
Added support for comments in all forms and added them to the example.

tags/v0.2.0
Mark Gomersbach 7 years ago
parent
commit
feeca63dbd
3 changed files with 38 additions and 10 deletions
  1. +7
    -3
      _states/ufw.py
  2. +9
    -1
      pillar.example
  3. +22
    -6
      ufw/init.sls

+ 7
- 3
_states/ufw.py View File

return socket.gethostbyname(host) return socket.gethostbyname(host)




def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port):
def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment):
cmd = [method] cmd = [method]
if app is not None: if app is not None:
cmd.append("from") cmd.append("from")
if to_port is not None: if to_port is not None:
cmd.append("port") cmd.append("port")
cmd.append(to_port) cmd.append(to_port)

if comment is not None:
cmd.append("comment")
cmd.append(comment)
real_cmd = ' '.join(cmd) real_cmd = ' '.join(cmd)
return real_cmd return real_cmd






def allowed(name, app=None, interface=None, protocol=None, def allowed(name, app=None, interface=None, protocol=None,
from_addr=None, from_port=None, to_addr=None, to_port=None):
from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None):


rule = _as_rule("allow", app=app, interface=interface, protocol=protocol, rule = _as_rule("allow", app=app, interface=interface, protocol=protocol,
from_addr=from_addr, from_port=from_port, to_addr=to_addr, to_port=to_port)
from_addr=from_addr, from_port=from_port, to_addr=to_addr, to_port=to_port, comment=comment)


if __opts__['test']: if __opts__['test']:
return _test(name, "{0}: {1}".format(name, rule)) return _test(name, "{0}: {1}".format(name, rule))
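Review bot: The `comment` value is appended to `cmd` unquoted in the two `cmd.append` lines under `if comment is not None:` and then flattened by `' '.join(cmd)`, so the only quoting it ever receives is the literal `"…"` that ufw/init.sls wraps around it in the template; a pillar comment containing a double quote, `$` or a backtick would end that quoted argument early if `real_cmd` is later executed through a shell (how it is run is outside this hunk). Quoting belongs in the module that builds the command, `cmd.append(shlex.quote(comment))` with `import shlex` at the top of the file, after which the template can pass the plain value. `allowed` gains the new keyword `comment=None`, but the docstring between its signature and the `_as_rule` call does not appear to describe it; add a line such as `comment: optional free-text label attached to the rule (ufw 'comment' keyword)`. ufw only accepts the `comment` keyword on releases that support rule comments, so on an older ufw the generated command will presumably be rejected rather than silently ignored — worth a note in the README or a version check before appending it. `allowed`'s body continues outside the hunk.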

+ 9
- 1
pillar.example View File

from_addr: from_addr:
- 10.0.2.15 - 10.0.2.15
- 10.0.2.16 - 10.0.2.16
comment: Upstream loadbalancers


# Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip. # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.
https: https:
from_addr: from_addr:
- 10.0.0.0/8 - 10.0.0.0/8
to_addr: 10.0.2.1 to_addr: 10.0.2.1
comment: Intraweb portal


# Allow from a service port. # Allow from a service port.
smtp: smtp:
protocol: tcp protocol: tcp
comment: Mail relay


# Allow from an specific port, by number. # Allow from an specific port, by number.
139: 139:
protocol: tcp protocol: tcp
comment: Netbios


# Allow from a range of ports, udp. # Allow from a range of ports, udp.
"10000:20000": "10000:20000":
protocol: udp protocol: udp
comment: We need ports, lots of ports


# Allow from two specific ports, udp. # Allow from two specific ports, udp.
"30000,40000": "30000,40000":
protocol: udp protocol: udp
comment: Game server and admin


# Allow an application defined at /etc/ufw/applications.d/ # Allow an application defined at /etc/ufw/applications.d/
applications: applications:
OpenSSH: OpenSSH:
enabled: True enabled: True
comment: We are using fail2ban anyway


# Allow all traffic in on the specified interface # Allow all traffic in on the specified interface
interfaces: interfaces:
- eth1
eth1:
comment: Honey pot

+ 22
- 6
ufw/init.sls View File

{%- set protocol = service_details.get('protocol', None) %} {%- set protocol = service_details.get('protocol', None) %}
{%- set from_port = service_details.get('from_port', None) %} {%- set from_port = service_details.get('from_port', None) %}
{%- set to_addr = service_details.get('to_addr', None) %} {%- set to_addr = service_details.get('to_addr', None) %}
{%- set comment = service_details.get('comment', None) %}


ufw-svc-{{service_name}}-{{from_addr}}: ufw-svc-{{service_name}}-{{from_addr}}:
ufw.allowed: ufw.allowed:
{%- if to_addr != None %} {%- if to_addr != None %}
- to_addr: {{to_addr}} - to_addr: {{to_addr}}
{%- endif %} {%- endif %}
{%- if comment != None %}
- comment: '"{{comment}}"'
{%- endif %}
- to_port: "{{service_name}}" - to_port: "{{service_name}}"
- require: - require:
- pkg: ufw - pkg: ufw
{%- for from_addr in app_details.get('from_addr', [None]) %} {%- for from_addr in app_details.get('from_addr', [None]) %}
{%- set to_addr = app_details.get('to_addr', None) %} {%- set to_addr = app_details.get('to_addr', None) %}
{%- set comment = app_details.get('comment', None) %}


{%- if from_addr != None%} {%- if from_addr != None%}
ufw-app-{{app_name}}-{{from_addr}}: ufw-app-{{app_name}}-{{from_addr}}:
{%- if to_addr != None %} {%- if to_addr != None %}
- to_addr: {{to_addr}} - to_addr: {{to_addr}}
{%- endif %} {%- endif %}
{%- if comment != None %}
- comment: '"{{comment}}"'
{%- endif %}
- require: - require:
- pkg: ufw - pkg: ufw
- listen_in: - listen_in:
{%- endfor %} {%- endfor %}
# Interfaces # Interfaces
{%- for interface in ufw.get('interfaces', []) %}
{%- for interface_name, interface_details in ufw.get('interfaces', {}).items() %}
{%- set comment = interface_details.get('comment', None) %}


ufw-interface-{{interface}}:
ufw-interface-{{interface_name}}:
ufw.allowed: ufw.allowed:
- interface: {{interface}}
- interface: {{interface_name}}
{%- if comment != None %}
- comment: '"{{comment}}"'
{%- endif %}
- require: - require:
- pkg: ufw - pkg: ufw
- listen_in: - listen_in:
{%- endfor %} {%- endfor %}


# Open # Open
{%- for from_addr in ufw.get('open', {}).get('from_addr', []) %}
{%- for open_addr, open_details in ufw.get('open', {}).items() %}
{%- set comment = open_details.get('comment', None) %}


ufw-open-{{from_addr}}:
ufw-open-{{open_addr}}:
ufw.allowed: ufw.allowed:
- from_addr: {{from_addr}}
- from_addr: {{open_addr}}
{%- if comment != None %}
- comment: '"{{comment}}"'
{%- endif %}
- require: - require:
- pkg: ufw - pkg: ufw
- listen_in: - listen_in:
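Review bot: The four new `- comment: '"{{comment}}"'` lines hard-code shell double quotes into a single-quoted YAML scalar, which is fragile in both directions: a comment containing `'` breaks the YAML scalar, and one containing `"` (or shell metacharacters) breaks the shell quoting that the state module then relies on when it joins the command; the template should pass the plain value and `_as_rule` in _states/ufw.py should quote it once. Separately, the `interfaces` loop now iterates `ufw.get('interfaces', {}).items()` and the `open` loop iterates `ufw.get('open', {}).items()`, so a pillar still using the previous shapes (`interfaces: [eth1]` or `open: {from_addr: [...]}`) fails to render — a pillar schema break the commit message does not mention; either accept both shapes (`{%- if interfaces is mapping %}` branching) or call it out in pillar.example and the release notes for v0.2.0. The `open` loop's `endfor` is outside this section.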
