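# Ensure the firewalld daemon is running and enabled at boot. Every
# firewalld.* state below drives firewall-cmd and so needs the daemon up;
# ordering relies on Salt's default file-order execution (state_auto_order),
# so keep this state first in the file.
Start firewalld:
  service.running:
    - name: firewalld
    - enable: true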
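# Custom firewalld service definition for the WireGuard listener. The UDP
# port comes from pillar; the zone that actually exposes this service is
# "external" further down. The templated value is quoted so an unexpected
# pillar value (or an empty expansion) can never be re-typed by YAML.
Configure wireguard service:
  firewalld.service:
    - name: wireguard
    - ports:
      - "{{ pillar['wireguard']['port'] }}/udp"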
# Custom firewalld service for the container registry on 5000/tcp. It is
# only enabled in the LAN-side "public" and "airgap" zones below, never in
# the WAN-facing "external" zone.
Configure container registry service:
  firewalld.service:
    - name: registry
    - ports:
      - '5000/tcp'
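# WAN-facing zone. masquerade NATs traffic leaving through the external
# interface. The prune_* flags make Salt remove any port, service, interface
# or source that is not listed here, so the lists below are the complete
# allow-list for this zone: only ssh and the custom wireguard service
# defined above are reachable from outside.
# NOTE(review): ssh is reachable from the WAN side — confirm this is
# intended. firewalld's builtin ssh service covers 22/tcp only, so a
# non-default sshd port would need an explicit ports entry here.
Configure firewalld for external interface:
  firewalld.present:
    - name: external
    - masquerade: true
    - prune_ports: true
    - prune_services: true
    - prune_interfaces: true
    - prune_sources: true
    - interfaces:
      - "{{ pillar['network']['external'] }}"
    - services:
      - ssh
      - wireguard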
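# LAN-side zone. Despite firewalld's default meaning of "public" (untrusted),
# this zone groups the internal, WireGuard, wireless and bridge interfaces
# plus every VLAN whose pillar zone is 'public', and trusts the /24 network
# of each of their addresses as a source. prune_* makes the lists below
# authoritative, and the services listed here are reachable from all of
# those networks.
# The /24 source of an address is derived by dropping its last octet
# (rsplit on '.'); the previous [0:-1] slice only produced the network
# address when the last octet was a single digit.
# The '{%-' form strips each Jinja tag's own line so the rendered list
# items stay aligned with the literal entries above them.
# NOTE(review): the /24 mask is hard-coded and addresses are assumed to be
# plain dotted-quad IPv4 — confirm against the pillar data.
Configure firewalld for public networks:
  firewalld.present:
    - name: public
    - prune_ports: true
    - prune_services: true
    - prune_interfaces: true
    - prune_sources: true
    - interfaces:
      - "{{ pillar['network']['interface'] }}"
      - "{{ pillar['wireguard']['iface'] }}"
      - "{{ pillar['network']['wireless'] }}"
      - "{{ pillar['network']['bridge'] }}"
      {%- for vlan in pillar['network']['vlan'] %}
      {%- if vlan['zone'] == 'public' %}
      - vlan.{{ vlan['id'] }}
      {%- endif %}
      {%- endfor %}
    - sources:
      - "{{ pillar['network']['ip'].rsplit('.', 1)[0] }}.0/24"
      {%- for vlan in pillar['network']['vlan'] %}
      {%- if vlan['zone'] == 'public' %}
      - "{{ vlan['address'].rsplit('.', 1)[0] }}.0/24"
      {%- endif %}
      {%- endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry
      - nfs
      - nfs3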
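# Zone for the VLANs whose pillar zone is 'airgap'. Only those VLAN
# interfaces and the /24 network of each VLAN address are members; prune_*
# makes the lists authoritative. Same service set as the LAN-side zone
# minus nfs/nfs3.
# The /24 source is derived by dropping the last octet (rsplit on '.');
# the previous [0:-1] slice only worked for single-digit last octets.
# The '{%-' form strips each Jinja tag's own line so rendered list items
# stay aligned.
# NOTE(review): /24 is hard-coded and VLAN addresses are assumed to be plain
# dotted-quad IPv4 — confirm against the pillar data.
Configure firewalld for airgap networks:
  firewalld.present:
    - name: airgap
    - prune_ports: true
    - prune_services: true
    - prune_interfaces: true
    - prune_sources: true
    - interfaces:
      {%- for vlan in pillar['network']['vlan'] %}
      {%- if vlan['zone'] == 'airgap' %}
      - vlan.{{ vlan['id'] }}
      {%- endif %}
      {%- endfor %}
    - sources:
      {%- for vlan in pillar['network']['vlan'] %}
      {%- if vlan['zone'] == 'airgap' %}
      - "{{ vlan['address'].rsplit('.', 1)[0] }}.0/24"
      {%- endif %}
      {%- endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry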
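# Enable intra-zone forwarding on the LAN-side "public" zone so traffic can
# be routed between the interfaces that zone contains. The state ID still
# names the zone "Internal" while the command targets "public"; the ID is
# referenced by the reload state below, so it is kept as-is.
# The guard queries the permanent configuration — the same one
# --add-forward modifies — instead of parsing the runtime --list-all output
# through bash and sed, which checked a different config than the one
# being changed.
Add forwarding on Internal zone:
  cmd.run:
    - name: firewall-cmd --permanent --zone=public --add-forward
    - unless: firewall-cmd --permanent --zone=public --query-forward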
# Apply the permanent forwarding change to the running firewall. Runs only
# when the forwarding state reported a change (onchanges), so an
# already-configured host is left untouched.
Reload firewalld:
  cmd.run:
    - name: 'firewall-cmd --reload'
    - onchanges:
      - cmd: Add forwarding on Internal zone