firewalld-formula/pillar.example
2018-08-25 19:05:21 -03:00

123 lines
3.1 KiB
Plaintext

# FirewallD pillar examples:
firewalld:
enabled: True
ipset:
manage: True
pkg: ipset
# ipset: # Deprecated. Support for this format will be removed in future releases
# ipsetpackag: ipset # Deprecated. Will be removed in future releases
backend:
manage: True
pkg: nftables
# installbackend: True # Deprecated. Will be removed in future releases
# backendpackage: nftables # Deprecated. Will be removed in future releases
default_zone: public
services:
sshcustom:
short: sshcustom
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: "zabbix custom rule"
ports:
tcp:
- "10051"
salt-minion:
short: salt-minion
description: "salt-minion"
ports:
tcp:
- "8000"
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: 'hash:ip'
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
zones:
public:
short: Public
description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
services:
- http
- zabbixcustom
- https
- ssh
- salt-minion
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
{% if grains['id'] == 'salt.example.com' %}
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-python
port: 4506
protocol: tcp
{% endif %}
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: "0"
args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: "-t raw -A MYCHAIN -j DROP"