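# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Example pillar for the ufw formula. Top-level sections:
#   settings     -> /etc/default/ufw style policy toggles
#   sysctl       -> kernel parameters written to the file named by ipt_sysctl
#   services     -> per-port / per-service allow, deny and limit rules
#   applications -> profiles from /etc/ufw/applications.d/
#   interfaces   -> interface-wide allow rules
ufw:
  enabled: true
  settings:
    loglevel: low
    ipv6: true
    # Policies are ufw's DEFAULT_*_POLICY values; quoted so the loader never
    # retypes them. DROP on input/forward is the deny-by-default baseline.
    default_input_policy: 'DROP'
    default_output_policy: 'ACCEPT'
    default_forward_policy: 'DROP'
    default_application_policy: 'SKIP'
    manage_builtins: false
    ipt_sysctl: '/etc/ufw/sysctl.conf'
    # Kernel helper modules loaded for the firewall (connection tracking / NAT
    # helpers for FTP and NetBIOS name service).
    ipt_modules:
      - nf_conntrack_ftp
      - nf_nat_ftp
      - nf_conntrack_netbios_ns
  sysctl:
    # Kernel IP forwarding switch; only routing/NAT hosts need 1, and
    # default_forward_policy above still decides what may be forwarded.
    # NOTE(review): presumably rendered as net/ipv4/ip_forward (and the IPv6
    # equivalent) — confirm against the formula's sysctl template.
    forwarding: 1
    # Reverse-path filtering: drop packets whose source is not routable back
    # via the receiving interface (anti-spoofing).
    rp_filter: 1
    # Refuse source-routed packets and ICMP redirects; both can be used to
    # steer traffic past the firewall.
    accept_source_route: 0
    accept_redirects: 0
    icmp_echo_ignore_broadcasts: 1
    icmp_ignore_bogus_error_responses: 1
    icmp_echo_ignore_all: 0
    # 0 leaves packets with impossible source addresses unlogged; 1 logs them,
    # which is useful detection input for spoofing attempts.
    log_martians: 0
    # 0 disables SYN cookies, i.e. the kernel's SYN-flood protection; 1 enables
    # them. Keep at 0 only if something on the host needs it off.
    tcp_syncookies: 0
    tcp_sack: 1
    # IPv6 autoconfiguration and privacy (temporary) addresses.
    ipv6_autoconf: 1
    use_tempaddr: 1
  # Keys are service names (looked up by ufw) or port specs. Every port-spec
  # key is quoted so it stays a string: bare 139 would load as an integer,
  # unlike the quoted range/list keys further down.
  services:
    # Allow 80/tcp (http) traffic from only two remote addresses.
    http:
      protocol: tcp
      from_addr:
        - 10.0.2.15
        - 10.0.2.16
      comment: Upstream loadbalancers
    # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to a specific local IP.
    https:
      protocol: tcp
      from_addr:
        - 10.0.0.0/8
      to_addr: 10.0.2.1
      comment: Intraweb portal
    # Allow a service by name; the port comes from the service name.
    smtp:
      protocol: tcp
      comment: Mail relay
    # Allow a specific port, by number.
    '139':
      protocol: tcp
      comment: Netbios
    # Deny a specific port, by number.
    '140':
      protocol: tcp
      deny: true
    # Deny everything from a specific ip address
    '*':
      protocol: tcp
      deny: true
      from_addr: 10.0.0.1
    # Deny everything from multiple ip addresses and avoid
    # conflicts with already defined service '*'
    '*/multiple':
      to_port: '*'
      protocol: tcp
      deny: true
      from_addr:
        - 10.0.0.2
        - 10.0.0.3
    # Rate-limit a specific port, by number.
    '170':
      limit: true
      protocol: tcp
      comment: Print service
    # Allow a range of ports, udp.
    "10000:20000":
      protocol: udp
      comment: We need ports, lots of ports
    # Allow two specific ports, udp.
    "30000,40000":
      protocol: udp
      comment: Game server and admin
  # Allow applications defined at /etc/ufw/applications.d/
  applications:
    OpenSSH:
      enabled: true
      comment: We are using fail2ban anyway
    # Limit access to salt master
    Saltmaster:
      limit: true
    # Deny access to Postgresql
    Postgresql:
      deny: true
  # Allow all traffic in on the specified interface
  interfaces:
    eth1:
      comment: Honey pot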