diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml
index 9a758161c..07f389af0 100644
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -1,6 +1,6 @@
 {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
 {% set default_portgroups = default_portgroups.firewall.ports %}
-{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
 {% if local_portgroups.firewall.ports %}
 {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
deleted file mode 100644
index c4ebc3613..000000000
--- a/files/firewall/hostgroups.local.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-firewall:
- hostgroups:
- analyst:
- ips:
- delete:
- insert:
- beats_endpoint:
- ips:
- delete:
- insert:
- beats_endpoint_ssl:
- ips:
- delete:
- insert:
- elasticsearch_rest:
- ips:
- delete:
- insert:
- elastic_agent_endpoint:
- ips:
- delete:
- insert:
- endgame:
- ips:
- delete:
- insert:
- fleet:
- ips:
- delete:
- insert:
- heavy_node:
- ips:
- delete:
- insert:
- idh:
- ips:
- delete:
- insert:
- manager:
- ips:
- delete:
- insert:
- node:
- ips:
- delete:
- insert:
- receiver:
- ips:
- delete:
- insert:
- search_node:
- ips:
- delete:
- insert:
- sensor:
- ips:
- delete:
- insert:
- strelka_frontend:
- ips:
- delete:
- insert:
- syslog:
- ips:
- delete:
- insert:
diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/ports/ports.local.yaml
similarity index 100%
rename from files/firewall/portgroups.local.yaml
rename to files/firewall/ports/ports.local.yaml
diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml
deleted file mode 100644
index d669d96e4..000000000
--- a/salt/firewall/hostgroups.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{% from 'docker/docker.map.jinja' import DOCKER %}
-firewall:
- hostgroups:
- anywhere:
- ips:
- delete:
- insert:
- - 0.0.0.0/0
- dockernet:
- ips:
- delete:
- insert:
- - {{ DOCKER.sorange }}
- localhost:
- ips:
- delete:
- insert:
- - 127.0.0.1
- self:
- ips:
- delete:
- insert:
- - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
diff --git a/salt/firewall/hostgroups/anywhere b/salt/firewall/hostgroups/anywhere
new file mode 100644
index 000000000..b04387011
--- /dev/null
+++ b/salt/firewall/hostgroups/anywhere
@@ -0,0 +1 @@
+0.0.0.0/0
diff --git a/salt/firewall/hostgroups/dockernet b/salt/firewall/hostgroups/dockernet
new file mode 100644
index 000000000..ccbd6e89c
--- /dev/null
+++ b/salt/firewall/hostgroups/dockernet
@@ -0,0 +1,2 @@
+{% from 'docker/docker.map.jinja' import DOCKER -%}
+{{ DOCKER.sorange }}
diff --git a/salt/firewall/hostgroups/localhost b/salt/firewall/hostgroups/localhost
new file mode 100644
index 000000000..7b9ad531d
--- /dev/null
+++ b/salt/firewall/hostgroups/localhost
@@ -0,0 +1 @@
+127.0.0.1
diff --git a/salt/firewall/hostgroups/self b/salt/firewall/hostgroups/self
new file mode 100644
index 000000000..488f25de4
--- /dev/null
+++ b/salt/firewall/hostgroups/self
@@ -0,0 +1,2 @@
+{% from 'vars/globals.map.jinja' import GLOBALS -%}
+{{ GLOBALS.node_ip }}
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 2fa295447..ea2d1b4e8 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -3,7 +3,7 @@ {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.ports %} -{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} +{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %} {% if local_portgroups.firewall.ports %} {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} @@ -12,36 +12,16 @@ {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} {% set defined_portgroups = portgroups %} -{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} -{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#} {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} -{% set hostgroup_list = [ - 'analyst', - 'analyst_workstations', - 'eval', - 'heavynodes', - 'idh', - 'manager', - 'managersearch', - 'receivers', - 'searchnodes', - 'sensors', - 'standalone', - 'beats_endpoint', - 'beats_endpoint_ssl', - 'elasticsearch_rest', - 'elastic_agent_endpoint', - 'endgame', - 'strelka_frontend', - 'syslog' - ] -%} + +{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} + {% for hg in hostgroup_list %} -{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %} -{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} +{% import_text hg as hg_ips %} +{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} {% endfor %} -{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} +{% set hostgroups = local_hostgroups.firewall.hostgroups %} {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} 
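Review bot: `salt['cp.list_master'](prefix='firewall/hostgroups')` in the second hunk matches by string prefix, not by directory, so any fileserver path that merely starts with that string — for example a stale `firewall/hostgroups.local.yaml` left in the local salt tree by an earlier install, or a file in a nested subdirectory — is imported as a hostgroup and its whitespace-split tokens become firewall source addresses, and `hg.split('/')[2]` names a nested file after its subdirectory rather than the file. Anchoring the prefix on the directory and taking the last path component closes both: `{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups/') %}` and `{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[-1]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}`. Since the merge with `default_hostgroups` is dropped, these files are now the only source of hostgroup membership, so a comment above the `{% set hostgroup_list` line stating that every file under firewall/hostgroups/ is one hostgroup named after the file, one address or CIDR per whitespace-separated token, would save the next maintainer a trip through this loop. The surrounding template continues past the hunk.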
diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml
deleted file mode 100644
index 331b5e3f2..000000000
--- a/salt/firewall/portgroups/portgroups.yaml
+++ /dev/null
@@ -1,552 +0,0 @@ -role: - eval: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - manager: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - self: - portgroups: - - syslog - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - 
portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - endgame: - portgroups: - - endgame - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - 
elastic_agent_data - endgame: - portgroups: - - endgame - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - elasticsearch_rest: - portgroups: - - elasticsearch_rest - search_node: - portgroups: - - elasticsearch_node - self: - portgroups: - - syslog - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - 
elasticsearch_rest: - portgroups: - - elasticsearch_rest - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - minion: - portgroups: - - docker_registry - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - beats_5644 - search_node: - portgroups: - - redis - - beats_5644 - self: - portgroups: - - redis - - syslog - - beats_5644 - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - endgame: - portgroups: - - endgame - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - manager: - portgroups: - - ssh \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index b62c257b7..31405a2d8 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1181,7 +1181,7 @@ firewall_generate_templates() { local firewall_pillar_path=$local_salt_dir/salt/firewall logCmd "mkdir -p $firewall_pillar_path" - logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" + logCmd "cp -r ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" # i think this can be commented out for 2.4 #for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do
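Review bot: The new `cp -r` line still hard-codes `/opt/so/saltstack/local/salt/firewall/` as its destination even though `firewall_pillar_path` is derived from `$local_salt_dir` two lines above and is what the `mkdir -p` creates; if the two ever diverge the copy lands outside the directory just prepared. Using the variable keeps them in step: `logCmd "cp -r ../files/firewall/* $firewall_pillar_path/"`. Note also that `cp -r` only adds to an existing tree, so on an upgraded install the files this commit deletes or moves (`hostgroups.local.yaml`, `portgroups.local.yaml`) would remain in the destination unless something else removes them, which is worth confirming against the upgrade path outside this hunk. firewall_generate_templates starts before the hunk and continues past it.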