saltstack-formulas / iptables-formula
Home Page: http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html
License: Other
Hi,
just looking through your configs, and noticed this:
https://github.com/saltstack-formulas/iptables-formula/blob/master/pillar.example#L22
It would be a great feature to have the iptables.delete function integrated. You can't delete old firewall entries with this formula, yet.
commit 0e5ad0eb7a7b955414363a0abdb05fd484fd0bcc
Different to last commit only:
commit df5e9f3a53cae819cade8d01be6e12e5b3d6aaa4 (HEAD -> master, tag: v0.17.2, origin/master, origin/HEAD)
"* **debian:** ensure `netbase` package is installed "
Master:
Salt Version:
Salt: 3000
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.7.3
docker-py: Not Installed
Mako: Not Installed
pycparser: 2.19
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: 0.27.4
Python: 3.7.3 (default, Dec 20 2019, 18:57:59)
python-gnupg: Not Installed
PyZMQ: 17.1.2
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.1
System Versions:
dist: debian 10.3
locale: UTF-8
machine: i686
release: 4.19.0-8-686-pae
system: Linux
version: debian 10.3
Minion:
Salt Version:
Salt: 2018.3.4
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.7.3
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.10
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.5.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: 3.6.1
pygit2: Not Installed
Python: 3.7.3 (default, Dec 20 2019, 18:57:59)
python-gnupg: Not Installed
PyYAML: 3.13
PyZMQ: 17.1.2
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.1
System Versions:
dist: debian 10.3
locale: UTF-8
machine: i686
release: 4.19.0-8-686
system: Linux
version: debian 10.3
firewall:
install: True
enabled: True
strict: True
use_tables: True
ipv6: False
Problem in the iptables.set_policy state: it does not automatically save its changes to the file /etc/iptables/rules.v4,
and the policy resets to the default after a reboot.
pillar.sls:
firewall:
install: True
enabled: True
strict: True
use_tables: True
ipv6: False
root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 775 packets, 83519 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
985 209K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1134 packets, 155K bytes)
pkts bytes target prot opt in out source destination
root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Wed Apr 15 21:27:26 2020
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 15 21:27:26 2020
root@eeebox1test:~# salt-call -l debug state.apply iptables
[DEBUG ] Reading configuration from /etc/salt/minion
[DEBUG ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG ] Including configuration from '/etc/salt/minion.d/master.conf'
[DEBUG ] Reading configuration from /etc/salt/minion.d/master.conf
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: eeebox1test
[DEBUG ] Configuration file path: /etc/salt/minion
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG ] Grains refresh requested. Refreshing grains.
[DEBUG ] Reading configuration from /etc/salt/minion
[DEBUG ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG ] Including configuration from '/etc/salt/minion.d/master.conf'
[DEBUG ] Reading configuration from /etc/salt/minion.d/master.conf
[DEBUG ] Please install 'virt-what' to improve results of the 'virtual' grain.
[DEBUG ] Connecting to master. Attempt 1 of 1
[DEBUG ] Master URI: tcp://192.168.1.10:4506
[DEBUG ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG ] Generated random reconnect delay between '1000ms' and '11000ms' (10839)
[DEBUG ] Setting zmq_reconnect_ivl to '10839ms'
[DEBUG ] Setting zmq_reconnect_ivl_max to '11000ms'
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'clear')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG ] Decrypting the current master AES key
[DEBUG ] salt.crypt.get_rsa_key: Loading private key
[DEBUG ] salt.crypt._get_key_with_evict: Loading private key
[DEBUG ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG ] Connecting the Minion to the Master publish port, using the URI: tcp://192.168.1.10:4505
[DEBUG ] salt.crypt.get_rsa_key: Loading private key
[DEBUG ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG ] Determining pillar cache
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG ] salt.crypt.get_rsa_key: Loading private key
[DEBUG ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG ] LazyLoaded jinja.render
[DEBUG ] LazyLoaded yaml.render
[DEBUG ] LazyLoaded state.apply
[DEBUG ] LazyLoaded saltutil.is_running
[DEBUG ] LazyLoaded grains.get
[DEBUG ] LazyLoaded config.get
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG ] Gathering pillar data for state run
[DEBUG ] Finished gathering pillar data for state run
[INFO ] Loading fresh modules for state activity
[DEBUG ] LazyLoaded jinja.render
[DEBUG ] LazyLoaded yaml.render
[DEBUG ] Could not find file 'salt://iptables.sls' in saltenv 'base'
[DEBUG ] In saltenv 'base', looking at rel_path 'iptables/init.sls' to resolve 'salt://iptables/init.sls'
[DEBUG ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/init.sls' to resolve 'salt://iptables/init.sls'
[DEBUG ] compile template: /var/cache/salt/minion/files/base/iptables/init.sls
[DEBUG ] Jinja search path: ['/var/cache/salt/minion/files/base']
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG ] In saltenv 'base', looking at rel_path 'iptables/map.jinja' to resolve 'salt://iptables/map.jinja'
[DEBUG ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/map.jinja' to resolve 'salt://iptables/map.jinja'
[DEBUG ] In saltenv 'base', looking at rel_path 'iptables/defaults.yaml' to resolve 'salt://iptables/defaults.yaml'
[DEBUG ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/defaults.yaml' to resolve 'salt://iptables/defaults.yaml'
[DEBUG ] In saltenv 'base', looking at rel_path 'iptables/osfamilymap.yaml' to resolve 'salt://iptables/osfamilymap.yaml'
[DEBUG ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/osfamilymap.yaml' to resolve 'salt://iptables/osfamilymap.yaml'
[DEBUG ] LazyLoaded grains.filter_by
[DEBUG ] LazyLoaded pillar.get
[PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/iptables/init.sls' using 'jinja' renderer: 0.2414865493774414
[DEBUG ] Rendered data from file: /var/cache/salt/minion/files/base/iptables/init.sls:
# -*- coding: utf-8 -*-
# vim: ft=sls
# Firewall management module
# Install required packages for firewalling
iptables_packages:
pkg.installed:
- pkgs:
- iptables
- iptables-persistent
# If the firewall is set to strict mode, we'll need to allow some
# that always need access to anything
iptables_allow_localhost:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- source: 127.0.0.1
- save: True
# Allow related/established sessions
iptables_allow_established:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: conntrack
- ctstate: 'RELATED,ESTABLISHED'
- save: True
# Set the policy to deny everything unless defined
enable_reject_policy:
iptables.set_policy:
- table: filter
- chain: INPUT
- policy: DROP
- require:
- iptables: iptables_allow_localhost
- iptables: iptables_allow_established
[DEBUG ] Results of YAML rendering:
OrderedDict([('iptables_packages', OrderedDict([('pkg.installed', [OrderedDict([('pkgs', ['iptables', 'iptables-persistent'])])])])), ('iptables_allow_localhost', OrderedDict([('iptables.append', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('jump', 'ACCEPT')]), OrderedDict([('source', '127.0.0.1')]), OrderedDict([('save', True)])])])), ('iptables_allow_established', OrderedDict([('iptables.append', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('jump', 'ACCEPT')]), OrderedDict([('match', 'conntrack')]), OrderedDict([('ctstate', 'RELATED,ESTABLISHED')]), OrderedDict([('save', True)])])])), ('enable_reject_policy', OrderedDict([('iptables.set_policy', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('policy', 'DROP')]), OrderedDict([('require', [OrderedDict([('iptables', 'iptables_allow_localhost')]), OrderedDict([('iptables', 'iptables_allow_established')])])])])]))])
[PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/iptables/init.sls' using 'yaml' renderer: 0.03357863426208496
[DEBUG ] LazyLoaded config.option
[DEBUG ] LazyLoaded pkg.install
[DEBUG ] LazyLoaded pkg.installed
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/decorators/signature.py:31: DeprecationWarning: `formatargspec` is deprecated since Python 3.5. Use `signature` and the `Signature` object directly
*salt.utils.args.get_function_argspec(original_function)
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/path.py:265: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working if not isinstance(exes, collections.Iterable):
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/decorators/signature.py:31: DeprecationWarning: `formatargspec` is deprecated since Python 3.5. Use `signature` and the `Signature` object directly
*salt.utils.args.get_function_argspec(original_function)
[DEBUG ] LazyLoaded systemd.booted
[DEBUG ] DSC: Only available on Windows systems
[DEBUG ] Module PSGet: Only available on Windows systems
[DEBUG ] LazyLoaded platform.is_windows
[DEBUG ] Could not LazyLoad pkg.ex_mod_init: 'pkg.ex_mod_init' is not available.
[INFO ] Running state [iptables_packages] at time 09:53:26.121972
[INFO ] Executing state pkg.installed for [iptables_packages]
[DEBUG ] Could not LazyLoad pkg.resolve_capabilities: 'pkg.resolve_capabilities' is not available.
[INFO ] Executing command ['dpkg-query', '--showformat', '${Status} ${Package} ${Version} ${Architecture}', '-W'] in directory '/root'
[DEBUG ] Could not LazyLoad pkg.normalize_name: 'pkg.normalize_name' is not available.
[INFO ] All specified packages are already installed
[INFO ] Completed state [iptables_packages] at time 09:53:26.817299 (duration_in_ms=695.327)
[DEBUG ] LazyLoaded iptables.append
[INFO ] Running state [iptables_allow_localhost] at time 09:53:26.819312
[INFO ] Executing state iptables.append for [iptables_allow_localhost]
[INFO ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2038:265848]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2038:265848]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO ] iptables rule for iptables_allow_localhost already set (/usr/sbin/iptables --wait -t filter -A INPUT --source 127.0.0.1 --jump ACCEPT) for ipv4
[INFO ] Completed state [iptables_allow_localhost] at time 09:53:26.872745 (duration_in_ms=53.432)
[INFO ] Running state [iptables_allow_established] at time 09:53:26.873554
[INFO ] Executing state iptables.append for [iptables_allow_established]
[INFO ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2049:267828]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2049:267828]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO ] iptables rule for iptables_allow_established already set (/usr/sbin/iptables --wait -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT) for ipv4
[INFO ] Completed state [iptables_allow_established] at time 09:53:26.925164 (duration_in_ms=51.608)
[INFO ] Running state [enable_reject_policy] at time 09:53:26.926718
[INFO ] Executing state iptables.set_policy for [enable_reject_policy]
[INFO ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2060:269816]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2060:269816]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO ] Executing command '/usr/sbin/iptables --wait -t filter -P INPUT DROP' in directory '/root'
[DEBUG ] output:
[INFO ] {'locale': 'enable_reject_policy'}
[INFO ] Completed state [enable_reject_policy] at time 09:53:26.957670 (duration_in_ms=30.95)
[DEBUG ] File /var/cache/salt/minion/accumulator/3008306028 does not exist, no need to cleanup
[DEBUG ] LazyLoaded state.check_result
[DEBUG ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG ] LazyLoaded highstate.output
[DEBUG ] LazyLoaded nested.output
local:
----------
ID: iptables_packages
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 09:53:26.121972
Duration: 695.327 ms
Changes:
----------
ID: iptables_allow_localhost
Function: iptables.append
Result: True
Comment: iptables rule for iptables_allow_localhost already set (/usr/sbin/iptables --wait -t filter -A INPUT --source 127.0.0.1 --jump ACCEPT) for ipv4
Started: 09:53:26.819313
Duration: 53.432 ms
Changes:
----------
ID: iptables_allow_established
Function: iptables.append
Result: True
Comment: iptables rule for iptables_allow_established already set (/usr/sbin/iptables --wait -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT) for ipv4
Started: 09:53:26.873556
Duration: 51.608 ms
Changes:
----------
ID: enable_reject_policy
Function: iptables.set_policy
Result: True
Comment: Set default policy for INPUT to DROP family ipv4
Started: 09:53:26.926720
Duration: 30.95 ms
Changes:
----------
locale:
enable_reject_policy
Summary for local
------------
Succeeded: 4 (changed=1)
Failed: 0
------------
Total states run: 4
Total run time: 831.317 ms
root@eeebox1test:~#
root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Wed Apr 15 21:27:26 2020
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy DROP 776 packets, 83767 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
1252 260K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1357 packets, 183K bytes)
pkts bytes target prot opt in out source destination
So if the server reboots, the INPUT policy goes back to ACCEPT.
After iptables.set_policy the changes need to be saved to the file.
To save the changes you need to run:
root@eeebox1test:~# salt-call iptables.save
[WARNING ] /usr/lib/python3/dist-packages/salt/modules/file.py:32: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working from collections import Iterable, Mapping
local:
Wrote 1 lines to "/etc/iptables/rules.v4"
And now it is saved correctly.
root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy DROP 777 packets, 83799 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
1388 278K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1473 packets, 197K bytes)
pkts bytes target prot opt in out source destination
root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Thu Apr 16 09:49:45 2020
*filter
:INPUT DROP [777:83799]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1448:194307]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:49:45 2020
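A check for exactly the drift described above (policy changed in the kernel but not in the persisted file), as an added example that is not part of iptables-formula: it parses iptables-save output, ignores packet counters, and reports any chain policy or rule that differs between the running ruleset and /etc/iptables/rules.v4. The two dumps are constructed from the outputs quoted in this report.

```python
"""Detect drift between the running iptables ruleset and the persisted
/etc/iptables/rules.v4 (the situation reported above: set_policy changed
the kernel but not the file). Added example, not part of iptables-formula."""
import re
from dataclasses import dataclass, field

# Constructed from the issue's dumps: running ruleset after state.apply ...
RUNNING = """\
*filter
:INPUT DROP [776:83767]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1357:183000]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# ... and the persisted file, still carrying the old ACCEPT policy.
SAVED = """\
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> policy ("-" = user chain)
    rules: list = field(default_factory=list)     # "-A ..." lines, counters stripped


def parse_save(text):
    """Parse iptables-save output into {table_name: Table}; packet/byte
    counters are ignored so only policy and rule content is compared."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", raw.strip())  # drop `-c` counters
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], Table())
        elif line.startswith(":"):
            chain, policy = re.match(r":(\S+)\s+(\S+)", line).groups()
            current.policies[chain] = policy
        elif line.startswith("-A"):
            current.rules.append(line)
        elif line == "COMMIT":
            current = None
    return tables


def drift(running_text, saved_text):
    """Return human-readable differences; an empty list means the persisted
    file will reproduce the running ruleset after a reboot."""
    run, sav = parse_save(running_text), parse_save(saved_text)
    out = []
    for name in sorted(set(run) | set(sav)):
        r, s = run.get(name, Table()), sav.get(name, Table())
        for chain in sorted(set(r.policies) | set(s.policies)):
            if r.policies.get(chain) != s.policies.get(chain):
                out.append(f"{name}/{chain}: policy running={r.policies.get(chain)} "
                           f"saved={s.policies.get(chain)}")
        out += [f"{name}: rule not persisted: {x}" for x in r.rules if x not in s.rules]
        out += [f"{name}: stale persisted rule: {x}" for x in s.rules if x not in r.rules]
    return out


if __name__ == "__main__":
    for d in drift(RUNNING, SAVED):
        print("DRIFT", d)
```

On a real host, feed `iptables-save` output and the contents of /etc/iptables/rules.v4 to `drift()`; any non-empty result is something a reboot will silently undo.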
Hello,
It would be great to be able to configure icmp using this formula.
Could do something like:
firewall:
enabled: True
icmp:
ips_allow: 10.0.0.0/8
type:
- echo-request
- echo-reply
Thoughts?
When I use the simplest config from the readme, iptables rules are always appended and therefore always in the "changed" state. Is this the intended behavior, or can it be customized?
firewall:
install: True
enabled: True
strict: True
services:
ssh:
block_nomatch: False
ips_allow:
- 192.168.0.0/24
Versions report is
Salt: 2014.7.1
Python: 2.6.6 (r266:84292, Aug 12 2014, 07:57:07)
Jinja2: 2.6
M2Crypto: 0.20.1
msgpack-python: 0.1.10
msgpack-pure: Not Installed
pycrypto: 2.1.0
libnacl: Not Installed
PyYAML: 3.09
ioflo: Not Installed
PyZMQ: 13.1.0
RAET: Not Installed
ZMQ: 3.2.3
Mako: 0.7.0
OS is Debian squeeze.
I'd recommend, at least optionally via a pillar, being able to remove firewalld for e.g. CentOS/RHEL 7+:
You may also want to do the same for UFW for Ubuntu-based systems -- though it's not the system default, it can also cause runtime conflicts.
On 2016.11.5:
# salt 'ceetah1-staging' pillar.get firewall
ceetah1-staging:
----------
pillar.items
returns the correct pillar data. pillar.get worked on some of my other data. So, that's why I'm reporting here.
On 2016.11.6:
# salt 'ceetah1-staging' pillar.get firewall
ceetah1-staging:
----------
enabled:
True
install:
True
services:
----------
ssh:
----------
block_nomatch:
False
ips_allows:
- 192.168.1.0/24
protos:
- tcp
strict:
True
whitelist:
----------
networks:
----------
ips_allow:
- 192.168.1.0/24
Currently the creation of the chains is done in tandem with its rules.
On top of that, it is alphabetically sorted by chain name, which requires using prefixes on chain names like "AA" or numbering.
This is inflexible with other tooling like sshguard.
firewall:
filter:
sshguard:
policy: ACCEPT
rules: {}
INPUT:
rules:
01_sshguard:
protocol: tcp
dport: 22
jump: sshguard
Would result in:
----------
ID: rule_filter_INPUT_01_sshguard
Function: iptables.append
Result: False
Comment: Failed to set iptables rule for rule_filter_INPUT_01_sshguard.
Attempted rule was /sbin/iptables --wait -t filter -A INPUT -p tcp --dport 22 --jump sshguard for ipv4
Started: 14:54:39.433678
Duration: 266.473 ms
Changes:
As the "s" gets sorted after "I".
A more expected pattern would be that the pillar is merged and the order of inclusion is maintained.
The fix from https://github.com/mgomersbach/iptables-formula/tree/fix-chain-creation-order changes the order of chain creation to the pillar inclusion order and separates the loop of the rules so they can jump to other chains.
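A small model of the ordering problem and the fix just described, as an added example rather than the formula's own Jinja: it builds the state list from the pillar above in either alphabetical, chain-and-rules-in-tandem order (the behaviour reported) or pillar order with all chains created before any rule, then simulates applying the plan to find the first rule whose jump target does not exist yet. The state ids and the `iptables.chain_present` / `iptables.append` state names mirror what the issue shows; the plan shape is an assumption.

```python
"""Model of chain/rule ordering for a `firewall:filter:` pillar. Added example,
not code from iptables-formula; the pillar is the one from the issue."""

# Constructed pillar mirroring the report; dict insertion order is pillar order.
PILLAR = {
    "firewall": {
        "filter": {
            "sshguard": {"policy": "ACCEPT", "rules": {}},
            "INPUT": {"rules": {"01_sshguard": {"protocol": "tcp", "dport": 22,
                                                "jump": "sshguard"}}},
        }
    }
}
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}             # chains the kernel provides
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # jump targets that are not chains


def plan(pillar, table="filter", sort_chains=False):
    """Return ordered (state_id, state_function, jump_or_chain) tuples.
    sort_chains=True mimics the reported behaviour: chains sorted by name and
    each chain's rules emitted right after it. False keeps pillar order and
    creates every user-defined chain before any rule."""
    chains = pillar["firewall"][table]
    names = sorted(chains) if sort_chains else list(chains)
    steps = []

    def add_chain(chain):
        if chain not in BUILTIN:
            steps.append((f"chain_{table}_{chain}", "iptables.chain_present", chain))

    def add_rules(chain):
        for rid, rule in chains[chain].get("rules", {}).items():
            steps.append((f"rule_{table}_{chain}_{rid}", "iptables.append", rule.get("jump")))

    if sort_chains:
        for chain in names:          # chain and its rules in tandem
            add_chain(chain)
            add_rules(chain)
    else:
        for chain in names:          # all chains first ...
            add_chain(chain)
        for chain in names:          # ... then rules, which may now jump anywhere
            add_rules(chain)
    return steps


def first_dangling_jump(steps):
    """Apply the plan in order; return the id of the first rule whose jump
    target is neither built-in, a terminal target, nor a chain created earlier
    (the failure shown in the report), or None if the plan is safe."""
    present = set(BUILTIN)
    for sid, func, target in steps:
        if func == "iptables.chain_present":
            present.add(target)
        elif target and target not in present and target not in TARGETS:
            return sid
    return None


if __name__ == "__main__":
    print("sorted:", first_dangling_jump(plan(PILLAR, sort_chains=True)))
    print("pillar order:", first_dangling_jump(plan(PILLAR)))
```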
This formula completely ignores IPv6, leaving ip6tables open.
This repository is missing a LICENSE file. See https://github.com/saltstack-formulas/template-formula.
This config doesn't work:
firewall:
services:
ssh:
protos:
- udp
- tcp