 750

  10.     - require:

  11.       - pkg: firewalld       # make sure package is installed

  12.     - watch_in:

  13.       - service: firewalld   # restart service

  14.       

  15. 

  16. # == Define: firewalld._zone

  17. #

  18. # This defines a zone configuration, see firewalld.zone (5) man page.

  19. #

  20. {% for k, v in salt['pillar.get']('firewalld:zones', {}).items() %}

  21. {% set z_name = v.name|default(k) %}

  22. 

  23. /etc/firewalld/zones/{{ z_name }}.xml:

  24.   file:

  25.     - managed

  26.     - name: /etc/firewalld/zones/{{ z_name }}.xml

  27.     - user: root

  28.     - group: root

  29.     - mode: 644

  30.     - source: salt://firewalld/files/zone.xml

  31.     - template: jinja

  32.     - require:

  33.       - pkg: firewalld       # make sure package is installed

  34.     - watch_in: 

  35.       - service: firewalld   # restart service

  36.     - context:

  37.         name: {{ z_name }}

  38.         zone: {{ v }}

  39. 

  40. {% endfor %}

  41. 

  42. 

  43. 

  44. # === Parameters

  45. #

  46. # [*target*]		can be one of {'ACCEPT', '%%REJECT%%', 'DROP'}.

  47. #			Used to accept, reject or drop every packet that

  48. #			doesn't match any rule (port, service, etc.).

  49. #			Default (when target is not specified) is reject.

  50. # [*short*]		short readable name

  51. # [*description*]	long description of zone

  52. # [*interfaces*]	list of interfaces to bind to a zone

  53. # [*sources*]		list of source addresses or source address

  54. #			ranges ("address/mask") to bind to a zone

  55. # [*ports*]

  56. #   list of ports to open

  57. #	ports  => [{

  58. #		comment  => optional, string

  59. #		port     => mandatory, string, e.g. '1234'

  60. #		protocol => mandatory, string, e.g. 'tcp' },...]

  61. # [*services*]		list of predefined firewalld services

  62. # [*icmp_blocks*]	list of predefined icmp-types to block

  63. # [*masquerade*]	enable masquerading ?

  64. # [*forward_ports*]

  65. #   list of ports to forward to other port and/or machine

  66. #	forward_ports  => [{

  67. #		comment  => optional, string

  68. #		portid   => mandatory, string, e.g. '123'

  69. #		protocol => mandatory, string, e.g. 'tcp'

  70. #		to_port  => mandatory to specify either to_port or/and to_addr

  71. #		to_addr  => mandatory to specify either to_port or/and to_addr },...]

  72. # [*rich_rules*]

  73. #   list of rich language rules (firewalld.richlanguage(5))

  74. #	You have to specify one (and only one)

  75. #	of {service, port, protocol, icmp_block, masquerade, forward_port}

  76. #	and one (and only one) of {accept, reject, drop}

  77. #	family - 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)

  78. #	source  => {  optional, see Source in firewalld.richlanguage(5)

  79. #		address  => mandatory, string, e.g. '192.168.1.0/24'

  80. #		invert   => optional, bool, e.g. true }

  81. #	destination => { optional, see Destination in firewalld.richlanguage(5)

  82. #		address => mandatory, string

  83. #		invert  => optional, bool, e.g. true }

  84. #	service - string, see Service in firewalld.richlanguage(5)

  85. #	port => { see Port in firewalld.richlanguage(5)

  86. #		portid   => mandatory

  87. #			protocol => mandatory }

  88. #	protocol - string, see Protocol in firewalld.richlanguage(5)

  89. #	icmp_block - string, see ICMP-Block in firewalld.richlanguage(5)

  90. #	masquerade - bool, see Masquerade in firewalld.richlanguage(5)

  91. #	forward_port => { see Forward-Port in firewalld.richlanguage(5)

  92. #		portid   => mandatory

  93. #		protocol => mandatory

  94. #		to_port  => mandatory to specify either to_port or/and to_addr

  95. #		to_addr  => mandatory to specify either to_port or/and to_addr }

  96. #	log => {   see Log in firewalld.richlanguage(5)

  97. #		prefix => string, optional

  98. #		level  => string, optional

  99. #		limit  => string, optional }

  100. #	audit => {  see Audit in firewalld.richlanguage(5)

  101. #		limit => string, optional }

  102. #	accept - any value, e.g. true, see Action in firewalld.richlanguage(5)

  103. #	reject => { see Action in firewalld.richlanguage(5)

  104. #		type => string, optional }

  105. #	drop - any value, e.g. true, see Action in firewalld.richlanguage(5)

  106. #

  107. # === Examples

  108. #

  109. #  firewalld::zone { "custom":

  110. #	description	=> "This is an example zone",

  111. #	services	=> ["ssh", "dhcpv6-client"],

  112. #	ports		=> [{

  113. #			comment		=> "for our dummy service",

  114. #			port		=> "1234",

  115. #			protocol	=> "tcp",},],

  116. #	masquerade	=> true,

  117. #	forward_ports	=> [{

  118. #			comment		=> 'forward 123 to other machine',

  119. #			portid		=> '123',

  120. #			protocol	=> 'tcp',

  121. #			to_port		=> '321',

  122. #			to_addr		=> '1.2.3.4',},],

  123. #	rich_rules	=> [{

  124. #			family		=> 'ipv4',

  125. #			source		=> {

  126. #				address		=> '192.168.1.0/24',

  127. #				invert		=> true,},

  128. #			port		=> {

  129. #				portid		=> '123-321',

  130. #				protocol	=> 'udp',},

  131. #			log		=> {

  132. #				prefix		=> 'local',

  133. #				level		=> 'notice',

  134. #				limit		=> '3/s',},

  135. #			audit		=> {

  136. #				limit		=> '2/h',},

  137. #			reject		=> {

  138. #				type		=> 'icmp-host-prohibited',},

  139. #			},],}

  140. #