From 666e2271de959515c767a991646d592c72268def Mon Sep 17 00:00:00 2001
From: jonas
Date: Wed, 24 Nov 2021 16:00:00 +0100
Subject: [PATCH] .

---
 salt/states/firewalld/init.sls | 34 +++++++---------------------------
 1 file changed, 7 insertions(+), 27 deletions(-)

diff --git a/salt/states/firewalld/init.sls b/salt/states/firewalld/init.sls
index 02d4a04..986c841 100644
--- a/salt/states/firewalld/init.sls
+++ b/salt/states/firewalld/init.sls
@@ -29,9 +29,9 @@ Configure firewalld for external interface:
 - ssh
 - wireguard
 
-Configure firewalld for internal network:
+Configure firewalld for public networks:
 firewalld.present:
- - name: internal
+ - name: public
 - prune_ports: True
 - prune_services: True
 - prune_interfaces: True
@@ -41,34 +41,13 @@ Configure firewalld for internal network:
 - {{ pillar['wireguard']['iface'] }}
 - {{ pillar['network']['wireless'] }}
 - {{ pillar['network']['bridge'] }}
- - sources:
- - {{ pillar['network']['ip'][0:-1] }}0/24
- - services:
- - ssh
- - dhcp
- - tftp
- - http
- - https
- - dns
- - ntp
- - registry
- - nfs
- - nfs3
-
-Configure firewalld for public networks:
- firewalld.present:
- - name: public
- - prune_ports: True
- - prune_services: True
- - prune_interfaces: True
- - prune_sources: True
- - interfaces:
 {% for vlan in pillar['network']['vlan'] -%}
 {% if vlan['zone'] == 'public' -%}
 - vlan.{{ vlan['id'] }}
 {% endif -%}
 {% endfor %}
 - sources:
+ - {{ pillar['network']['ip'][0:-1] }}0/24
 {% for vlan in pillar['network']['vlan'] -%}
 {% set ip = vlan['address'] -%}
 {% if vlan['zone'] == 'public' -%}
@@ -84,7 +63,8 @@ Configure firewalld for public networks:
 - dns
 - ntp
 - registry
-
+ - nfs
+ - nfs3
 
 Configure firewalld for airgap networks:
 firewalld.present:
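Review bot: Renaming the `internal` zone to `public` in this hunk, and folding the old public-zone body into it in the next, puts the LAN `/24` source, the wireguard, wireless and bridge interfaces and every VLAN tagged `public` into a single zone, so each service the zone offers is reachable from all of them alike; the third hunk then adds `nfs` and `nfs3` to that shared list next to `tftp` and `registry`. If the `public` VLANs were previously meant to get a narrower service set than the LAN, that separation no longer exists after this commit, and nothing in the state records that it is intentional. A comment above the state would make the decision reviewable, e.g. `# 'public' is the one trusted zone: LAN /24, wireless, bridge, wireguard and public VLANs all receive the same services`. The `Configure firewalld for public networks:` state body continues past the end of this hunk.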
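Review bot: The re-added source `+ - {{ pillar['network']['ip'][0:-1] }}0/24` derives the network by dropping the last character of the host address and appending `0`, which only produces the `.0` network when the last octet is a single digit (an address ending in `.15` yields `.10/24`). Since this now feeds a zone with `prune_sources: True`, a wrong value silently replaces the intended LAN source rather than failing; storing the network prefix itself in pillar (a placeholder key such as `pillar['network']['subnet']`, holding something like `192.168.1.0/24`) and rendering it directly would remove the slicing. The enclosing state starts before this hunk and ends after it.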
@@ -118,8 +98,8 @@ Configure firewalld for airgap networks:
 
 Add forwarding on Internal zone:
 cmd.run:
- - name: firewall-cmd --permanent --zone=internal --add-forward
- - unless: bash -c "if [[ \"$(firewall-cmd --zone=internal --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"
+ - name: firewall-cmd --permanent --zone=public --add-forward
+ - unless: bash -c "if [[ \"$(firewall-cmd --zone=public --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"
 
 Reload firewalld:
 cmd.run:
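Review bot: The `unless` guard inspects the runtime zone (`firewall-cmd --zone=public --list-all`) while `name` only changes the permanent configuration, so until `Reload firewalld` runs the check still sees `forward: no` and the state re-applies on every highstate; replacing the sed pipeline with `- unless: firewall-cmd --permanent --zone=public --query-forward` queries the same configuration that `name` writes and drops the fragile text parsing. Separately, with the earlier hunks moving the wireguard, wireless, bridge and public-VLAN interfaces into `public`, intra-zone forwarding now routes traffic between all of those interfaces, which is a larger change than the old per-zone setting; the state ID `Add forwarding on Internal zone:` is also stale after the rename. A comment such as `# intra-zone forwarding: every interface in 'public' can route to every other one` above the state would make that consequence visible to the next reader.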