From 15fd4de669498a5198c388913e89d1e831ecc254 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 9 Jun 2020 13:44:10 -0400
Subject: [PATCH] remove yamlized rules, update assigned hostgroups - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641
---
 salt/firewall/assigned_hostgroups.map.yaml | 26 +++++++++++
 salt/firewall/init.sls | 51 ----------------------
 2 files changed, 26 insertions(+), 51 deletions(-)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 3cab69f69..a564942e1 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -336,16 +336,28 @@ role: - {{ portgroups.elasticsearch_node }} INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: portgroups: - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} sensor: chain: INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: portgroups: - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} heavynode: chain: DOCKER-USER:
@@ -355,6 +367,14 @@ role: - {{ portgroups.redis }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + localhost: + portgroups: + - {{ portgroups.all }} fleet: chain: DOCKER-USER:
@@ -373,6 +393,12 @@ role: - {{ portgroups.fleet_webui }} INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: + portgroups: + - {{ portgroups.all }} + localhost: portgroups: - {{ portgroups.all }}
\ No newline at end of file
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 781feb495..12e6366a7 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
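Review bot: The new `anywhere:` / `portgroups: - {{ portgroups.ssh }}` entries under the node and sensor INPUT chains reproduce the unconditional tcp/22 ACCEPT that this same commit removes from init.sls (`iptables_allow_ssh`), so SSH remains reachable from every source; that is a deliberate exposure and deserves a comment where the entry first appears, e.g. `# anywhere/ssh: management SSH is intentionally open to all sources (replaces the removed iptables_allow_ssh state)`. Deleting the old `iptables_allow_ssh` and `iptables_allow_localhost` states from init.sls does not, as far as I can tell, remove rules that were already appended and saved on existing hosts, so the legacy rules and the generated hostgroup rules will likely coexist there until the chain is rebuilt — worth stating in the commit description. The `localhost` hostgroup stands in for the old `source: 127.0.0.1` rule; whether it matches exactly that address depends on its definition in firewall/map.jinja, which is outside this diff.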
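Review bot: The INPUT chain added for heavynode (hunk `@@ -355,6 +367,14 @@`) lists only the `anywhere`/ssh and `localhost`/all hostgroups, whereas the node, sensor and fleet INPUT chains touched in this same change also carry `dockernet` with `portgroups.all`. If the omission is intentional, a comment above the stanza should say so; otherwise add the same `dockernet:` / `portgroups:` / `- {{ portgroups.all }}` block here for consistency. Without it, host access from the docker network on heavynode presumably falls through to whatever DOCKER-USER and the default INPUT policy allow, neither of which is visible in this hunk.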
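Review bot: The file still ends without a trailing newline (`\ No newline at end of file` after the last `- {{ portgroups.all }}` of the fleet INPUT chain), which this commit edits but does not fix; add a final newline so later appends diff cleanly and yamllint's `new-line-at-end-of-file` check passes. The fleet INPUT content itself is consistent with node and sensor (anywhere/ssh, dockernet/all, localhost/all).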
@@ -1,17 +1,4 @@
 # Firewall Magic for the grid
-{% if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch', 'so-standalone'] %}
- {% set ip = salt['pillar.get']('static:masterip', '') %}
-{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
- {% set ip = salt['pillar.get']('node:mainip', '') %}
-{% elif grains['role'] == 'so-sensor' %}
- {% set ip = salt['pillar.get']('sensor:mainip', '') %}
-{% elif grains['role'] == 'so-fleet' %}
- {% set ip = salt['pillar.get']('node:mainip', '') %}
-{% endif %}
-
-{% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
-{% set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}
-
 {% from 'firewall/map.jinja' import hostgroups with context %}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context %}
 {% set role = grains.id.split('_') | last %}
@@ -31,15 +18,6 @@ iptables_fix_fwd: - position: 1 - target: DOCKER-USER -# Keep localhost in the game -iptables_allow_localhost: - iptables.append: - - table: filter - - chain: INPUT - - jump: ACCEPT - - source: 127.0.0.1 - - save: True - # Allow related/established sessions iptables_allow_established: iptables.append:
@@ -50,16 +28,6 @@ iptables_allow_established: - ctstate: 'RELATED,ESTABLISHED' - save: True -# Always allow SSH so we can like log in -iptables_allow_ssh: - iptables.append: - - table: filter - - chain: INPUT - - jump: ACCEPT - - dport: 22 - - proto: tcp - - save: True - # I like pings iptables_allow_pings: iptables.append:
@@ -117,25 +85,6 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' -# Rules if you are a Master -{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} - -# Allow Fleet Node to send its beats traffic -{% if FLEET_NODE %} -enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ FLEET_NODE_IP }} - - dport: 5644 - - position: 1 - - save: True -{% endif %} - -{% endif %} - {% for chain, hg in assigned_hostgroups.role[role].chain.items() %} {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %} {% for action in ['insert', 'delete' ] %}