salt
/
ufw-formula
forked from ExternalMirrors/ufw-formula
Watch 2
Star 0
Fork 0
Code Releases 8 Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 Commits
1 Branch
Tree: 6fdd5c2cff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6fdd5c2cff'
${ noResults }
ufw-formula/ufw/init.sls

147 lines
3.2KB
Raw Blame History 

  1. # UFW management module

  2. {%- set ufw = pillar.get('ufw', {}) %}

  3. {%- if ufw.get('enabled', False) %}

  4. {% from "ufw/map.jinja" import ufwmap with context %}

  5. {% set default_template = ufw.get('default_template', 'salt://ufw/templates/default.jinja') -%}

  6. {% set sysctl_template = ufw.get('sysctl_template', 'salt://ufw/templates/sysctl.jinja') -%}

  7. 

  8. ufw:

  9.   pkg.installed:

  10.     - name: {{ ufwmap.pkg }}

  11.   service.running:

  12.     - enable: True

  13.     - watch:

  14.       - file: /etc/default/ufw

  15.       - file: /etc/ufw/sysctl.conf

  16. 

  17. /etc/default/ufw:

  18.   file.managed:

  19.     - template: jinja

  20.     - user: root

  21.     - group: root

  22.     - mode: 644

  23.     - source: {{ default_template }}

  24. 

  25. /etc/ufw/sysctl.conf:

  26.   file.managed:

  27.     - template: jinja

  28.     - user: root

  29.     - group: root

  30.     - mode: 644

  31.     - source: {{ sysctl_template }}

  32. 

  33. /etc/ufw/applications.d:

  34.   file.recurse:

  35.     - user: root

  36.     - group: root

  37.     - file_mode: 644

  38.     - clean: False

  39.     - source: salt://ufw/files/applications.d

  40. 

  41.   # services

  42.   {%- for service_name, service_details in ufw.get('services', {}).items() %}

  43. 

  44.     {%- for from_addr in service_details.get('from_addr', [None]) %}

  45. 

  46.       {%- set protocol  = service_details.get('protocol', None) %}

  47.       {%- set from_port = service_details.get('from_port', None) %}

  48.       {%- set to_addr   = service_details.get('to_addr', None) %}

  49. 

  50. ufw-svc-{{service_name}}-{{from_addr}}:

  51.   ufw.allowed:

  52.     {%- if protocol != None %}

  53.     - protocol: {{protocol}}

  54.     {%- endif %}

  55.     {%- if from_addr != None %}

  56.     - from_addr: {{from_addr}}

  57.     {%- endif %}

  58.     {%- if from_port != None %}

  59.     - from_port: "{{from_port}}"

  60.     {%- endif %}

  61.     {%- if to_addr != None %}

  62.     - to_addr: {{to_addr}}

  63.     {%- endif %}

  64.     - to_port: "{{service_name}}"

  65.     - require:

  66.       - pkg: ufw

  67.     - listen_in:

  68.       - cmd: reload-ufw

  69. 

  70.     {%- endfor %}

  71. 

  72.   {%- endfor %}

  73. 

  74.   # Applications

  75.   {%- for app_name, app_details in ufw.get('applications', {}).items() %}

  76.     

  77.     {%- for from_addr in app_details.get('from_addr', [None]) %}

  78.       {%- set to_addr = app_details.get('to_addr', None) %}

  79. 

  80. {%- if from_addr != None%}

  81. ufw-app-{{app_name}}-{{from_addr}}:

  82. {%- else %}

  83. ufw-app-{{app_name}}:

  84. {%- endif %}

  85.   ufw.allowed:

  86.     - app: '"{{app_name}}"'

  87.     {%- if from_addr != None %}

  88.     - from_addr: {{from_addr}}

  89.     {%- endif %}

  90.     {%- if to_addr != None %}

  91.     - to_addr: {{to_addr}}

  92.     {%- endif %}

  93.     - require:

  94.       - pkg: ufw

  95.     - listen_in:

  96.       - cmd: reload-ufw

  97. 

  98.     {%- endfor %}

  99.   {%- endfor %}

  100.   

  101.   # Interfaces

  102.   {%- for interface in ufw.get('interfaces', []) %}

  103. 

  104. ufw-interface-{{interface}}:

  105.   ufw.allowed:

  106.     - interface: {{interface}}

  107.     - require:

  108.       - pkg: ufw

  109.     - listen_in:

  110.       - cmd: reload-ufw

  111. 

  112.   {%- endfor %}

  113. 

  114.   # Open

  115.   {%- for from_addr in ufw.get('open', {}).get('from_addr', []) %}

  116. 

  117. ufw-open-{{from_addr}}:

  118.   ufw.allowed:

  119.     - from_addr: {{from_addr}}

  120.     - require:

  121.       - pkg: ufw

  122.     - listen_in:

  123.       - cmd: reload-ufw

  124. 

  125.   {%- endfor %}

  126. 

  127. enable-ufw:

  128.   ufw.enabled:

  129.     - require:

  130.       - pkg: ufw

  131. 

  132. reload-ufw:

  133.   cmd.wait:

  134.     - name: ufw reload

  135. 

  136. disable-logging:

  137.   cmd.run:

  138.     - name: ufw logging off

  139.     - unless: "grep 'LOGLEVEL=off' /etc/ufw/ufw.conf"

  140. 

  141. 

  142. {% else %}

  143.   #ufw:

  144.     #ufw:

  145.       #- disabled

  146. {% endif %}