Saltstack Official UFW Formula


  1. # UFW management module
  2. {%- set ufw = pillar.get('ufw', {}) %}
  3. {%- if ufw.get('enabled', False) %}
  4. {% from "ufw/map.jinja" import ufwmap with context %}
  5. {% set default_template = ufw.get('default_template', 'salt://ufw/templates/default.jinja') -%}
  6. {% set sysctl_template = ufw.get('sysctl_template', 'salt://ufw/templates/sysctl.jinja') -%}
  7. {% set settings_cfg = ufw.get('settings', {}) -%}
  8. {% set loglevel = settings_cfg.get('loglevel', 'low') -%}
  9. ufw:
  10. pkg.installed:
  11. - name: {{ ufwmap.pkg }}
  12. service.running:
  13. - enable: True
  14. - watch:
  15. - file: /etc/default/ufw
  16. - file: /etc/ufw/sysctl.conf
  17. /etc/default/ufw:
  18. file.managed:
  19. - template: jinja
  20. - user: root
  21. - group: root
  22. - mode: 644
  23. - source: {{ default_template }}
  24. /etc/ufw/sysctl.conf:
  25. file.managed:
  26. - template: jinja
  27. - user: root
  28. - group: root
  29. - mode: 644
  30. - source: {{ sysctl_template }}
  31. /etc/ufw/applications.d:
  32. file.recurse:
  33. - user: root
  34. - group: root
  35. - file_mode: 644
  36. - clean: False
  37. - source: salt://ufw/files/applications.d
  38. # services
  39. {%- for service_name, service_details in ufw.get('services', {}).items() %}
  40. {%- set from_addr_raw = service_details.get('from_addr', [None]) -%}
  41. {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw -%}
  42. {%- for from_addr in from_addrs %}
  43. {%- set protocol = service_details.get('protocol', None) %}
  44. {%- set deny = service_details.get('deny', None) %}
  45. {%- set limit = service_details.get('limit', None) %}
  46. {%- set method = 'deny' if deny else ('limit' if limit else 'allow') -%}
  47. {%- set from_port = service_details.get('from_port', None) %}
  48. {%- set to_addr = service_details.get('to_addr', None) %}
  49. {%- set comment = service_details.get('comment', None) %}
  50. ufw-svc-{{method}}-{{service_name}}-{{from_addr}}:
  51. ufw.{{method}}:
  52. {%- if protocol != None %}
  53. - protocol: {{protocol}}
  54. {%- endif %}
  55. {%- if from_addr != None %}
  56. - from_addr: {{from_addr}}
  57. {%- endif %}
  58. {%- if from_port != None %}
  59. - from_port: "{{from_port}}"
  60. {%- endif %}
  61. {%- if to_addr != None %}
  62. - to_addr: {{to_addr}}
  63. {%- endif %}
  64. {%- if comment != None %}
  65. - comment: '"{{comment}}"'
  66. {%- endif %}
  67. - to_port: "{{service_name}}"
  68. - require:
  69. - pkg: ufw
  70. - listen_in:
  71. - cmd: reload-ufw
  72. {%- endfor %}
  73. {%- endfor %}
  74. # Applications
  75. {%- for app_name, app_details in ufw.get('applications', {}).items() %}
  76. {%- set from_addr_raw = app_details.get('from_addr', [None]) -%}
  77. {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw -%}
  78. {%- for from_addr in from_addrs %}
  79. {%- set deny = app_details.get('deny', None) %}
  80. {%- set limit = app_details.get('limit', None) %}
  81. {%- set method = 'deny' if deny else ('limit' if limit else 'allow') -%}
  82. {%- set to_addr = app_details.get('to_addr', None) %}
  83. {%- set comment = app_details.get('comment', None) %}
  84. {%- if from_addr != None%}
  85. ufw-app-{{method}}-{{app_name}}-{{from_addr}}:
  86. {%- else %}
  87. ufw-app-{{method}}-{{app_name}}:
  88. {%- endif %}
  89. ufw.{{method}}:
  90. - app: '"{{app_name}}"'
  91. {%- if from_addr != None %}
  92. - from_addr: {{from_addr}}
  93. {%- endif %}
  94. {%- if to_addr != None %}
  95. - to_addr: {{to_addr}}
  96. {%- endif %}
  97. {%- if comment != None %}
  98. - comment: '"{{comment}}"'
  99. {%- endif %}
  100. - require:
  101. - pkg: ufw
  102. - listen_in:
  103. - cmd: reload-ufw
  104. {%- endfor %}
  105. {%- endfor %}
  106. # Interfaces
  107. {%- for interface_name, interface_details in ufw.get('interfaces', {}).items() %}
  108. {%- set comment = interface_details.get('comment', None) %}
  109. ufw-interface-{{interface_name}}:
  110. ufw.allowed:
  111. - interface: {{interface_name}}
  112. {%- if comment != None %}
  113. - comment: '"{{comment}}"'
  114. {%- endif %}
  115. - require:
  116. - pkg: ufw
  117. - listen_in:
  118. - cmd: reload-ufw
  119. {%- endfor %}
  120. # Open
  121. {%- for open_addr, open_details in ufw.get('open', {}).items() %}
  122. {%- set comment = open_details.get('comment', None) %}
  123. ufw-open-{{open_addr}}:
  124. ufw.allowed:
  125. - from_addr: {{open_addr}}
  126. {%- if comment != None %}
  127. - comment: '"{{comment}}"'
  128. {%- endif %}
  129. - require:
  130. - pkg: ufw
  131. - listen_in:
  132. - cmd: reload-ufw
  133. {%- endfor %}
  134. enable-ufw:
  135. ufw.enabled:
  136. - require:
  137. - pkg: ufw
  138. reload-ufw:
  139. cmd.wait:
  140. - name: ufw reload
  141. set-logging:
  142. cmd.run:
  143. - name: ufw logging {{ loglevel }}
  144. - unless: "grep 'LOGLEVEL={{ loglevel }}' /etc/ufw/ufw.conf"
{% else %}
# ufw:enabled is false or unset: nothing is rendered. This does not turn an
# already-enabled firewall off or remove rules applied by earlier runs; that
# has to be done explicitly. The disabled state is left commented out below.
#ufw:
#ufw:
#- disabled
{% endif %}