tlu/salt/states/firewalld/init.sls

Start firewalld:
  service.running:
    - name: firewalld
    - enable: True

Configure wireguard service:
  firewalld.service:
    - name: wireguard
    - ports:
      - {{ pillar['wireguard']['port'] }}/udp

Configure container registry service:
  firewalld.service:
    - name: registry
    - ports:
      - 5000/tcp

Configure firewalld for external interface:
  firewalld.present:
    - name: external
    - masquerade: True
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['external'] }}
    - services:
      - ssh
      - wireguard

Configure firewalld for internal network:
  firewalld.present:
    - name: internal
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['interface'] }}
      - {{ pillar['wireguard']['iface'] }}
      - {{ pillar['network']['wireless'] }}
      - {{ pillar['network']['bridge'] }}
    - sources:
      - {{ pillar['network']['ip'][0:-1] }}0/24
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry
      - nfs
      - nfs3

Configure firewalld for public networks:
  firewalld.present:
    - name: public
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      {% for vlan in pillar['network']['vlan'] -%}
      {% if vlan['zone'] == 'public' -%}
      - vlan.{{ vlan['id'] }}
      {% endif -%}
      {% endfor %}
    - sources:
      {% for vlan in pillar['network']['vlan'] -%}
      {% set ip = vlan['address'] -%}
      {% if vlan['zone'] == 'public' -%}
      - {{ ip[0:-1] }}0/24
      {% endif -%}
      {% endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry


Configure firewalld for airgap networks:
  firewalld.present:
    - name: airgap
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      {% for vlan in pillar['network']['vlan'] -%}
      {% if vlan['zone'] == 'airgap' -%}
      - vlan.{{ vlan['id'] }}
      {% endif -%}
      {% endfor %}
    - sources:
      {% for vlan in pillar['network']['vlan'] -%}
      {% set ip = vlan['address'] -%}
      {% if vlan['zone'] == 'airgap' -%}
      - {{ ip[0:-1] }}0/24
      {% endif -%}
      {% endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry

Add forwarding on Internal zone:
  cmd.run:
    - name: firewall-cmd --permanent --zone=internal --add-forward
    - unless: bash -c "if [[ \"$(firewall-cmd --zone=internal --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"

Reload firewalld:
  cmd.run:
    - name: firewall-cmd --reload
    - onchanges:
      - cmd: Add forwarding on Internal zone
. 2021-10-17 18:03:37 +00:00			`Start firewalld:`
			`service.running:`
			`- name: firewalld`
			`- enable: True`

. 2021-10-12 13:00:09 +00:00			`Configure wireguard service:`
			`firewalld.service:`
			`- name: wireguard`
			`- ports:`
			`- {{ pillar['wireguard']['port'] }}/udp`

. 2021-10-18 13:00:39 +00:00			`Configure container registry service:`
			`firewalld.service:`
			`- name: registry`
			`- ports:`
			`- 5000/tcp`

states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`Configure firewalld for external interface:`
			`firewalld.present:`
			`- name: external`
			`- masquerade: True`
			`- prune_ports: True`
			`- prune_services: True`
			`- prune_interfaces: True`
. 2021-09-23 09:50:53 +00:00			`- prune_sources: True`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`- interfaces:`
. 2021-10-17 11:55:21 +00:00			`- {{ pillar['network']['external'] }}`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`- services:`
			`- ssh`
. 2021-10-12 13:00:09 +00:00			`- wireguard`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00
. 2021-09-23 09:23:59 +00:00			`Configure firewalld for internal network:`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`firewalld.present:`
			`- name: internal`
			`- prune_ports: True`
			`- prune_services: True`
			`- prune_interfaces: True`
. 2021-09-23 09:50:53 +00:00			`- prune_sources: True`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`- interfaces:`
. 2021-10-17 11:55:21 +00:00			`- {{ pillar['network']['interface'] }}`
. 2021-10-12 13:00:09 +00:00			`- {{ pillar['wireguard']['iface'] }}`
. 2021-10-17 11:55:21 +00:00			`- {{ pillar['network']['wireless'] }}`
			`- {{ pillar['network']['bridge'] }}`
. 2021-09-23 09:50:53 +00:00			`- sources:`
. 2021-10-17 11:55:21 +00:00			`- {{ pillar['network']['ip'][0:-1] }}0/24`
. 2021-09-23 09:23:59 +00:00			`- services:`
			`- ssh`
			`- dhcp`
			`- tftp`
			`- http`
			`- https`
			`- dns`
			`- ntp`
. 2021-10-18 13:00:39 +00:00			`- registry`
. 2021-11-18 12:59:40 +00:00			`- nfs`
			`- nfs3`
. 2021-09-23 09:23:59 +00:00
. 2021-10-17 11:55:21 +00:00			`Configure firewalld for public networks:`
. 2021-09-23 09:23:59 +00:00			`firewalld.present:`
. 2021-09-23 09:50:53 +00:00			`- name: public`
. 2021-09-23 09:23:59 +00:00			`- prune_ports: True`
			`- prune_services: True`
			`- prune_interfaces: True`
. 2021-09-23 09:50:53 +00:00			`- prune_sources: True`
. 2021-09-23 09:23:59 +00:00			`- interfaces:`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`{% for vlan in pillar['network']['vlan'] -%}`
. 2021-10-17 11:55:21 +00:00			`{% if vlan['zone'] == 'public' -%}`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`- vlan.{{ vlan['id'] }}`
. 2021-10-17 11:55:21 +00:00			`{% endif -%}`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`{% endfor %}`
. 2021-09-23 09:50:53 +00:00			`- sources:`
			`{% for vlan in pillar['network']['vlan'] -%}`
			`{% set ip = vlan['address'] -%}`
. 2021-10-17 11:55:21 +00:00			`{% if vlan['zone'] == 'public' -%}`
			`- {{ ip[0:-1] }}0/24`
			`{% endif -%}`
			`{% endfor %}`
			`- services:`
			`- ssh`
			`- dhcp`
			`- tftp`
			`- http`
			`- https`
			`- dns`
			`- ntp`
. 2021-10-18 13:00:39 +00:00			`- registry`
. 2021-10-17 11:55:21 +00:00

			`Configure firewalld for airgap networks:`
			`firewalld.present:`
			`- name: airgap`
			`- prune_ports: True`
			`- prune_services: True`
			`- prune_interfaces: True`
			`- prune_sources: True`
			`- interfaces:`
			`{% for vlan in pillar['network']['vlan'] -%}`
			`{% if vlan['zone'] == 'airgap' -%}`
			`- vlan.{{ vlan['id'] }}`
			`{% endif -%}`
			`{% endfor %}`
			`- sources:`
			`{% for vlan in pillar['network']['vlan'] -%}`
			`{% set ip = vlan['address'] -%}`
			`{% if vlan['zone'] == 'airgap' -%}`
			`- {{ ip[0:-1] }}0/24`
			`{% endif -%}`
. 2021-09-23 09:50:53 +00:00			`{% endfor %}`
states for firewalld and hostname 2021-09-22 14:33:46 +00:00			`- services:`
			`- ssh`
			`- dhcp`
			`- tftp`
			`- http`
			`- https`
			`- dns`
			`- ntp`
. 2021-10-18 13:00:39 +00:00			`- registry`
. 2021-10-14 11:58:28 +00:00
			`Add forwarding on Internal zone:`
			`cmd.run:`
			`- name: firewall-cmd --permanent --zone=internal --add-forward`
			`- unless: bash -c "if [[ \"$(firewall-cmd --zone=internal --list-all \| sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"`

			`Reload firewalld:`
			`cmd.run:`
			`- name: firewall-cmd --reload`
			`- onchanges:`
			`- cmd: Add forwarding on Internal zone`