diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 99d8cb38a..fc5368e12 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -77,7 +77,6 @@ firewall: elastic_agent_data: tcp: - 5055 - - 9092 udp: [] elastic_agent_update: tcp:
@@ -91,16 +90,20 @@ firewall: tcp: - 8086 udp: [] - kafka: + kafka_controller: tcp: - 9093 udp: [] + kafka_data: + tcp: + - 9092 + udp: [] kibana: tcp: - 5601 udp: [] localrules: - tcp: + tcp: - 7788 udp: [] nginx:
@@ -369,7 +372,6 @@ firewall: - elastic_agent_update - localrules - sensoroni - - kafka fleet: portgroups: - elasticsearch_rest
@@ -440,7 +442,6 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni - - kafka analyst: portgroups: - nginx
@@ -565,7 +566,6 @@ firewall: - elastic_agent_update - localrules - sensoroni - - kafka fleet: portgroups: - elasticsearch_rest
@@ -634,7 +634,6 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni - - kafka analyst: portgroups: - nginx
@@ -762,7 +761,6 @@ firewall: - beats_5044 - beats_5644 - beats_5056 - - kafka - elasticsearch_node - elastic_agent_control - elastic_agent_data
@@ -832,7 +830,6 @@ firewall: - elastic_agent_data - elastic_agent_update - sensoroni - - kafka analyst: portgroups: - nginx
@@ -1297,21 +1294,17 @@ firewall: portgroups: - redis - elastic_agent_data - - kafka manager: portgroups: - elastic_agent_data - - kafka managersearch: portgroups: - redis - elastic_agent_data - - kafka self: portgroups: - redis - elastic_agent_data - - kafka beats_endpoint: portgroups: - beats_5044
@@ -1324,6 +1317,8 @@ firewall: endgame: portgroups: - endgame + receiver: + portgroups: [] customhostgroup0: portgroups: [] customhostgroup1:
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 74b3a66be..fe04d7ad3 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
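Review bot: The new `kafka_controller` (9093) and `kafka_data` (9092) portgroups in the second hunk are not referenced by any hostgroup in this file once the later hunks strip every `- kafka` entry, so a reader of defaults.yaml cannot tell where those ports are ever opened; a comment on the two entries should say they are attached at render time by map.jinja, e.g. `# not referenced below: map.jinja appends these to hostgroups only when GLOBALS.pipeline == 'KAFKA'`. Renaming `kafka` to `kafka_controller` also means any pillar override that still lists `kafka` under `portgroups:` will name a portgroup that no longer exists after the pillar merge in map.jinja, which deserves a line in the commit message or an upgrade note. Moving 9092 out of `elastic_agent_data` in the first hunk is the security-relevant part: before this change every hostgroup granted `elastic_agent_data` (several are visible in the later hunks' context) reached the Kafka data port regardless of which pipeline was configured, and that grant now only appears when Kafka is enabled. The `- tcp:`/`+ tcp:` pair under `localrules` looks like a whitespace-only fix and needs no action.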
@@ -18,4 +18,28 @@
{% endfor %}
{% endif %}
+{# Only add Kafka firewall items when Kafka enabled #}
+{% set role = GLOBALS.role.split('-')[1] %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
+{% for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
+{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
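Review bot: The receiver branch appends `kafka_controller` to five hostgroups (`self`, `standalone`, `manager`, `managersearch`, `receiver`) with no `is defined` guard, and the manager/managersearch/standalone branch dereferences `hostgroups.receiver` the same way, whereas the `kafka_data` loop underneath guards every lookup, so a role whose defaults lack one of those hostgroups aborts the render instead of being skipped. The defaults.yaml side of this change adds a `receiver:` hostgroup in only one role block, so it is worth confirming the other three roles named in the first branch already define one (the rest of defaults.yaml is not visible here). The `FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups` path is spelled out nine times; binding it once and driving both appends from a peer list keeps the guard policy in one place, and if a missing hostgroup should remain a hard error rather than a silent skip, dropping the `if hostgroups[hg] is defined` filters gives that with the same shape. `{% set role = GLOBALS.role.split('-')[1] %}` assumes the role string always contains a `-`; if that invariant is established elsewhere, a short comment naming the expected `<prefix>-<role>` form would save the next reader a lookup.

```jinja
{# Only add Kafka firewall items when Kafka enabled #}
{% set role = GLOBALS.role.split('-')[1] %}

{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
{% set hostgroups = FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups %}
{# controller port (9093): a receiver talks to every controller-capable node, a controller talks to itself and receivers #}
{% if role == 'receiver' %}
{% set controller_peers = ['self', 'standalone', 'manager', 'managersearch', 'receiver'] %}
{% else %}
{% set controller_peers = [role, 'receiver'] %}
{% endif %}
{% for hg in controller_peers if hostgroups[hg] is defined %}
{% do hostgroups[hg].portgroups.append('kafka_controller') %}
{% endfor %}
{# data port (9092): same producer/consumer hostgroup list as before, now guarded and attached in one place #}
{% for hg in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] if hostgroups[hg] is defined %}
{% do hostgroups[hg].portgroups.append('kafka_data') %}
{% endfor %}
{% endif %}
{# … unchanged: FIREWALL_MERGED pillar merge … #}
```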