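# == State: firewalld._zone
#
# Ensures /etc/firewalld/zones/ (the directory the per-zone XML files
# below are written into) exists and is owned by root:root.
#
# The mode is quoted so the YAML parser cannot reinterpret it as a
# number (a leading zero would be read as octal); Salt normalises the
# string itself.  0750 keeps the zone definitions readable by root only.
#
/etc/firewalld/zones:
  file.directory:
    - user: root
    - group: root
    - mode: '0750'
    - require:
      - pkg: firewalld           # make sure package is installed
    # A plain watch makes Salt *restart* firewalld unless the firewalld
    # service state sets `reload: True`.  A restart flushes and re-applies
    # every rule; a reload (firewall-cmd --reload) does not.  Confirm which
    # one the service state (defined elsewhere) actually does.
    - watch_in:
      - service: firewalld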
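# == Define: firewalld._zone
#
# Renders one /etc/firewalld/zones/<name>.xml per entry under the
# `firewalld:zones` pillar key (see firewalld.zone(5)).  The pillar key is
# used as the zone name unless the entry carries its own `name`; the whole
# entry is handed to salt://firewalld/files/zone.xml as `zone`.
#
# NOTE(review): the zone name is interpolated straight into a path below
# /etc/firewalld/zones/.  Pillar is operator-controlled, but a name
# containing '/' or '..' would write outside that directory, and firewalld
# itself limits the length of zone names — validate names in pillar and
# confirm the limit against the firewalld version in use.
#
{% for k, v in salt['pillar.get']('firewalld:zones', {}).items() %}
{% set z_name = v.name|default(k) %}

/etc/firewalld/zones/{{ z_name }}.xml:
  file.managed:
    - name: /etc/firewalld/zones/{{ z_name }}.xml
    - user: root
    - group: root
    - mode: '0644'              # quoted so YAML never reads it as a number
    - source: salt://firewalld/files/zone.xml
    - template: jinja
    - require:
      - pkg: firewalld          # make sure package is installed
    - watch_in:
      - service: firewalld      # restart (or reload, see the service state)
    - context:
        # Quoted so a zone called e.g. `on` or `123` stays a string.
        name: '{{ z_name }}'
        # Serialised with Salt's json filter: the bare Python repr of a dict
        # is not guaranteed to round-trip through YAML (None, embedded
        # quotes, u'' prefixes on older interpreters); JSON is valid YAML.
        zone: {{ v|json }}
{% endfor %}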
# === Parameters
#
# [*target*] can be one of {'ACCEPT', '%%REJECT%%', 'DROP'}.
#     Used to accept, reject or drop every packet that
#     doesn't match any rule (port, service, etc.).
#     Default (when target is not specified) is reject.
#     '%%REJECT%%' is the literal value firewalld expects, percent
#     signs included.  DROP discards silently while REJECT answers
#     the sender, so DROP reveals less about the host to a scanner.
# [*short*] short readable name
# [*description*] long description of zone
# [*interfaces*] list of interfaces to bind to a zone
# [*sources*] list of source addresses or source address
#     ranges ("address/mask") to bind to a zone.
#     In firewalld's zone lookup a packet is matched against source
#     bindings before interface bindings, so a permissive source-bound
#     zone takes precedence over the zone the interface is bound to —
#     keep source-bound zones tight.
# [*ports*]
#     list of ports to open
#     ports => [{
#         comment  => optional, string
#         port     => mandatory, string, e.g. '1234'
#         protocol => mandatory, string, e.g. 'tcp' },...]
# [*services*] list of predefined firewalld services
# [*icmp_blocks*] list of predefined icmp-types to block
# [*masquerade*] enable masquerading?
#     Turns on source NAT for traffic leaving this zone, i.e. the host
#     forwards packets on behalf of other machines.  Only enable it on a
#     zone that is meant to act as a gateway.
# [*forward_ports*]
#     list of ports to forward to other port and/or machine
#     forward_ports => [{
#         comment  => optional, string
#         portid   => mandatory, string, e.g. '123'
#         protocol => mandatory, string, e.g. 'tcp'
#         to_port  => mandatory to specify either to_port or/and to_addr
#         to_addr  => mandatory to specify either to_port or/and to_addr },...]
#     An entry with to_addr exposes another machine through this host;
#     per the firewalld documentation this typically requires masquerading
#     on the zone as well — check before relying on it.
# [*rich_rules*]
#     list of rich language rules (firewalld.richlanguage(5))
#     You have to specify one (and only one)
#     of {service, port, protocol, icmp_block, masquerade, forward_port}
#     and one (and only one) of {accept, reject, drop}
#     family - 'ipv4' or 'ipv6', optional, see Rule in firewalld.richlanguage(5)
#     source => { optional, see Source in firewalld.richlanguage(5)
#         address => mandatory, string, e.g. '192.168.1.0/24'
#         invert  => optional, bool, e.g. true }
#     destination => { optional, see Destination in firewalld.richlanguage(5)
#         address => mandatory, string
#         invert  => optional, bool, e.g. true }
#     service - string, see Service in firewalld.richlanguage(5)
#     port => { see Port in firewalld.richlanguage(5)
#         portid   => mandatory
#         protocol => mandatory }
#     protocol - string, see Protocol in firewalld.richlanguage(5)
#     icmp_block - string, see ICMP-Block in firewalld.richlanguage(5)
#     masquerade - bool, see Masquerade in firewalld.richlanguage(5)
#     forward_port => { see Forward-Port in firewalld.richlanguage(5)
#         portid   => mandatory
#         protocol => mandatory
#         to_port  => mandatory to specify either to_port or/and to_addr
#         to_addr  => mandatory to specify either to_port or/and to_addr }
#     log => { see Log in firewalld.richlanguage(5)
#         prefix => string, optional
#         level  => string, optional
#         limit  => string, optional, e.g. '3/s' — set one so a packet
#                   flood cannot fill the log }
#     audit => { see Audit in firewalld.richlanguage(5)
#         limit => string, optional }
#     accept - any value, e.g. true, see Action in firewalld.richlanguage(5)
#     reject => { see Action in firewalld.richlanguage(5)
#         type => string, optional }
#     drop - any value, e.g. true, see Action in firewalld.richlanguage(5)
#     Note on `invert => true`: the rule then matches every address EXCEPT
#     the one given, so an inverted source combined with `accept` opens
#     the port to the whole world minus one network.  Double-check the
#     intended direction before deploying such a rule.
#
# === Examples
#
# The examples below appear to use Puppet's resource notation
# (firewalld::zone { ... }).  With this state the same keys are supplied
# as a mapping under the `firewalld:zones` pillar key, one entry per
# zone, the entry's key (or its `name`) being the zone name.  The
# addresses used are placeholders.
#
# firewalld::zone { "custom":
#     description   => "This is an example zone",
#     services      => ["ssh", "dhcpv6-client"],
#     ports         => [{
#         comment  => "for our dummy service",
#         port     => "1234",
#         protocol => "tcp",},],
#     masquerade    => true,
#     forward_ports => [{
#         comment  => 'forward 123 to other machine',
#         portid   => '123',
#         protocol => 'tcp',
#         to_port  => '321',
#         to_addr  => '1.2.3.4',},],
#     rich_rules    => [{
#         family => 'ipv4',
#         source => {
#             address => '192.168.1.0/24',
#             invert  => true,},
#         port => {
#             portid   => '123-321',
#             protocol => 'udp',},
#         log => {
#             prefix => 'local',
#             level  => 'notice',
#             limit  => '3/s',},
#         audit => {
#             limit => '2/h',},
#         reject => {
#             type => 'icmp-host-prohibited',},
#     },],}
#