  1. # FirewallD pillar examples:
  2. firewalld:
  3. enabled: True
  4. ipset: True
  5. installbackend: False
  6. default_zone: public
  7. services:
  8. sshcustom:
  9. short: sshcustom
  10. description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  11. ports:
  12. tcp:
  13. - 3232
  14. - 5252
  15. modules:
  16. - some_module_to_load
  17. destinations:
  18. ipv4:
  19. - 224.0.0.251
  20. - 224.0.0.252
  21. ipv6:
  22. - ff02::fb
  23. - ff02::fc
  24. zabbixcustom:
  25. short: Zabbixcustom
  26. description: "zabbix custom rule"
  27. ports:
  28. tcp:
  29. - "10051"
  30. salt-minion:
  31. short: salt-minion
  32. description: "salt-minion"
  33. ports:
  34. tcp:
  35. - "8000"
  36. ipsets:
  37. fail2ban-ssh:
  38. short: fail2ban-ssh
  39. description: fail2ban-ssh ipset
  40. type: 'hash:ip'
  41. options:
  42. maxelem:
  43. - 65536
  44. timeout:
  45. - 300
  46. hashsize:
  47. - 1024
  48. entries:
  49. - 10.0.0.1
  50. zones:
  51. public:
  52. short: Public
  53. description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
  54. services:
  55. - http
  56. - zabbixcustom
  57. - https
  58. - ssh
  59. - salt-minion
  60. rich_rules:
  61. - family: ipv4
  62. source:
  63. address: 8.8.8.8/24
  64. accept: true
  65. - family: ipv4
  66. ipset:
  67. name: fail2ban-ssh
  68. reject:
  69. type: icmp-port-unreachable
  70. ports:
  71. {% if grains['id'] == 'salt.example.com' %}
  72. - comment: salt-master
  73. port: 4505
  74. protocol: tcp
  75. - comment: salt-python
  76. port: 4506
  77. protocol: tcp
  78. {% endif %}
  79. - comment: zabbix-agent
  80. port: 10050
  81. protocol: tcp
  82. - comment: bacula-client
  83. port: 9102
  84. protocol: tcp
  85. - comment: vsftpd
  86. port: 21
  87. protocol: tcp
  88. direct:
  89. chain:
  90. MYCHAIN:
  91. ipv: ipv4
  92. table: raw
  93. rule:
  94. INTERNETACCESS:
  95. ipv: ipv4
  96. table: filter
  97. chain: FORWARD
  98. priority: "0"
  99. args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
  100. passthrough:
  101. MYPASSTHROUGH:
  102. ipv: ipv4
  103. args: "-t raw -A MYCHAIN -j DROP"