Firewall Module - Add so-allow

2026-01-05 07:43:09 +01:00 · 2019-07-23 10:08:09 -04:00
parent ab3a7aec00
commit 8804a43463
3 changed files with 121 additions and 50 deletions
--- a/pillar/firewall/wazuh_endpoint.sls
+++ b/pillar/firewall/wazuh_endpoint.sls
@@ -0,0 +1,2 @@
+wazuh_endpoint:
+  - 127.0.0.1
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -0,0 +1,42 @@
+#!/bin/bash
+got_root() {
+
+  # Make sure you are root
+  if [ "$(id -u)" -ne 0 ]; then
+          echo "This script must be run using sudo!"
+          exit 1
+  fi
+
+}
+
+got_root
+
+echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+echo ""
+echo "Choose the role for the IP or Range you would like to add"
+echo ""
+echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+echo "[b] - Logstash Beat - port 5044/tcp"
+echo "[o] - Osquery endpoint - port 8080/tcp"
+echo "[w] - Wazuh endpoint - port 1514"
+echo ""
+echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+read ROLE
+echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+read IP
+
+if [ "$ROLE" == "a" ]; then
+  FULLROLE=analyst
+elif [ "$ROLE" == "b" ]; then
+  FULLROLE=beats_endpoint
+elif [ "$ROLE" == "o" ]; then
+  FULLROLE=osquery_endpoint
+elif [ "$ROLE" == "w" ]; then
+  FULLROLE=wazuh_endpoint
+else
+  echo "I don't recognize that role"
+  exit 1
+fi
+
+echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
+/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -408,6 +408,33 @@ enable_standard_osquery_8080_{{ip}}:

 {% endfor %}

+# Allow Wazuh Endpoints to send their traffic
+{% for ip in pillar.get('wazuh_endpoint')  %}
+
+enable_wazuh_endpoint_tcp_1514_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
+enable_wazuh_endpoint_udp_1514_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: udp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
+{% endfor %}
+
 # Allow Analysts
 {% for ip in pillar.get('analyst')  %}

@@ -433,61 +460,61 @@ enable_standard_analyst_443_{{ip}}:
    - position: 1
    - save: True

-enable_standard_analyst_3000_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 3000
-    - position: 1
-    - save: True
+#enable_standard_analyst_3000_{{ip}}:
+#  iptables.insert:
+#    - table: filter
+#    - chain: DOCKER-USER
+#    - jump: ACCEPT
+#    - proto: tcp
+#    - source: {{ ip }}
+#    - dport: 3000
+#    - position: 1
+#    - save: True

-enable_standard_analyst_7000_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 7000
-    - position: 1
-    - save: True
+#enable_standard_analyst_7000_{{ip}}:
+#  iptables.insert:
+#    - table: filter
+#    - chain: DOCKER-USER
+#    - jump: ACCEPT
+#    - proto: tcp
+#    - source: {{ ip }}
+#    - dport: 7000
+#    - position: 1
+#    - save: True

-enable_standard_analyst_9000_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 9000
-    - position: 1
-    - save: True
+#enable_standard_analyst_9000_{{ip}}:
+#  iptables.insert:
+#    - table: filter
+#    - chain: DOCKER-USER
+#    - jump: ACCEPT
+#    - proto: tcp
+#    - source: {{ ip }}
+#    - dport: 9000
+#    - position: 1
+#    - save: True

-enable_standard_analyst_9001_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 9001
-    - position: 1
-    - save: True
+#enable_standard_analyst_9001_{{ip}}:
+#  iptables.insert:
+#    - table: filter
+#    - chain: DOCKER-USER
+#    - jump: ACCEPT
+#    - proto: tcp
+#    - source: {{ ip }}
+#    - dport: 9001
+#    - position: 1
+#    - save: True

 # This is temporary for sensoroni testing
-enable_standard_analyst_9822_{{ip}}:
-  iptables.insert:
-    - table: filter
-    - chain: DOCKER-USER
-    - jump: ACCEPT
-    - proto: tcp
-    - source: {{ ip }}
-    - dport: 9822
-    - position: 1
-    - save: True
+#enable_standard_analyst_9822_{{ip}}:
+#  iptables.insert:
+#    - table: filter
+#    - chain: DOCKER-USER
+#    - jump: ACCEPT
+#    - proto: tcp
+#    - source: {{ ip }}
+#    - dport: 9822
+#    - position: 1
+#    - save: True

 {% endfor %}