salt
/
ufw-formula
forked from ExternalMirrors/ufw-formula
Watch 2
Star 0
Fork 0
Code Releases 8 Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 Commits
1 Branch
Tree: f25b404114
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f25b404114'
${ noResults }
ufw-formula/ufw/init.sls

176 lines
4.6KB
Raw Blame History 

  1. # UFW management module

  2. {%- set ufw = pillar.get('ufw', {}) %}

  3. {%- if ufw.get('enabled', False) %}

  4. {% from "ufw/map.jinja" import ufwmap with context %}

  5. {% set default_template = ufw.get('default_template', 'salt://ufw/templates/default.jinja') -%}

  6. {% set sysctl_template = ufw.get('sysctl_template', 'salt://ufw/templates/sysctl.jinja') -%}

  7. {% set settings_cfg = ufw.get('settings', {}) -%}

  8. {% set loglevel = settings_cfg.get('loglevel', 'low') -%}

  9. 

  10. ufw:

  11.   pkg.installed:

  12.     - name: {{ ufwmap.pkg }}

  13.   service.running:

  14.     - enable: True

  15.     - watch:

  16.       - file: /etc/default/ufw

  17.       - file: /etc/ufw/sysctl.conf

  18. 

  19. /etc/default/ufw:

  20.   file.managed:

  21.     - template: jinja

  22.     - user: root

  23.     - group: root

  24.     - mode: 644

  25.     - source: {{ default_template }}

  26. 

  27. /etc/ufw/sysctl.conf:

  28.   file.managed:

  29.     - template: jinja

  30.     - user: root

  31.     - group: root

  32.     - mode: 644

  33.     - source: {{ sysctl_template }}

  34. 

  35. /etc/ufw/applications.d:

  36.   file.recurse:

  37.     - user: root

  38.     - group: root

  39.     - file_mode: 644

  40.     - clean: False

  41.     - source: salt://ufw/files/applications.d

  42. 

  43.   # services

  44.   {%- for service_name, service_details in ufw.get('services', {}).items() %}

  45. 

  46.     {%- set from_addr_raw = service_details.get('from_addr', [None]) -%}

  47.     {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw -%}

  48. 

  49.     {%- for from_addr in from_addrs %}

  50.       {%- set protocol  = service_details.get('protocol', None) %}

  51.       {%- set deny      = service_details.get('deny', None) %}

  52.       {%- set limit     = service_details.get('limit', None) %}

  53.       {%- set method    = 'deny' if deny else ('limit' if limit else 'allow') -%}

  54.       {%- set from_port = service_details.get('from_port', None) %}

  55.       {%- set to_addr   = service_details.get('to_addr', None) %}

  56.       {%- set to_port   = service_details.get('to_port', service_name) %}

  57.       {%- set comment   = service_details.get('comment', None) %}

  58. 

  59. ufw-svc-{{method}}-{{service_name}}-{{from_addr}}:

  60.   ufw.{{method}}:

  61.     {%- if protocol != None %}

  62.     - protocol: {{protocol}}

  63.     {%- endif %}

  64.     {%- if from_addr != None %}

  65.     - from_addr: {{from_addr}}

  66.     {%- endif %}

  67.     {%- if from_port != None %}

  68.     - from_port: "{{from_port}}"

  69.     {%- endif %}

  70.     {%- if to_addr != None %}

  71.     - to_addr: {{to_addr}}

  72.     {%- endif %}

  73.     {%- if comment != None %}

  74.     - comment: '"{{comment}}"'

  75.     {%- endif %}

  76.     - to_port: "{{to_port}}"

  77.     - require:

  78.       - pkg: ufw

  79.     - listen_in:

  80.       - cmd: reload-ufw

  81. 

  82.     {%- endfor %}

  83. 

  84.   {%- endfor %}

  85. 

  86.   # Applications

  87.   {%- for app_name, app_details in ufw.get('applications', {}).items() %}

  88. 

  89.     {%- set from_addr_raw = app_details.get('from_addr', [None]) -%}

  90.     {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw -%}

  91. 

  92.     {%- for from_addr in from_addrs %}

  93.       {%- set deny    = app_details.get('deny', None) %}

  94.       {%- set limit   = app_details.get('limit', None) %}

  95.       {%- set method  = 'deny' if deny else ('limit' if limit else 'allow') -%}

  96.       {%- set to_addr = app_details.get('to_addr', None) %}

  97.       {%- set comment = app_details.get('comment', None) %}

  98. 

  99. {%- if from_addr != None%}

  100. ufw-app-{{method}}-{{app_name}}-{{from_addr}}:

  101. {%- else %}

  102. ufw-app-{{method}}-{{app_name}}:

  103. {%- endif %}

  104.   ufw.{{method}}:

  105.     - app: '"{{app_name}}"'

  106.     {%- if from_addr != None %}

  107.     - from_addr: {{from_addr}}

  108.     {%- endif %}

  109.     {%- if to_addr != None %}

  110.     - to_addr: {{to_addr}}

  111.     {%- endif %}

  112.     {%- if comment != None %}

  113.     - comment: '"{{comment}}"'

  114.     {%- endif %}

  115.     - require:

  116.       - pkg: ufw

  117.     - listen_in:

  118.       - cmd: reload-ufw

  119. 

  120.     {%- endfor %}

  121.   {%- endfor %}

  122. 

  123.   # Interfaces

  124.   {%- for interface_name, interface_details in ufw.get('interfaces', {}).items() %}

  125.     {%- set comment = interface_details.get('comment', None) %}

  126. 

  127. ufw-interface-{{interface_name}}:

  128.   ufw.allowed:

  129.     - interface: {{interface_name}}

  130.     {%- if comment != None %}

  131.     - comment: '"{{comment}}"'

  132.     {%- endif %}

  133.     - require:

  134.       - pkg: ufw

  135.     - listen_in:

  136.       - cmd: reload-ufw

  137. 

  138.   {%- endfor %}

  139. 

  140.   # Open

  141.   {%- for open_addr, open_details in ufw.get('open', {}).items() %}

  142.     {%- set comment = open_details.get('comment', None) %}

  143. 

  144. ufw-open-{{open_addr}}:

  145.   ufw.allowed:

  146.     - from_addr: {{open_addr}}

  147.     {%- if comment != None %}

  148.     - comment: '"{{comment}}"'

  149.     {%- endif %}

  150.     - require:

  151.       - pkg: ufw

  152.     - listen_in:

  153.       - cmd: reload-ufw

  154. 

  155.   {%- endfor %}

  156. 

  157. enable-ufw:

  158.   ufw.enabled:

  159.     - require:

  160.       - pkg: ufw

  161. 

  162. reload-ufw:

  163.   cmd.wait:

  164.     - name: ufw reload

  165. 

  166. set-logging:

  167.   cmd.run:

  168.     - name: ufw logging {{ loglevel }}

  169.     - unless: "grep 'LOGLEVEL={{ loglevel }}' /etc/ufw/ufw.conf"

  170. 

  171. {% else %}

  172.   #ufw:

  173.     #ufw:

  174.       #- disabled

  175. {% endif %}