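# FirewallD pillar examples:
#
# Example pillar data for the firewalld formula. Under the `firewalld` key:
# package management for the ipset and backend tools, custom services,
# ipsets, zones (with rich rules and ports) and direct rules.
# Booleans are written as lowercase true/false (the YAML 1.2 canonical form;
# `True` still loads under PyYAML but mixes styles with `accept: true` below),
# and service ports are quoted consistently across all services so the loader
# never retypes them.
firewalld:
  enabled: true

  ipset:
    manage: true
    pkg: ipset

  # ipset:                          # Deprecated. Support for this format will be removed in future releases
  # ipsetpackage: ipset             # Deprecated. Will be removed in future releases

  backend:
    manage: true
    pkg: nftables

  # installbackend: true            # Deprecated. Will be removed in future releases
  # backendpackage: nftables        # Deprecated. Will be removed in future releases

  default_zone: public

  # Custom service definitions. Each entry carries a short name, a description,
  # the ports it opens and, optionally, kernel modules and destinations.
  services:
    sshcustom:
      short: sshcustom
      description: >-
        SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
        logging into and executing commands on remote machines. It provides
        secure encrypted communications. If you plan on accessing your
        machine remotely via SSH over a firewalled interface, enable this
        option. You need the openssh-server package installed for this
        option to be useful.
      ports:
        tcp:
          - "3232"
          - "5252"
      modules:
        - some_module_to_load
      destinations:
        ipv4:
          - 224.0.0.251
          - 224.0.0.252
        ipv6:
          - ff02::fb
          - ff02::fc

    zabbixcustom:
      short: Zabbixcustom
      description: "zabbix custom rule"
      ports:
        tcp:
          - "10051"

    salt-minion:
      short: salt-minion
      description: "salt-minion"
      ports:
        tcp:
          - "8000"

  # ipsets referenced by rich rules below (see zones.public.rich_rules).
  ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'  # quoted defensively: the value contains a colon
      # Each option is given as a single-element list in this pillar format.
      options:
        maxelem:
          - 65536
        timeout:
          - 300
        hashsize:
          - 1024
      entries:
        - 10.0.0.1

  zones:
    public:
      short: Public
      description: >-
        For use in public areas. You do not trust the other computers on
        networks to not harm your computer. Only selected incoming
        connections are accepted.
      services:
        - http
        - zabbixcustom
        - https
        - ssh
        - salt-minion
      rich_rules:
        # Accept everything from one source network. The address is written
        # in network form (host bits cleared); the original example used
        # 8.8.8.8/24, which has host bits set and is not a proper prefix.
        - family: ipv4
          source:
            address: 8.8.8.0/24
          accept: true
        # Reject sources listed in the fail2ban-ssh ipset defined above.
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
      ports:
{% if grains['id'] == 'salt.example.com' %}
        # Only the master opens the Salt publish/return ports. Gating on
        # grains['id'] is acceptable because the master checks the minion ID
        # against its accepted key; other grains are self-reported by the
        # minion and should not be used to gate firewall pillar data.
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-python
          port: 4506
          protocol: tcp
{% endif %}
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp

  # Direct rules bypass the zone model; `args` are raw iptables-style
  # arguments and are not validated by the pillar, so review them carefully.
  direct:
    chain:
      MYCHAIN:
        ipv: ipv4
        table: raw
    rule:
      INTERNETACCESS:
        ipv: ipv4
        table: filter
        chain: FORWARD
        priority: "0"
        args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
    passthrough:
      # Appends a DROP to MYCHAIN, the raw-table chain declared under `chain` above.
      MYPASSTHROUGH:
        ipv: ipv4
        args: "-t raw -A MYCHAIN -j DROP"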