add ipset support for firewalld

This commit is contained in:
Niels Abspoel 2016-09-03 21:43:40 +02:00
parent 68bebd6fbb
commit c5a01c837e
7 changed files with 152 additions and 8 deletions


@ -1 +1 @@
0.1.0
0.2.0


@ -2,5 +2,6 @@
# vim: ft=yaml
firewalld:
package: firewalld
ipsetpackage: ipset
service: firewalld
config: /etc/firewalld.conf

31
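--- a/firewalld/files/ipset.xml
+++ b/firewalld/files/ipset.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}>
+{%- if 'short' in ipset %}
+<short>{{ ipset.short }}</short>
+{%- endif %}
+{%- if 'description' in ipset %}
+<description>{{ ipset.description }}</description>
+{%- endif %}
+{%- if 'options' in ipset %}
+{%- if 'maxelem' in ipset.options %}
+{%- for v in ipset.options.maxelem %}
+<option name="maxelem" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'timeout' in ipset.options %}
+{%- for v in ipset.options.timeout %}
+<option name="timeout" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'hashsize' in ipset.options %}
+{%- for v in ipset.options.hashsize %}
+<option name="hashsize" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- if 'entries' in ipset %}
+{%- for v in ipset.entries %}
+<entry>{{ v }}</entry>
+{%- endfor %}
+{%- endif %}
+</ipset>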
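Review bot: The `maxelem`, `timeout` and `hashsize` options are each rendered by iterating over the option value, so the natural scalar pillar form (`maxelem: 65536`) fails to render because an int is not iterable, and a quoted scalar yields one `<option>` per character; each of these options takes a single value in firewalld, and the example pillar in this commit only works because it wraps every value in a one-element list. Any option key other than those three (for example `family`) is silently dropped, and `{{ ipset.short }}`, `{{ ipset.description }}` and the option values are emitted unescaped, so a `&` or `<` in a pillar description produces XML that firewalld cannot load — Salt's Jinja does not autoescape, so `{{ ipset.description|e }}` and `{{ ipset.short|e }}` are worth adding. The `type` attribute is optional in this template, while firewalld.ipset(5) appears to treat it as mandatory, so a set without `type` would fail at load time rather than at render time. A rewrite of the options section that accepts either a scalar or a list and iterates the known option names is below.
```jinja
{%- if 'options' in ipset %}
{%- for opt in ['maxelem', 'timeout', 'hashsize'] if opt in ipset.options %}
{%- set vals = [ipset.options[opt]] if (ipset.options[opt] is string or ipset.options[opt] is number) else ipset.options[opt] %}
{%- for v in vals %}
<option name="{{ opt }}" value="{{ v|e }}"/>
{%- endfor %}
{%- endfor %}
{%- endif %}
{# … unchanged: entries … #}
```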


@ -52,6 +52,9 @@
{%- else %}
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}"/>
{%- endif %}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
{%- endif %}
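Review bot: The new `ipset` branch and the existing `source` branch are independent, so a rule whose pillar carries both keys renders two `<source>` elements inside one `<rule>`, which firewalld will most likely reject as a rich rule with more than one source; chaining the second as `{%- elif 'source' in rule %}` (or explicitly rejecting the combination) keeps one source per rule. The ipset form also has no `invert` handling, unlike the address form directly below it; `<source ipset="{{ rule.ipset.name }}" {%- if 'invert' in rule.ipset %}invert="{{ rule.ipset.invert }}"{%- endif %}/>` keeps the two forms parallel. A rule written as `ipset: some-name` (a string rather than a mapping) would render `ipset=""` under the default Undefined, so documenting the required `name` sub-key in the pillar example would help. The enclosing rule loop starts and ends outside this hunk.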


@ -8,6 +8,7 @@
{% if salt['pillar.get']('firewalld:enabled') %}
include:
- firewalld.config
- firewalld.ipsets
- firewalld.services
- firewalld.zones

48
firewalld/ipsets.sls Normal file

@ -0,0 +1,48 @@
# == State: firewalld.ipsets
#
# This state ensures that /etc/firewalld/ipsets/ exists.
#
{% from "firewalld/map.jinja" import firewalld with context %}
{%- if salt['pillar.get']('firewalld:ipset') %}
package_ipset:
pkg.installed:
- name: {{ firewalld.ipsetpackage }}
directory_firewalld_ipsets:
file.directory: # make sure this is a directory
- name: /etc/firewalld/ipsets
- user: root
- group: root
- mode: 750
- require:
- pkg: package_firewalld # make sure package is installed
- listen_in:
- module: service_firewalld # restart service
# == Define: firewalld.ipsets
#
# This defines a ipset configuration, see firewalld.ipset (5) man page.
#
{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
{% set z_name = v.name|default(k) %}
/etc/firewalld/ipsets/{{ z_name }}.xml:
file.managed:
- name: /etc/firewalld/ipsets/{{ z_name }}.xml
- user: root
- group: root
- mode: 644
- source: salt://firewalld/files/ipset.xml
- template: jinja
- require:
- pkg: package_firewalld # make sure package is installed
- file: directory_firewalld_ipsets
- listen_in:
- module: service_firewalld # restart service
- context:
name: {{ z_name }}
ipset: {{ v }}
{% endfor %}
{%- endif %}
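Review bot: The header comment at the top of the hunk says the state only ensures `/etc/firewalld/ipsets/` exists, but the file also installs the ipset package and renders one XML file per `firewalld:ipsets` entry, and all of it is skipped unless the separate boolean pillar key `firewalld:ipset` is set — worth stating, since `ipset` versus `ipsets` is an easy slip that makes configured sets silently disappear; suggested header: `# Installs the ipset package, creates /etc/firewalld/ipsets/ and renders one ipset XML per firewalld:ipsets entry; the whole state is skipped unless pillar firewalld:ipset is true.` The `mode: 750` and `mode: 644` values are unquoted and so reach Salt as decimal integers; Salt accepts that form, but `mode: '0750'` / `mode: '0644'` keeps the octal intent explicit and avoids the YAML leading-zero trap. The directory and file states require `pkg: package_firewalld` only; adding `- pkg: package_ipset` to both `require` lists records that loading these sets depends on the ipset tooling installed a few lines above. The hunk header counts 48 lines but 43 are shown, so blank lines appear to have been dropped by the rendering and the YAML indentation is not visible here.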


@ -1,7 +1,9 @@
# CentOS7 FirewallD firewall
# FirewallD pillar examples:
firewalld:
enabled: True
ipset: True
default_zone: public
services:
sshcustom:
short: sshcustom
@ -19,13 +21,71 @@ firewalld:
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: "zabbix custom rule"
ports:
tcp:
- "10051"
salt-minion:
short: salt-minion
description: "salt-minion"
ports:
tcp:
- "8000"
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: 'hash:ip'
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
zones:
public:
short: Public
description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
services:
- http
- zabbixcustom
- https
- ssh
- dhcpv6-client
- salt-minion
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
{% if grains['id'] == 'salt.example.com' %}
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-python
port: 4506
protocol: tcp
{% endif %}
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp