# -*- coding: utf-8 -*-
# vim: ft=yaml
---
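# FirewallD pillar examples:
#
# Everything below lives under the top-level `firewalld` pillar key. The
# sections are: global firewalld.conf settings, helper packages (ipset,
# backend), custom services, ipsets, zones and direct rules.
firewalld:
  enabled: true

  # Global settings. The key names match option names in firewalld.conf
  # (see firewalld.conf(5)). The values are quoted strings on purpose:
  # a bare yes/no/off would be read as a YAML boolean before it reaches
  # the rendered config file.
  IndividualCalls: 'no'
  # 'off' disables logging of denied packets. Anyone who needs
  # visibility into dropped/rejected traffic (e.g. for detection)
  # should pick one of the logging values documented in firewalld.conf(5).
  LogDenied: 'off'
  AutomaticHelpers: 'system'
  FirewallBackend: 'nftables'
  # Per firewalld.conf(5), 'yes' flushes all runtime configuration on
  # reload (including direct rules) and rebuilds it from the permanent
  # configuration.
  FlushAllOnReload: 'yes'
  RFC3964_IPv4: 'yes'

  # Installation of the ipset package.
  ipset:
    manage: true
    pkg: ipset
  # ipset: # Deprecated. Will be removed in future releases
  # ipsetpackag: ipset # Deprecated. Will be removed in future releases

  # Installation of the backend package; it should correspond to the
  # FirewallBackend setting above.
  backend:
    manage: true
    pkg: nftables
  # installbackend: true # Deprecated. Will be removed in future releases
  # backendpackage: nftables # Deprecated. Will be removed in future releases

  default_zone: public

  # Custom service definitions. Zones below reference these by name
  # (salt-minion, zabbixcustom).
  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
        into and executing commands on remote machines. It provides secure
        encrypted communications. If you plan on accessing your machine
        remotely via SSH over a firewalled interface, enable this option. You
        need the openssh-server package installed for this option to be useful.
      # Port numbers are quoted strings, matching the other service
      # definitions in this file.
      ports:
        tcp:
          - "3232"
          - "5252"
      # Modules to load for this service (see the firewalld service
      # file format for what is accepted here).
      modules:
        - some_module_to_load
      protocols:
        - igmp
      source_ports:
        tcp:
          - "21"
      # Destination addresses the service is limited to.
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc
    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  # ipset definitions. Each option value is given as a one-element list.
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      # Kept quoted because the value contains ':'.
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      # Initial members of the set.
      entries:
        - 10.0.0.1
    fail2ban-ssh-ipv6:
      short: fail2ban-ssh-ipv6
      description: fail2ban-ssh-ipv6 ipset
      type: 'hash:ip'
      options:
        # Needed for an IPv6 set; ipset defaults to the inet (IPv4) family.
        family:
          - inet6
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 2a01::1

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming connections
        are accepted.
      services:
        - http
        - https
        - ssh
        - salt-minion
      # Anything in zone definition ending with services will get merged into services
      other_services:
        - zabbixcustom
      protocols:
        - igmp
      # Rich rules as a list: each item is one rule.
      rich_rules:
        # NOTE: 8.8.8.8/24 has host bits set, so this accepts the whole
        # 8.8.8.0/24 network, not only the host 8.8.8.8. Write the
        # network address (8.8.8.0/24) if that is what is meant.
        - family: ipv4
          source:
            address: 8.8.8.8/24
          accept: true
        # Reject (with an ICMP error) sources listed in the fail2ban-ssh ipset.
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      ports:
        # {%- if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        # {%- endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
      source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp
    rich_public:
      short: rich_public
      description: "Example"
      # Rich rules can be specified as a dictionary. All keys from standard rich rules
      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
      # They will be auto-expanded into separate rich rules per value in the list.
      rich_rules:
        ssh-csg:
          accept: true
          ipsets:
            - fail2ban-ssh
            - other-ipset
          services:
            - ssh

  # Direct rules bypass the zone model; the arguments are handed to the
  # backend (iptables/nftables) rather than being built from the zone's
  # services, ports and rich rules. Review them like hand-written
  # iptables rules.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        # Quoted string; a bare 0 would be parsed as an integer.
        priority: "0"
        # Folded scalar: rendered as a single line of arguments.
        args: >-
          -i iintern
          -o iextern
          -s 192.168.1.0/24
          -m conntrack
          --ctstate NEW,RELATED,ESTABLISHED
          -j ACCEPT
    # Passthrough rules are raw backend arguments with no further
    # validation by firewalld.
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: >-
          -t raw
          -A MYCHAIN
          -j DROP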