diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml
index 3f30fc367..9a758161c 100644
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -1,8 +1,8 @@
-{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
-{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.ports %}
 {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
-{% if local_portgroups.firewall.aliases.ports %}
- {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% if local_portgroups.firewall.ports %}
+ {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
 {% set local_portgroups = {} %}
 {% endif %}
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index a25265c77..f12cfc634 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -1,7 +1,7 @@
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
-{% import_yaml 'firewall/portgroups.yaml' as portgroups %}
-{% set portgroups = portgroups.firewall.aliases.ports %}
-{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
+{% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
+{% set portgroups = portgroups.firewall.ports %}
+{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}
 role:
 eval:
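Review bot: `{% if local_portgroups.firewall.ports %}` still dereferences `firewall` unconditionally, so the `{% else %}` fallback to `{}` is only reached when portgroups.local.yaml contains a `firewall` mapping whose `ports` key is empty; a local file that is empty or has no `firewall` key makes `import_yaml` hand back None or an undefined and the whole render fails instead of falling back (Salt's Jinja renderer uses StrictUndefined as far as I recall, so this is a hard error rather than a silent skip — worth confirming against the renderer in use). A guard that tolerates both shapes keeps the fallback meaningful: `{% if local_portgroups and local_portgroups.get('firewall') and local_portgroups.firewall.get('ports') %}`. The identical construct is changed the same way in salt/firewall/map.jinja in this commit, so both copies should get the same guard.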
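Review bot: Inverting the fallback in `{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %}` changes the rendered firewall for every minion whose pillar never sets `elasticsearch:true_cluster`, and the hunk carries no comment explaining why a missing key should now mean a multi-node cluster; where TRUE_CLUSTER is consumed is outside this hunk, so which hostgroups gain or lose rules as a result cannot be confirmed from here. A Jinja comment above the line recording the intent would make the default auditable, e.g. `{# an unset elasticsearch:true_cluster is treated as a true cluster; single-node installs must set it to False explicitly #}`. Note also that the `global:airgap` lookup on the line above falls back to the string `'False'` and is later tested with `is sameas true`, while this one falls back to a boolean; the two flags are read with different conventions, which is easy to get wrong when editing pillar data, so normalising both to booleans (and documenting the expected pillar type) is worth doing while this line is being touched.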
@@ -14,16 +14,11 @@ role:
 - {{ portgroups.mysql }}
 - {{ portgroups.kibana }}
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.influxdb }}
- - {{ portgroups.cortex }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
- - {{ portgroups.cortex_es_rest }}
- - {{ portgroups.cortex_es_node }}
 minion:
 portgroups:
- - {{ portgroups.acng }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
@@ -34,12 +29,10 @@ role:
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
@@ -90,19 +83,14 @@ role:
 - {{ portgroups.mysql }}
 - {{ portgroups.kibana }}
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.influxdb }}
- - {{ portgroups.cortex }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
- - {{ portgroups.cortex_es_rest }}
- - {{ portgroups.cortex_es_node }}
 {% if ISAIRGAP is sameas true %}
 - {{ portgroups.agrules }}
 {% endif %}
 minion:
 portgroups:
- - {{ portgroups.acng }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
@@ -116,13 +104,11 @@ role:
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
 self:
@@ -170,16 +156,11 @@ role:
 - {{ portgroups.mysql }}
 - {{ portgroups.kibana }}
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.influxdb }}
- - {{ portgroups.cortex }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
- - {{ portgroups.cortex_es_rest }}
- - {{ portgroups.cortex_es_node }}
 minion:
 portgroups:
- - {{ portgroups.acng }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
@@ -191,12 +172,10 @@ role:
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
@@ -247,16 +226,11 @@ role:
 - {{ portgroups.mysql }}
 - {{ portgroups.kibana }}
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.influxdb }}
- - {{ portgroups.cortex }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
- - {{ portgroups.cortex_es_rest }}
- - {{ portgroups.cortex_es_node }}
 minion:
 portgroups:
- - {{ portgroups.acng }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
@@ -268,12 +242,10 @@ role:
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
- - {{ portgroups.minio }}
 - {{ portgroups.elasticsearch_node }}
 self:
 portgroups:
@@ -328,14 +300,10 @@ role:
 - {{ portgroups.kibana }}
 - {{ portgroups.redis }}
 - {{ portgroups.influxdb }}
- - {{ portgroups.cortex }}
 - {{ portgroups.elasticsearch_rest }}
 - {{ portgroups.elasticsearch_node }}
- - {{ portgroups.cortex_es_rest }}
- - {{ portgroups.cortex_es_node }}
 minion:
 portgroups:
- - {{ portgroups.acng }}
 - {{ portgroups.docker_registry }}
 - {{ portgroups.influxdb }}
 - {{ portgroups.sensoroni }}
diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml
new file mode 100644
index 000000000..d34a4bc0d
--- /dev/null
+++ b/salt/firewall/hostgroups.yaml
@@ -0,0 +1,23 @@
+{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
+firewall:
+ hostgroups:
+ anywhere:
+ ips:
+ delete:
+ insert:
+ - 0.0.0.0/0
+ dockernet:
+ ips:
+ delete:
+ insert:
+ - {{ DNET }}/24
+ localhost:
+ ips:
+ delete:
+ insert:
+ - 127.0.0.1
+ self:
+ ips:
+ delete:
+ insert:
+ - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
diff --git a/salt/firewall/hostgroups/analyst_workstation b/salt/firewall/hostgroups/analyst_workstations
similarity index 100%
rename from salt/firewall/hostgroups/analyst_workstation
rename to salt/firewall/hostgroups/analyst_workstations
diff --git a/salt/firewall/hostgroups/heavynode b/salt/firewall/hostgroups/heavynodes
similarity index 100%
rename from salt/firewall/hostgroups/heavynode
rename to salt/firewall/hostgroups/heavynodes
diff --git a/salt/firewall/hostgroups/receiver b/salt/firewall/hostgroups/receivers
similarity index 100%
rename from salt/firewall/hostgroups/receiver
rename to salt/firewall/hostgroups/receivers
diff --git a/salt/firewall/hostgroups/searchnode b/salt/firewall/hostgroups/searchnodes
similarity index 100%
rename from salt/firewall/hostgroups/searchnode
rename to salt/firewall/hostgroups/searchnodes
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 45e2989e2..0cce4cd99 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
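Review bot: The `self` hostgroup indexes `salt['grains.get']('ip_interfaces').get(<mainint>)[0]` with no guard: if the resolved interface name is not a key of the grain, `.get()` yields None and the `[0]` aborts the render of every state that imports this file, and when the key exists the entry taken is simply whatever address the grain lists first — as far as I know `ip_interfaces` mixes IPv6 and IPv4 entries, so the whitelisted "self" address may not be the IPv4 one the rules expect (please confirm on a real node). Resolving the interface name once and iterating the IPv4-only `ip4_interfaces` grain with an empty default keeps a missing or address-less interface from taking the highstate down and covers a multi-homed interface instead of only its first address (a deliberate widening from one address to all addresses on that interface, so call it out if only the first is wanted). Two smaller points in the same file: `dockernet` hard-codes `/24` onto the `global:dockernet` pillar while the Docker default bridge is a /16, so containers outside the first /24 would fall outside this group unless the pillar is already known to be a /24; and the bare `delete:` keys parse as null rather than an empty list, so the consumer has to special-case None where `delete: []` would be unambiguous.
```yaml
{%- set MAININT = salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))) %}
{%- set SELF_IPS = salt['grains.get']('ip4_interfaces', {}).get(MAININT, []) %}
# … unchanged: anywhere, dockernet and localhost hostgroups …
    self:
      ips:
        delete: []
        insert:
{%- for ip in SELF_IPS %}
          - {{ ip }}
{%- endfor %}
```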
@@ -4,8 +4,8 @@
 {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
 {% set default_portgroups = default_portgroups.firewall.ports %}
 {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
-{% if local_portgroups.firewall.aliases.ports %}
- {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% if local_portgroups.firewall.ports %}
+ {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
 {% set local_portgroups = {} %}
 {% endif %}
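Review bot: `{% if local_portgroups.firewall.ports %}` only reaches the `{% else %}` branch when portgroups.local.yaml already has a `firewall` mapping with an empty `ports`; an empty local file, or one without a `firewall` key, makes the attribute chain fail during rendering rather than falling back to `{}`, which defeats the purpose of the else branch (Salt's Jinja environment is strict about undefined values as far as I recall — confirm for the renderer in use). Guarding each level keeps the fallback real: `{% if local_portgroups and local_portgroups.get('firewall') and local_portgroups.firewall.get('ports') %}`. The same check is duplicated in files/firewall/assigned_hostgroups.local.map.yaml in this commit and should be fixed in both places, or better, that file should import this map rather than carry its own copy.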