mc_firewalld / firewalld functions
- mc_states.modules.mc_firewalld.add_aliased_interfaces(data=None)
  Mark interface aliases as belonging, by default, to the same interface they are attached to.
- mc_states.modules.mc_firewalld.add_natted_networks(data=None)
  Add NAT rules, where possible, on non-public zones.
- mc_states.modules.mc_firewalld.complete_rich_rules(rules=None, rule=None, family=None, destinations=None, icmp_block=None, masquerade=None, sources=None, protocols=None, ports=None, forward_ports=None, services=None, endrule=None, audit=None, log=None, log_prefix=None, log_level=None, limit=None, action=None)
  Subroutine of the rich rule helper.
- mc_states.modules.mc_firewalld.rich_rules(family='ipv4', sources=None, source=None, destinations=None, destination=None, services=None, service=None, ports=None, port=None, audit=None, log=None, log_prefix=None, log_level=None, forward_ports=None, forward_port=None, limit=None, icmp_block=None, masquerade=False, action='accept', public_ips=None, protocols=None)
  Helper to generate rich rules compatible with firewalld; see firewalld.richlanguage(5) (man).
  - public_ips
    firewalld implements forward-port rules with packet marking: every packet matching the rule's port and source/destination is marked. As a consequence, all traffic matching such a rule's port on the public zone is redirected to the rule's target address instead of its real destination. To NAT services correctly without also capturing outgoing traffic to the same ports from network branches inside the NAT, we limit the scope of the forward rules to the public-facing IPs of the underlying host. As is nearly always the case with NATed services, this also means that hosts inside the NAT cannot reach the services the way an outside client would. Concretely, for forward ports we only apply the rule to the public-facing addresses (the addresses of interfaces attached to public zones), by restricting the rule's destinations to those addresses.
    public_ips is a list of IPs; if empty or None, it is computed from the host's network information.
    To disable the destination restriction, set public_ips to False.

        rich_rules(forward_port={'port': '12', 'addr': '1.2.3.4'}, port='22')
        rich_rules(forward_port={'port': '12', 'addr': '1.2.3.4'}, port='22', destination='x.x.x.x')
        rich_rules(masquerade=True, source='x.x.x.x', destination='x.x.x.x')
        rich_rules(source='address="1.2.3.4"', port='22', action='drop')
        rich_rules(destination='address="1.2.3.4"', port='22', audit=True, action='drop')
        rich_rules(destination='address="1.2.3.4"', port={'port': '22', 'protocol': 'tcp'})
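The following is an added illustration and not the mc_firewalld module's own code: a simplified rich-rule generator showing how the public_ips behaviour described above can be implemented, emitting one forward-port rule per public-facing destination address and dropping that restriction when public_ips is False. The output strings follow the firewalld.richlanguage(5) grammar. The function name build_rich_rules, the helper _element and the SAMPLE_PUBLIC_IPS stand-in for the host network lookup are assumptions made for this example.

```python
"""Added illustration, not the mc_firewalld module's own code: a simplified
rich-rule generator that scopes forward-port rules to a host's public-facing
addresses, as the public_ips parameter above describes.  Output strings follow
the firewalld.richlanguage(5) grammar.  build_rich_rules(), _element() and
SAMPLE_PUBLIC_IPS are assumptions made for this example."""

# Constructed stand-in for the addresses the module would compute from host
# network information when public_ips is None or empty (documentation range).
SAMPLE_PUBLIC_IPS = ['203.0.113.10', '203.0.113.11']


def _element(keyword, **attrs):
    """Render one rich-language element, e.g. forward-port port="1122" protocol="tcp".
    Underscores in attribute names become dashes (to_port -> to-port)."""
    return ' '.join([keyword] + ['%s="%s"' % (k.replace('_', '-'), v)
                                 for k, v in attrs.items()])


def build_rich_rules(family='ipv4', source=None, destination=None,
                     port=None, protocol='tcp', forward_port=None,
                     masquerade=False, log=False, limit=None, audit=False,
                     action='accept', public_ips=None):
    """Return firewalld rich rule strings for the given parameters.

    source / destination are raw rich-language fragments such as
    'address="1.2.3.4"' or 'not address="10.0.0.0/8"'.
    forward_port is a dict with keys port, to_port, to_addr (and optionally
    protocol).  For forward ports, one rule per public-facing address is
    emitted, so the redirect never captures traffic bound elsewhere;
    public_ips=False disables that restriction, as documented above.
    """
    elements = [e for e in (port, forward_port, masquerade) if e]
    if len(elements) != 1:
        raise ValueError('exactly one of port, forward_port, masquerade is required')

    if forward_port and public_ips is not False and not destination:
        # assumed stand-in for the host network lookup
        ips = list(public_ips or SAMPLE_PUBLIC_IPS)
        destinations = ['address="%s"' % ip for ip in ips]
    else:
        destinations = [destination]

    rules = []
    for dest in destinations:
        parts = ['rule', 'family="%s"' % family]
        if source:
            parts.append('source ' + source)
        if dest:
            parts.append('destination ' + dest)
        if port:
            parts.append(_element('port', port=port, protocol=protocol))
        elif forward_port:
            parts.append(_element('forward-port', port=forward_port['port'],
                                  protocol=forward_port.get('protocol', 'tcp'),
                                  to_port=forward_port['to_port'],
                                  to_addr=forward_port['to_addr']))
        else:
            parts.append('masquerade')
        if log:
            parts.append('log' + (' limit value="%s"' % limit if limit else ''))
        if audit:
            parts.append('audit')
        # forward-port and masquerade are actions in their own right; firewalld
        # refuses an explicit accept/drop/reject on those elements
        if port:
            parts.append(action)
        rules.append(' '.join(parts))
    return rules


if __name__ == '__main__':
    for r in build_rich_rules(forward_port={'port': 1122, 'to_addr': '10.0.0.4', 'to_port': 22}):
        print(r)
    print(build_rich_rules(port=22, action='drop', log=True, limit='1/m')[0])
    print(build_rich_rules(masquerade=True, source='address="10.0.0.0/24"')[0])
```

Passing an explicit destination keeps the rule at a single destination, mirroring the second docstring example; the masquerade call shows the source-scoped form that the NOTE at the end of this page asks for instead of a zone-wide masquerade.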
- mc_states.modules.mc_firewalld.search_aliased_interfaces(data=None)
  Add public interfaces as candidates for aliased zones, to support common IP failover scenarios.
- mc_states.modules.mc_firewalld.settings()
  firewalld settings

  - makina-states.services.firewalld.enabled
    set to true to activate firewalld
  - DESIGN
    All services, forward ports, ports, etc. are set via rich rules, to allow fine-grained selection of source and destination variations.
  GLOBAL SETTINGS
  - permissive_mode
    force all traffic to be accepted
  - allow_local
    force all traffic from RFC 1918 addresses to be accepted
  - public_interfaces
    internet-facing interfaces
  - internal_interfaces
    interfaces wired to the internal network, with few restrictions
  - public_services
    services to allow
  - restricted_services
    services to block
  - <XXX>-direct
    direct rules
  - <XXX>-passthrough
    direct/passthrough rules (not implemented yet)
  - services
    list of services to define
  - zones
    mapping of zone definitions
  PER ZONE SETTINGS
  You can configure zone settings via entries in the zone pillar.
  - default_policy
    enforce a policy. Note that in firewalld, anything matching no rule is dropped, so there is no need to force reject; it is even harmful, as it prevents any further rich rules from getting a chance to apply!
  - interfaces
    interfaces to add to the zone
  - XXX-rules
    rich rules

  For example, to add some rich rules to a zone in pillar: all
  makina-states.services.firewall.firewalld.zones.public.rules<id>
  entries are merged.

      makina-states.services.firewall.firewalld.zones.public.rules-foo:
        {% for i in salt['mc_firewalld.rich_rules'](port=22, action='drop') %}
        - {{i}}
        {% endfor %}
        {% for i in salt['mc_firewalld.rich_rules'](forward_port={'port': 1122, 'to_addr': '1.2.3.4', 'to_port': 22}) %}
        - {{i}}
        {% endfor %}
      makina-states.services.firewall.firewalld.zones.public.rules-bar:
        - 'rule service name="ftp" log limit value="1/m" audit accept'
        {% for i in salt['mc_firewalld.rich_rules'](port=22, destinations=['127.0.0.1'], action='drop') %}
        - {{i}}
        {% endfor %}
        {% for i in salt['mc_firewalld.rich_rules'](port=22, destinations=['not address="127.0.0.2"'], action='drop') %}
        - {{i}}
        {% endfor %}
  Whitelist some services:

      makina-states.services.firewall.firewalld.public_services-append:
        - smtp

  Change whitelisted services:

      makina-states.services.firewall.firewalld.public_services: [http]

  Define a new service:

      makina-states.services.firewall.firewalld.services.foo:
        port: [{protocol: tcp, port: 2222}]
  - NOTE
    DO NOT ACTIVATE MASQUERADING, IT CATCHES FAR TOO MUCH TRAFFIC.
    PLEASE USE APPROPRIATELY RESTRICTIVE RICH MASQUERADE RULES.
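As an added example that is not part of makina-states, here is an audit pass over a zone's rich rules that flags the configurations the NOTE above warns about: a zone-wide masquerade, a masquerade rich rule with no source or destination scope, and a forward-port rule that is not limited to a destination (the restriction the public_ips parameter of rich_rules exists to enforce). The zone dict layout, the names parse_rich_rule and audit_zone, and the sample rules in SAMPLE_ZONE are constructed for this example.

```python
"""Added example, not part of makina-states: a small audit over a zone's rich
rules that flags what the NOTE above warns about.  The zone dict layout, the
function names and the sample rules are constructed for this example."""
import re

# A rich rule carries exactly one element, which decides what the rule does.
ELEMENT_RE = re.compile(r'\b(masquerade|forward-port|icmp-block|service|port|protocol)\b')


def parse_rich_rule(rule):
    """Extract the element kind and the scoping/logging clauses of a rule string."""
    m = ELEMENT_RE.search(rule)
    return {
        'element': m.group(1) if m else None,
        'has_source': bool(re.search(r'\bsource\b', rule)),
        'has_destination': bool(re.search(r'\bdestination\b', rule)),
        'has_log': bool(re.search(r'\blog\b', rule)),
    }


def audit_zone(zone):
    """zone: {'masquerade': bool, 'rules': [rich rule strings]} (constructed layout).
    Returns human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if zone.get('masquerade'):
        findings.append('zone-wide masquerade: every packet leaving the zone is NATed')
    for rule in zone.get('rules', []):
        info = parse_rich_rule(rule)
        if info['element'] == 'masquerade' and not (info['has_source'] or info['has_destination']):
            findings.append('masquerade rule without source/destination scope: ' + rule)
        if info['element'] == 'forward-port' and not info['has_destination']:
            findings.append('forward-port rule not limited to public addresses: ' + rule)
    return findings


# Constructed sample zone: rules 1 and 3 plus the zone flag should be reported,
# the source-scoped masquerade and destination-scoped forward-port should not.
SAMPLE_ZONE = {
    'masquerade': True,
    'rules': [
        'rule family="ipv4" masquerade',
        'rule family="ipv4" source address="10.0.0.0/24" masquerade',
        'rule family="ipv4" forward-port port="1122" protocol="tcp" to-port="22" to-addr="10.0.0.4"',
        'rule family="ipv4" destination address="203.0.113.10" forward-port port="1122" protocol="tcp" to-port="22" to-addr="10.0.0.4"',
        'rule service name="ftp" log limit value="1/m" audit accept',
    ],
}


if __name__ == '__main__':
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```

The check is deliberately string based so it can be run against rendered pillar output or the rules listed by firewall-cmd, without importing the module that generated them.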