salt
/
firewalld-formula
複製自 ExternalMirrors/firewalld-formula
關注 2
收藏 0
複製 0
程式碼 版本發佈 2 活動
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
52 提交
1 分支
目錄樹: d3928d1be0
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 'd3928d1be0'
${ noResults }
firewalld-formula/pillar.example

113 line
2.7KB
原始文件 Blame 歷史記錄 

  1. # FirewallD pillar examples:

  2. firewalld:

  3.   enabled: True

  4.   ipset:

  5.     manage: True

  6.     pkg: ipset

  7. 

  8.   installbackend: False

  9.   default_zone: public

  10. 

  11.   services:

  12.     sshcustom:

  13.       short: sshcustom

  14.       description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.

  15.       ports:

  16.         tcp:

  17.           - 3232

  18.           - 5252

  19.       modules:

  20.         - some_module_to_load

  21.       destinations:

  22.         ipv4:

  23.           - 224.0.0.251

  24.           - 224.0.0.252

  25.         ipv6:

  26.           - ff02::fb

  27.           - ff02::fc

  28. 

  29.     zabbixcustom:

  30.       short: Zabbixcustom

  31.       description: "zabbix custom rule"

  32.       ports:

  33.         tcp:

  34.           - "10051"

  35.     salt-minion:

  36.       short: salt-minion

  37.       description: "salt-minion"

  38.       ports:

  39.         tcp:

  40.           - "8000"

  41. 

  42.   ipsets:

  43.     fail2ban-ssh:

  44.       short: fail2ban-ssh

  45.       description: fail2ban-ssh ipset

  46.       type: 'hash:ip'

  47.       options:

  48.         maxelem:

  49.           - 65536

  50.         timeout:

  51.           - 300

  52.         hashsize:

  53.           - 1024

  54.       entries:

  55.         - 10.0.0.1

  56. 

  57.   zones:

  58.     public:

  59.       short: Public

  60.       description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."

  61.       services:

  62.         - http

  63.         - zabbixcustom

  64.         - https

  65.         - ssh

  66.         - salt-minion

  67.       rich_rules:

  68.         - family: ipv4

  69.           source:

  70.               address: 8.8.8.8/24

  71.           accept: true

  72.         - family: ipv4

  73.           ipset:

  74.             name: fail2ban-ssh

  75.           reject:

  76.             type: icmp-port-unreachable

  77.       ports:

  78. {% if grains['id'] == 'salt.example.com' %}

  79.         - comment: salt-master

  80.           port: 4505

  81.           protocol: tcp

  82.         - comment: salt-python

  83.           port: 4506

  84.           protocol: tcp

  85. {% endif %}

  86.         - comment: zabbix-agent

  87.           port: 10050

  88.           protocol: tcp

  89.         - comment: bacula-client

  90.           port: 9102

  91.           protocol: tcp

  92.         - comment: vsftpd

  93.           port: 21

  94.           protocol: tcp

  95. 

  96.   direct:

  97.     chain:

  98.       MYCHAIN:

  99.         ipv: ipv4

  100.         table: raw

  101.     rule:

  102.       INTERNETACCESS:

  103.         ipv: ipv4

  104.         table: filter

  105.         chain: FORWARD

  106.         priority: "0"

  107.         args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"

  108.     passthrough:

  109.       MYPASSTHROUGH:

  110.         ipv: ipv4

  111.         args: "-t raw -A MYCHAIN -j DROP"