Mark Gomersbach
7 jaren geleden
3 gewijzigde bestanden met toevoegingen van 38 en 10 verwijderingen
+ 7
- 3
_states/ufw.py
Bestand weergeven
| @@ -27,7 +27,7 @@ def _resolve(host): | |||
| return socket.gethostbyname(host) | |||
| def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port): | |||
| def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment): | |||
| cmd = [method] | |||
| if app is not None: | |||
| cmd.append("from") | |||
| @@ -72,6 +72,10 @@ def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to | |||
| if to_port is not None: | |||
| cmd.append("port") | |||
| cmd.append(to_port) | |||
| if comment is not None: | |||
| cmd.append("comment") | |||
| cmd.append(comment) | |||
| real_cmd = ' '.join(cmd) | |||
| return real_cmd | |||
| @@ -134,10 +138,10 @@ def default_outgoing(name, default): | |||
| def allowed(name, app=None, interface=None, protocol=None, | |||
| from_addr=None, from_port=None, to_addr=None, to_port=None): | |||
| from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None): | |||
| rule = _as_rule("allow", app=app, interface=interface, protocol=protocol, | |||
| from_addr=from_addr, from_port=from_port, to_addr=to_addr, to_port=to_port) | |||
| from_addr=from_addr, from_port=from_port, to_addr=to_addr, to_port=to_port, comment=comment) | |||
| if __opts__['test']: | |||
| return _test(name, "{0}: {1}".format(name, rule)) | |||
+ 9
- 1
pillar.example
Bestand weergeven
| @@ -37,6 +37,7 @@ ufw: | |||
| from_addr: | |||
| - 10.0.2.15 | |||
| - 10.0.2.16 | |||
| comment: Upstream loadbalancers | |||
| # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip. | |||
| https: | |||
| @@ -44,28 +45,35 @@ ufw: | |||
| from_addr: | |||
| - 10.0.0.0/8 | |||
| to_addr: 10.0.2.1 | |||
| comment: Intraweb portal | |||
| # Allow from a service port. | |||
| smtp: | |||
| protocol: tcp | |||
| comment: Mail relay | |||
| # Allow from an specific port, by number. | |||
| 139: | |||
| protocol: tcp | |||
| comment: Netbios | |||
| # Allow from a range of ports, udp. | |||
| "10000:20000": | |||
| protocol: udp | |||
| comment: We need ports, lots of ports | |||
| # Allow from two specific ports, udp. | |||
| "30000,40000": | |||
| protocol: udp | |||
| comment: Game server and admin | |||
| # Allow an application defined at /etc/ufw/applications.d/ | |||
| applications: | |||
| OpenSSH: | |||
| enabled: True | |||
| comment: We are using fail2ban anyway | |||
| # Allow all traffic in on the specified interface | |||
| interfaces: | |||
| - eth1 | |||
| eth1: | |||
| comment: Honey pot | |||
+ 22
- 6
ufw/init.sls
Bestand weergeven
| @@ -46,6 +46,7 @@ ufw: | |||
| {%- set protocol = service_details.get('protocol', None) %} | |||
| {%- set from_port = service_details.get('from_port', None) %} | |||
| {%- set to_addr = service_details.get('to_addr', None) %} | |||
| {%- set comment = service_details.get('comment', None) %} | |||
| ufw-svc-{{service_name}}-{{from_addr}}: | |||
| ufw.allowed: | |||
| @@ -61,6 +62,9 @@ ufw-svc-{{service_name}}-{{from_addr}}: | |||
| {%- if to_addr != None %} | |||
| - to_addr: {{to_addr}} | |||
| {%- endif %} | |||
| {%- if comment != None %} | |||
| - comment: '"{{comment}}"' | |||
| {%- endif %} | |||
| - to_port: "{{service_name}}" | |||
| - require: | |||
| - pkg: ufw | |||
| @@ -76,6 +80,7 @@ ufw-svc-{{service_name}}-{{from_addr}}: | |||
| {%- for from_addr in app_details.get('from_addr', [None]) %} | |||
| {%- set to_addr = app_details.get('to_addr', None) %} | |||
| {%- set comment = app_details.get('comment', None) %} | |||
| {%- if from_addr != None%} | |||
| ufw-app-{{app_name}}-{{from_addr}}: | |||
| @@ -90,6 +95,9 @@ ufw-app-{{app_name}}: | |||
| {%- if to_addr != None %} | |||
| - to_addr: {{to_addr}} | |||
| {%- endif %} | |||
| {%- if comment != None %} | |||
| - comment: '"{{comment}}"' | |||
| {%- endif %} | |||
| - require: | |||
| - pkg: ufw | |||
| - listen_in: | |||
| @@ -99,11 +107,15 @@ ufw-app-{{app_name}}: | |||
| {%- endfor %} | |||
| # Interfaces | |||
| {%- for interface in ufw.get('interfaces', []) %} | |||
| {%- for interface_name, interface_details in ufw.get('interfaces', {}).items() %} | |||
| {%- set comment = interface_details.get('comment', None) %} | |||
| ufw-interface-{{interface}}: | |||
| ufw-interface-{{interface_name}}: | |||
| ufw.allowed: | |||
| - interface: {{interface}} | |||
| - interface: {{interface_name}} | |||
| {%- if comment != None %} | |||
| - comment: '"{{comment}}"' | |||
| {%- endif %} | |||
| - require: | |||
| - pkg: ufw | |||
| - listen_in: | |||
| @@ -112,11 +124,15 @@ ufw-interface-{{interface}}: | |||
| {%- endfor %} | |||
| # Open | |||
| {%- for from_addr in ufw.get('open', {}).get('from_addr', []) %} | |||
| {%- for open_addr, open_details in ufw.get('open', {}).items() %} | |||
| {%- set comment = open_details.get('comment', None) %} | |||
| ufw-open-{{from_addr}}: | |||
| ufw-open-{{open_addr}}: | |||
| ufw.allowed: | |||
| - from_addr: {{from_addr}} | |||
| - from_addr: {{open_addr}} | |||
| {%- if comment != None %} | |||
| - comment: '"{{comment}}"' | |||
| {%- endif %} | |||
| - require: | |||
| - pkg: ufw | |||
| - listen_in: | |||
Laden…