Saltstack Official FirewallD Formula
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.

141 line
4.6KB

  1. # == State: firewalld._zone
  2. #
  3. # This state ensures that /etc/firewalld/zones/ exists.
  4. #
  5. /etc/firewalld/zones:
  6. file.directory: # make sure this is a directory
  7. - user: root
  8. - group: root
  9. - mode: 750
  10. - require:
  11. - pkg: firewalld # make sure package is installed
  12. - watch_in:
  13. - service: firewalld # restart service
  14. # == Define: firewalld._zone
  15. #
  16. # This defines a zone configuration, see firewalld.zone (5) man page.
  17. #
  18. {% for k, v in salt['pillar.get']('firewalld:zones', {}).items() %}
  19. {% set z_name = v.name|default(k) %}
  20. /etc/firewalld/zones/{{ z_name }}.xml:
  21. file:
  22. - managed
  23. - name: /etc/firewalld/zones/{{ z_name }}.xml
  24. - user: root
  25. - group: root
  26. - mode: 644
  27. - source: salt://firewalld/files/zone.xml
  28. - template: jinja
  29. - require:
  30. - pkg: firewalld # make sure package is installed
  31. - watch_in:
  32. - service: firewalld # restart service
  33. - context:
  34. name: {{ z_name }}
  35. zone: {{ v }}
  36. {% endfor %}
  37. # === Parameters
  38. #
  39. # [*target*] can be one of {'ACCEPT', '%%REJECT%%', 'DROP'}.
  40. # Used to accept, reject or drop every packet that
  41. # doesn't match any rule (port, service, etc.).
  42. # Default (when target is not specified) is reject.
  43. # [*short*] short readable name
  44. # [*description*] long description of zone
  45. # [*interfaces*] list of interfaces to bind to a zone
  46. # [*sources*] list of source addresses or source address
  47. # ranges ("address/mask") to bind to a zone
  48. # [*ports*]
  49. # list of ports to open
  50. # ports => [{
  51. # comment => optional, string
  52. # port => mandatory, string, e.g. '1234'
  53. # protocol => mandatory, string, e.g. 'tcp' },...]
  54. # [*services*] list of predefined firewalld services
  55. # [*icmp_blocks*] list of predefined icmp-types to block
  56. # [*masquerade*] enable masquerading ?
  57. # [*forward_ports*]
  58. # list of ports to forward to other port and/or machine
  59. # forward_ports => [{
  60. # comment => optional, string
  61. # portid => mandatory, string, e.g. '123'
  62. # protocol => mandatory, string, e.g. 'tcp'
  63. # to_port => mandatory to specify either to_port or/and to_addr
  64. # to_addr => mandatory to specify either to_port or/and to_addr },...]
  65. # [*rich_rules*]
  66. # list of rich language rules (firewalld.richlanguage(5))
  67. # You have to specify one (and only one)
  68. # of {service, port, protocol, icmp_block, masquerade, forward_port}
  69. # and one (and only one) of {accept, reject, drop}
  70. # family - 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)
  71. # source => { optional, see Source in firewalld.richlanguage(5)
  72. # address => mandatory, string, e.g. '192.168.1.0/24'
  73. # invert => optional, bool, e.g. true }
  74. # destination => { optional, see Destination in firewalld.richlanguage(5)
  75. # address => mandatory, string
  76. # invert => optional, bool, e.g. true }
  77. # service - string, see Service in firewalld.richlanguage(5)
  78. # port => { see Port in firewalld.richlanguage(5)
  79. # portid => mandatory
  80. # protocol => mandatory }
  81. # protocol - string, see Protocol in firewalld.richlanguage(5)
  82. # icmp_block - string, see ICMP-Block in firewalld.richlanguage(5)
  83. # masquerade - bool, see Masquerade in firewalld.richlanguage(5)
  84. # forward_port => { see Forward-Port in firewalld.richlanguage(5)
  85. # portid => mandatory
  86. # protocol => mandatory
  87. # to_port => mandatory to specify either to_port or/and to_addr
  88. # to_addr => mandatory to specify either to_port or/and to_addr }
  89. # log => { see Log in firewalld.richlanguage(5)
  90. # prefix => string, optional
  91. # level => string, optional
  92. # limit => string, optional }
  93. # audit => { see Audit in firewalld.richlanguage(5)
  94. # limit => string, optional }
  95. # accept - any value, e.g. true, see Action in firewalld.richlanguage(5)
  96. # reject => { see Action in firewalld.richlanguage(5)
  97. # type => string, optional }
  98. # drop - any value, e.g. true, see Action in firewalld.richlanguage(5)
  99. #
  100. # === Examples
  101. #
  102. # firewalld::zone { "custom":
  103. # description => "This is an example zone",
  104. # services => ["ssh", "dhcpv6-client"],
  105. # ports => [{
  106. # comment => "for our dummy service",
  107. # port => "1234",
  108. # protocol => "tcp",},],
  109. # masquerade => true,
  110. # forward_ports => [{
  111. # comment => 'forward 123 to other machine',
  112. # portid => '123',
  113. # protocol => 'tcp',
  114. # to_port => '321',
  115. # to_addr => '1.2.3.4',},],
  116. # rich_rules => [{
  117. # family => 'ipv4',
  118. # source => {
  119. # address => '192.168.1.0/24',
  120. # invert => true,},
  121. # port => {
  122. # portid => '123-321',
  123. # protocol => 'udp',},
  124. # log => {
  125. # prefix => 'local',
  126. # level => 'notice',
  127. # limit => '3/s',},
  128. # audit => {
  129. # limit => '2/h',},
  130. # reject => {
  131. # type => 'icmp-host-prohibited',},
  132. # },],}
  133. #