saltstack-formulas/firewalld-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8d0172f5c7
firewalld-formula/pillar.example
Michal Hrusecky 8d0172f5c7
feat(zone.xml): allow more services definition inside zone 
Now multiple sections ending with `services` can be defined for each in pillar
and all of them will get merged into one service block in the zone. The goal is
to keep backward compatibility while allowing different services to be defined
in different pillars. So basically have various parts of the pillar affecting
the firewall without need to define everything centrally. Helpful for the
exceptions to the rules.
2020-02-11 15:29:11 +01:00

179 lines
4.0 KiB
YAML
Raw Blame History

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# FirewallD pillar examples:
firewalld:
enabled: true
IndividualCalls: 'no'
LogDenied: 'off'
AutomaticHelpers: 'system'
FirewallBackend: 'nftables'
FlushAllOnReload: 'yes'
RFC3964_IPv4: 'yes'
ipset:
manage: true
pkg: ipset
# ipset: # Deprecated. Will be removed in future releases
# ipsetpackag: ipset # Deprecated. Will be removed in future releases
backend:
manage: true
pkg: nftables
# installbackend: true # Deprecated. Will be removed in future releases
# backendpackage: nftables # Deprecated. Will be removed in future releases
default_zone: public
services:
sshcustom:
short: sshcustom
description: >-
SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine
remotely via SSH over a firewalled interface, enable this option. You
need the openssh-server package installed for this option to be useful.
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: "zabbix custom rule"
ports:
tcp:
- "10051"
salt-minion:
short: salt-minion
description: "salt-minion"
ports:
tcp:
- "8000"
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: 'hash:ip'
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: 'hash:ip'
options:
family:
- inet6
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 2a01::1
zones:
public:
short: Public
description: >-
For use in public areas. You do not trust the other computers on
networks to not harm your computer. Only selected incoming connections
are accepted.
services:
- http
- https
- ssh
- salt-minion
# Anything in zone definition ending with services will get merged into services
other_services:
- zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
# {%- if grains['id'] == 'salt.example.com' %}
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-python
port: 4506
protocol: tcp
# {%- endif %}
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: "0"
args: >-
-i iintern
-o iextern
-s 192.168.1.0/24
-m conntrack
--ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: >-
-t raw
-A MYCHAIN
-j DROP
Reference in New Issue View Git Blame Copy Permalink