saltstack-formulas/firewalld-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6ced9d9cfa
firewalld-formula/pillar.example
Steven Daniele cd4cec0089 feat: allow rich_rules to be specified as a dict 
When specifying rich rules as a dictionary ipsets and services can be
specified as lists. They will be expanded out by the jinja template into
individual rich rules for the parent zone.
2020-03-30 09:01:27 -04:00

194 lines
4.5 KiB
YAML
Raw Blame History

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# FirewallD pillar examples:
firewalld:
enabled: true
IndividualCalls: 'no'
LogDenied: 'off'
AutomaticHelpers: 'system'
FirewallBackend: 'nftables'
FlushAllOnReload: 'yes'
RFC3964_IPv4: 'yes'
ipset:
manage: true
pkg: ipset
# ipset: # Deprecated. Will be removed in future releases
# ipsetpackag: ipset # Deprecated. Will be removed in future releases
backend:
manage: true
pkg: nftables
# installbackend: true # Deprecated. Will be removed in future releases
# backendpackage: nftables # Deprecated. Will be removed in future releases
default_zone: public
services:
sshcustom:
short: sshcustom
description: >-
SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine
remotely via SSH over a firewalled interface, enable this option. You
need the openssh-server package installed for this option to be useful.
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: "zabbix custom rule"
ports:
tcp:
- "10051"
salt-minion:
short: salt-minion
description: "salt-minion"
ports:
tcp:
- "8000"
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: 'hash:ip'
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: 'hash:ip'
options:
family:
- inet6
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 2a01::1
zones:
public:
short: Public
description: >-
For use in public areas. You do not trust the other computers on
networks to not harm your computer. Only selected incoming connections
are accepted.
services:
- http
- https
- ssh
- salt-minion
# Anything in zone definition ending with services will get merged into services
other_services:
- zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
# {%- if grains['id'] == 'salt.example.com' %}
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-python
port: 4506
protocol: tcp
# {%- endif %}
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
short: rich_public
description: "Example"
# Rich rules can be specified as a dictionary. All keys from standard rich rules
# can be used. Special keys "ipsets" and "services", if defined, take precedence.
# They will be auto-expanded into separate rich rules per value in the list.
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: "0"
args: >-
-i iintern
-o iextern
-s 192.168.1.0/24
-m conntrack
--ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: >-
-t raw
-A MYCHAIN
-j DROP
Reference in New Issue View Git Blame Copy Permalink