idh firewall

2025-12-10 19:22:54 +01:00 · 2023-05-03 10:53:13 -04:00
parent c597766390
commit 8359f1983c
2 changed files with 75 additions and 1 deletions
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1138,3 +1138,66 @@ firewall:
              portgroups: []
            customhostgroup9:
              portgroups: []
+    idh:
+      chain:
+        DOCKER-USER:
+          hostgroups:
+            customhostgroup0:
+              portgroups: []
+            customhostgroup1:
+              portgroups: []
+            customhostgroup2:
+              portgroups: []
+            customhostgroup3:
+              portgroups: []
+            customhostgroup4:
+              portgroups: []
+            customhostgroup5:
+              portgroups: []
+            customhostgroup6:
+              portgroups: []
+            customhostgroup7:
+              portgroups: []
+            customhostgroup8:
+              portgroups: []
+            customhostgroup9:
+              portgroups: []
+        INPUT:
+          hostgroups:
+            anywhere:
+              portgroups: []
+            dockernet:
+              portgroups:
+                - all
+            localhost:
+              portgroups:
+                - all
+            manager:
+              portgroups:
+                - openssh
+            managersearch:
+              portgroups:
+                - openssh
+            standalone:
+              portgroups:
+                - openssh
+            customhostgroup0:
+              portgroups: []
+            customhostgroup1:
+              portgroups: []
+            customhostgroup2:
+              portgroups: []
+            customhostgroup3:
+              portgroups: []
+            customhostgroup4:
+              portgroups: []
+            customhostgroup5:
+              portgroups: []
+            customhostgroup6:
+              portgroups: []
+            customhostgroup7:
+              portgroups: []
+            customhostgroup8:
+              portgroups: []
+            customhostgroup9:
+              portgroups: []
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -4,7 +4,18 @@

 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
-{# add dockernet range  #}
+{# add dockernet range #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}

+{% if GLOBALS.role == 'so-idh' %}
+{%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
+{%   do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %}
+{%   for pg in IDH_PORTGROUPS.keys() %}
+{#     idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}
+{%     if pg.split('_')[0] == 'idh' %}
+{%       do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+
 {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}