
  1. ufw:
  2. enabled: True
  3. settings:
  4. ipv6: True
  5. default_input_policy: 'DROP'
  6. default_output_policy: 'ACCEPT'
  7. default_forward_policy: 'DROP'
  8. default_application_policy: 'SKIP'
  9. manage_builtins: False
  10. ipt_sysctl: '/etc/ufw/sysctl.conf'
  11. ipt_modules:
  12. - nf_conntrack_ftp
  13. - nf_nat_ftp
  14. - nf_conntrack_netbios_ns
  15. sysctl:
  16. forwarding: 1
  17. rp_filter: 1
  18. accept_source_route: 0
  19. accept_redirects: 0
  20. icmp_echo_ignore_broadcasts: 1
  21. icmp_ignore_bogus_error_responses: 1
  22. icmp_echo_ignore_all: 0
  23. log_martians: 0
  24. tcp_syncookies: 0
  25. tcp_sack: 1
  26. ipv6_autoconf: 1
  27. use_tempaddr: 1
  28. services:
  29. # Allow 80/tcp (http) traffic from only two remote addresses.
  30. http:
  31. protocol: tcp
  32. from_addr:
  33. - 10.0.2.15
  34. - 10.0.2.16
  35. comment: Upstream loadbalancers
  36. # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.
  37. https:
  38. protocol: tcp
  39. from_addr:
  40. - 10.0.0.0/8
  41. to_addr: 10.0.2.1
  42. comment: Intraweb portal
  43. # Allow from a service port.
  44. smtp:
  45. protocol: tcp
  46. comment: Mail relay
  47. # Allow from an specific port, by number.
  48. 139:
  49. protocol: tcp
  50. comment: Netbios
  51. # Allow from a range of ports, udp.
  52. "10000:20000":
  53. protocol: udp
  54. comment: We need ports, lots of ports
  55. # Allow from two specific ports, udp.
  56. "30000,40000":
  57. protocol: udp
  58. comment: Game server and admin
  59. # Allow an application defined at /etc/ufw/applications.d/
  60. applications:
  61. OpenSSH:
  62. enabled: True
  63. comment: We are using fail2ban anyway
  64. # Allow all traffic in on the specified interface
  65. interfaces:
  66. eth1:
  67. comment: Honey pot