2.4 firewall changes

2025-12-13 12:42:56 +01:00 · 2022-12-21 15:03:45 -05:00
parent 33a1aea729 b95a83b016
commit accc293c8a
27 changed files with 270 additions and 169 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -0,0 +1,80 @@
+docker:
+  bip: '172.17.0.1'
+  range: '172.17.0.0/24'
+  sosrange: '172.17.1.0/24'
+  sosbip: '172.17.1.1'
+  containers:
+    'so-dockerregistry':
+      final_octet: 20
+      ports:
+        5000: tcp
+    'so-elastic-fleet':
+      final_octet: 21
+    'so-elasticsearch':
+      final_octet: 22
+      ports:
+        9200: tcp
+        9300: tcp
+    'so-filebeat':
+      final_octet: 23
+    'so-grafana':
+      final_octet: 24
+      ports:
+        3000: tcp
+    'so-idstools':
+      final_octet: 25
+    'so-influxdb':
+      final_octet: 26
+      ports:
+        8086: tcp
+    'so-kibana':
+      final_octet: 27
+      ports:
+        5601: tcp
+    'so-kratos':
+      final_octet: 28
+      ports:
+        4433: tcp
+        4434: tcp
+    'so-logstash':
+      final_octet: 29
+    'so-mysql':
+      final_octet: 30
+      ports:
+        3306: tcp
+    'so-nginx':
+      final_octet: 31
+      ports:
+        80: tcp
+        443: tcp
+    'so-playbook':
+      final_octet: 32
+    'so-redis':
+      final_octet: 33
+      ports:
+        6379: tcp
+        9696: tcp
+    'so-soc':
+      final_octet: 34
+      ports:
+        9822: tcp
+    'so-soctopus':
+      final_octet: 35
+      ports:
+        7000: tcp
+    'so-strelka-backend':
+      final_octet: 36
+    'so-strelka-filestream':
+      final_octet: 37
+    'so-strelka-frontend':
+      final_octet: 38
+    'so-strelka-manager':
+      final_octet: 39
+    'so-strelka-gatekeeper':
+      final_octet: 40
+    'so-strelka-coordinator':
+      final_octet: 41
+    'so-elastalert':
+      final_octet: 42
+    'so-curator':
+      final_octet: 43
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -0,0 +1,8 @@
+{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
+{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set RANGESPLIT = DOCKER.sosrange.split('.') %}
+{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
+
+{% for container, vals in DOCKER.containers.items() %}
+{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{% endfor %}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+{% from 'docker/docker.map.jinja' import DOCKER %}
+
 dockergroup:
  group.present:
    - name: docker
@@ -50,3 +52,13 @@ dockerreserveports:
    - source: salt://common/files/99-reserved-ports.conf
    - name: /etc/sysctl.d/99-reserved-ports.conf

+sos_docker_net:
+  docker_network.present:
+    - name: sosnet
+    - subnet: {{ DOCKER.sosrange }}
+    - gateway: {{ DOCKER.sosbip }}
+    - options:
+        com.docker.network.bridge.name: 'sosbridge'
+        com.docker.network.driver.mtu: '1500'
+        com.docker.network.bridge.enable_ip_masquerade: 'true'
+    - unless: 'docker network ls | grep sosnet'