From ed60d48c81b09ba2dfcc59214683010e6354907d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 29 Jun 2020 18:49:16 +0000
Subject: [PATCH] Add ES REST API option for so-allow
---
 files/firewall/hostgroups.local.yaml | 3 +++
 salt/common/tools/sbin/so-allow | 9 ++++++++-
 salt/firewall/assigned_hostgroups.map.yaml | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
index 27ad40f6e..edb08e195 100644
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -12,6 +12,9 @@ firewall:
 ips:
 delete:
 insert:
+ elasticsearch_rest:
+ delete:
+ insert:
 fleet:
 ips:
 delete:
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index d273cfce5..e7c7f1e1a 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -38,7 +38,11 @@ do
 FULLROLE="beats_endpoint"
 SKIP=1
 ;;
- f)
+ e)
+ FULLROLE="elasticsearch_rest"
+ SKIP=1
+ ;;
+ f)
 FULLROLE="strelka_frontend"
 SKIP=1
 ;;
@@ -77,6 +81,7 @@ if [ "$SKIP" -eq 0 ]; then
 echo ""
 echo "[a] - Analyst - ports 80/tcp and 443/tcp"
 echo "[b] - Logstash Beat - port 5044/tcp"
+ echo "[e] - Elasticsearch REST API - port 9200/tcp"
 echo "[f] - Strelka frontend - port 57314/tcp"
 echo "[o] - Osquery endpoint - port 8090/tcp"
 echo "[s] - Syslog device - 514/tcp/udp"
@@ -92,6 +97,8 @@ if [ "$SKIP" -eq 0 ]; then
 FULLROLE=analyst
 elif [ "$ROLE" == "b" ]; then
 FULLROLE=beats_endpoint
+ elif [ "$ROLE" == "e" ]; then
+ FULLROLE=elasticsearch_rest
 elif [ "$ROLE" == "f" ]; then
 FULLROLE=strelka_frontend
 elif [ "$ROLE" == "o" ]; then
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index aa41322a3..c16a63c00 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
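Review bot: The new `elasticsearch_rest` hostgroup appears to place `delete:` and `insert:` directly under the group key, while the neighbouring `fleet:` entry (and the context lines just above the insertion) nest them under an `ips:` level. Indentation is lost in this collapsed patch, so this is inferred from the line sequence only, but if the firewall state reads `<group>.ips.insert` the new group would never yield an allow rule, or would fail to render. Suggest adding an `ips:` line between `elasticsearch_rest:` and `delete:`/`insert:` so the entry matches the other groups. The enclosing `firewall:` mapping starts and ends outside the hunk.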
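Review bot: The new `e)` case is only reachable if the option string of the enclosing loop (outside the hunk; the header shows only `do`) also lists `e`, and this patch changes no other line of `so-allow` for that, so unless `e` was already accepted, `getopts` would report `-e` as an illegal option and never reach this branch. Please confirm the option string contains `e`, and add it if not. Minor style point: this branch quotes the value (`FULLROLE="elasticsearch_rest"`) while the interactive path in the `@@ -92,6` hunk writes `FULLROLE=elasticsearch_rest`; either works, but one form would be easier to grep.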
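Review bot: The new menu line describes the entry by port only, yet unlike the other entries, allowing 9200/tcp gives the remote host direct access to the Elasticsearch REST API, which in general includes querying and modifying stored indices, so the operator should see that scope before choosing it. Suggest `echo "[e] - Elasticsearch REST API - port 9200/tcp (direct query/index access to Elasticsearch)"`. Whether the API is authenticated in this deployment is not visible in the patch. The enclosing `if` block continues outside the hunk.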
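Review bot: The role-letter to `FULLROLE` mapping is now maintained in two places — this `elif` chain for the interactive prompt and the `case` statement in the `@@ -38,7` hunk for the flag path — and the new `e` entry had to be added to both, plus the menu text in the `@@ -77,6` hunk. A single lookup (a function that maps a letter to a role name, called from both paths, with the menu text derived from the same table) would keep the three from drifting the next time a role is added. This is a style suggestion rather than a defect; the chain continues outside the hunk.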
@@ -48,6 +48,9 @@ role:
 beats_endpoint_ssl:
 portgroups:
 - {{ portgroups.beats_5644 }}
+ elasticsearch_rest:
+ portgroups:
+ - {{ portgroups.elasticsearch_rest }}
 osquery_endpoint:
 portgroups:
 - {{ portgroups.fleet_api }}
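Review bot: `{{ portgroups.elasticsearch_rest }}` references a portgroup that this patch does not define — the diffstat lists only the three files shown — so it must already exist in the portgroups map, which is not visible here; if it does not, the Jinja render of this map fails for every role, not only the new one. Worth confirming that the key exists and is limited to 9200/tcp as the `so-allow` menu text states. The `role:` mapping starts and ends outside the hunk.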