add ipset support for firewalld
This commit is contained in:
parent
68bebd6fbb
commit
c5a01c837e
@ -2,5 +2,6 @@
|
||||
# vim: ft=yaml
|
||||
firewalld:
|
||||
package: firewalld
|
||||
ipsetpackage: ipset
|
||||
service: firewalld
|
||||
config: /etc/firewalld.conf
|
||||
|
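--- /dev/null
+++ b/firewalld/files/ipset.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}>
+{%- if 'short' in ipset %}
+<short>{{ ipset.short }}</short>
+{%- endif %}
+{%- if 'description' in ipset %}
+<description>{{ ipset.description }}</description>
+{%- endif %}
+{%- if 'options' in ipset %}
+{%- if 'maxelem' in ipset.options %}
+{%- for v in ipset.options.maxelem %}
+<option name="maxelem" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'timeout' in ipset.options %}
+{%- for v in ipset.options.timeout %}
+<option name="timeout" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'hashsize' in ipset.options %}
+{%- for v in ipset.options.hashsize %}
+<option name="hashsize" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- if 'entries' in ipset %}
+{%- for v in ipset.entries %}
+<entry>{{ v }}</entry>
+{%- endfor %}
+{%- endif %}
+</ipset>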
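Review bot: The values interpolated at `type=`, `<short>` and `<description>` go into the XML unescaped, so a pillar description containing `&` or `<` yields a file firewalld's XML reader cannot parse and the ipset is lost at reload time. Jinja's built-in escape filter covers this without any other change: `type="{{ ipset.type|e }}"`, `<short>{{ ipset.short|e }}</short>`, `<description>{{ ipset.description|e }}</description>`, and the same filter belongs on the `<entry>` and option values. Separately, as far as I can tell from firewalld.ipset(5) the `type` attribute is mandatory, yet the template quietly emits a bare `<ipset>` when the pillar omits it; either failing the render at that point or stating in a header comment that `type` is required would surface the mistake at state time rather than in the firewalld log.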
@ -52,6 +52,9 @@
|
||||
{%- else %}
|
||||
<rule>
|
||||
{%- endif %}
|
||||
{%- if 'ipset' in rule %}
|
||||
<source ipset="{{ rule.ipset.name }}"/>
|
||||
{%- endif %}
|
||||
{%- if 'source' in rule %}
|
||||
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
|
||||
{%- endif %}
|
||||
|
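Review bot: The new `{%- if 'ipset' in rule %}` branch is independent of the `{%- if 'source' in rule %}` immediately below it, so a rule that carries both keys renders two `<source>` elements inside one `<rule>`, which firewalld's zone loader, as I read it, rejects as an invalid rich rule; changing the second branch to `{%- elif 'source' in rule %}` (and saying in the header which key wins) keeps the template from producing that. The ipset source also lacks the `invert` handling the address form has one line later; `<source ipset="{{ rule.ipset.name }}" {%- if 'invert' in rule.ipset %}invert="{{ rule.ipset.invert }}"{%- endif %}/>` brings the two in line. The enclosing `<rule>` element is opened above this hunk and closed after it.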
@ -8,6 +8,7 @@
|
||||
{% if salt['pillar.get']('firewalld:enabled') %}
|
||||
include:
|
||||
- firewalld.config
|
||||
- firewalld.ipsets
|
||||
- firewalld.services
|
||||
- firewalld.zones
|
||||
|
||||
|
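--- /dev/null
+++ b/firewalld/ipsets.sls
@@ -0,0 +1,48 @@
+# == State: firewalld.ipsets
+#
+# This state ensures that /etc/firewalld/ipsets/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+{%- if salt['pillar.get']('firewalld:ipset') %}
+package_ipset:
+pkg.installed:
+- name: {{ firewalld.ipsetpackage }}
+
+directory_firewalld_ipsets:
+file.directory: # make sure this is a directory
+- name: /etc/firewalld/ipsets
+- user: root
+- group: root
+- mode: 750
+- require:
+- pkg: package_firewalld # make sure package is installed
+- listen_in:
+- module: service_firewalld # restart service
+
+# == Define: firewalld.ipsets
+#
+# This defines a ipset configuration, see firewalld.ipset (5) man page.
+#
+{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
+{% set z_name = v.name|default(k) %}
+
+/etc/firewalld/ipsets/{{ z_name }}.xml:
+file.managed:
+- name: /etc/firewalld/ipsets/{{ z_name }}.xml
+- user: root
+- group: root
+- mode: 644
+- source: salt://firewalld/files/ipset.xml
+- template: jinja
+- require:
+- pkg: package_firewalld # make sure package is installed
+- file: directory_firewalld_ipsets
+- listen_in:
+- module: service_firewalld # restart service
+- context:
+name: {{ z_name }}
+ipset: {{ v }}
+
+{% endfor %}
+{%- endif %}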
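Review bot: The `ipset: {{ v }}` line under `context` renders the pillar entry with Python's dict repr and relies on that text still being valid YAML when Salt parses the rendered state; that holds for the plain ASCII values in the example but not in general (a description containing both quote characters, or values that repr as `u'...'` under Python 2, will either break the render or silently change the value). Serialising explicitly, `ipset: {{ v | yaml }}` (or `{{ v | json }}`, if the Salt release in use provides those filters), makes the hand-off well defined. Two smaller points: `name: {{ z_name }}` is passed to the template but nothing in `ipset.xml` reads it, and `- mode: 750` / `- mode: 644` are bare integers that YAML parses as decimal numbers — quoting them as `'0750'` and `'0644'` avoids the YAML 1.1 octal trap the moment someone adds a leading zero. The header comment would also read better as `# This defines an ipset configuration, see the firewalld.ipset(5) man page.`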
@ -1,7 +1,9 @@
|
||||
# CentOS7 FirewallD firewall
|
||||
# FirewallD pillar examples:
|
||||
firewalld:
|
||||
enabled: True
|
||||
ipset: True
|
||||
default_zone: public
|
||||
|
||||
services:
|
||||
sshcustom:
|
||||
short: sshcustom
|
||||
@ -19,13 +21,71 @@ firewalld:
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
|
||||
zabbixcustom:
|
||||
short: Zabbixcustom
|
||||
description: "zabbix custom rule"
|
||||
ports:
|
||||
tcp:
|
||||
- "10051"
|
||||
salt-minion:
|
||||
short: salt-minion
|
||||
description: "salt-minion"
|
||||
ports:
|
||||
tcp:
|
||||
- "8000"
|
||||
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
short: fail2ban-ssh
|
||||
description: fail2ban-ssh ipset
|
||||
type: 'hash:ip'
|
||||
options:
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
hashsize:
|
||||
- 1024
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
|
||||
|
||||
zones:
|
||||
public:
|
||||
short: Public
|
||||
description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
|
||||
services:
|
||||
- http
|
||||
- zabbixcustom
|
||||
- https
|
||||
- ssh
|
||||
- dhcpv6-client
|
||||
|
||||
- salt-minion
|
||||
rich_rules:
|
||||
- family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
accept: true
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
ports:
|
||||
{% if grains['id'] == 'salt.example.com' %}
|
||||
- comment: salt-master
|
||||
port: 4505
|
||||
protocol: tcp
|
||||
- comment: salt-python
|
||||
port: 4506
|
||||
protocol: tcp
|
||||
{% endif %}
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
|
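Review bot: The `fail2ban-ssh` example combines `timeout: 300` with a static `entries` list, and as far as I recall firewalld does not accept entries for an ipset that carries the timeout option, so the example as written would not load; dropping one of the two gives a working reference, and a comment such as `# entries cannot be combined with the timeout option; fail2ban adds them at runtime` would explain the choice. Worth confirming against firewalld.ipset(5) before changing it. The ipset rich rule under `public` also depends on `firewalld.ipsets` having written the set, which only happens when `firewalld:ipset: True` is set as it is here; a one-line comment above `ipsets:` noting that dependency would save readers who copy just the `zones` part.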