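# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# FirewallD pillar examples:
#
# Values that firewalld.conf expects as the literal words yes/no/off are
# quoted on purpose: an unquoted `no` or `off` is loaded by YAML as a
# boolean and would be rendered as `False` instead of the word firewalld
# understands.
firewalld:
  enabled: true
  IndividualCalls: 'no'
  # 'off' leaves dropped/rejected packets out of the kernel log. Use
  # 'unicast' or 'all' when denied traffic should be visible for detection.
  LogDenied: 'off'
  AutomaticHelpers: 'system'
  FirewallBackend: 'nftables'
  # With 'yes', runtime-only changes (including runtime direct rules) do not
  # survive a reload; the permanent configuration from this pillar is
  # reapplied.
  FlushAllOnReload: 'yes'
  RFC3964_IPv4: 'yes'
  # 'no' is the safer setting: zone drifting is the legacy behaviour where a
  # packet that is not accepted by one zone can still be matched by another
  # zone's rules. Keep it 'no' unless a legacy setup depends on drifting.
  AllowZoneDrifting: 'no'

  ipset:
    manage: true
    pkg: ipset

  # ipset: # Deprecated. Will be removed in future releases
  # ipsetpackag: ipset # Deprecated. Will be removed in future releases

  backend:
    manage: true
    pkg: nftables

  # installbackend: true # Deprecated. Will be removed in future releases
  # backendpackage: nftables # Deprecated. Will be removed in future releases

  default_zone: public

  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
        into and executing commands on remote machines. It provides secure
        encrypted communications. If you plan on accessing your machine
        remotely via SSH over a firewalled interface, enable this option. You
        need the openssh-server package installed for this option to be useful.
      ports:
        tcp:
          - 3232
          - 5252
      modules:
        - some_module_to_load
      protocols:
        - igmp
      source_ports:
        tcp:
          - 21
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc

    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"
    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      # quoted: an unquoted value containing `:` risks being read as a mapping
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1
    fail2ban-ssh-ipv6:
      short: fail2ban-ssh-ipv6
      description: fail2ban-ssh-ipv6 ipset
      type: 'hash:ip'
      options:
        family:
          - inet6
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 2a01::1

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming connections
        are accepted.
      services:
        - http
        - https
        - ssh
        - salt-minion
      # Anything in zone definition ending with services will get merged into services
      other_services:
        - zabbixcustom
      protocols:
        - igmp
      rich_rules:
        - family: ipv4
          source:
            # Give the network address with the host bits cleared. A value
            # such as 8.8.8.8/24 is silently applied as the whole 8.8.8.0/24,
            # which is wider than the single host the notation suggests.
            address: 8.8.8.0/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
        # Rate-limited accept with matching log line so the limit is visible
        # in the kernel log.
        - accept:
            limit: "3/m"
          log:
            level: warning
            limit: "3/m"
            prefix: "http fw limit 3/m"
          service: http

      ports:
        # {%- if grains['id'] == 'salt.example.com' %}
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
        # {%- endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
      source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp

    rich_public:
      short: rich_public
      description: "Example"
      # Rich rules can be specified as a dictionary. All keys from standard rich rules
      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
      # They will be auto-expanded into separate rich rules per value in the list.
      rich_rules:
        http-priority:
          accept: true
          ipsets:
            - other-ipset
          priority: 15
          services:
            - http
        ssh-csg:
          accept: true
          ipsets:
            - fail2ban-ssh
            - other-ipset
          services:
            - ssh

  # Direct rules are handed to the backend ahead of firewalld's own zone
  # chains, so they are generally evaluated before the zone policy above.
  # Keep them minimal and review them with the same care as zone rules.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        # folded scalar: rendered as one argument line
        args: >-
          -i iintern
          -o iextern
          -s 192.168.1.0/24
          -m conntrack
          --ctstate NEW,RELATED,ESTABLISHED
          -j ACCEPT
    passthrough:
      MYPASSTHROUGH:
        ipv: ipv4
        args: >-
          -t raw
          -A MYCHAIN
          -j DROP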