CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 19:22:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

update firewall

Browse Source 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
This commit is contained in:
reyesj2
2024-06-24 12:01:01 -04:00
parent c332cd777c
commit ea771ed21b
2 changed files with 32 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
salt/firewall/defaults.yaml
View File

@@ -77,7 +77,6 @@ firewall:
elastic_agent_data: elastic_agent_data:
tcp: tcp:
- 5055 - 5055
- 9092
udp: [] udp: []
elastic_agent_update: elastic_agent_update:
tcp: tcp:
@@ -91,16 +90,20 @@ firewall:
tcp: tcp:
- 8086 - 8086
udp: [] udp: []
kafka: kafka_controller:
tcp: tcp:
- 9093 - 9093
udp: [] udp: []
kafka_data:
tcp:
- 9092
udp: []
kibana: kibana:
tcp: tcp:
- 5601 - 5601
udp: [] udp: []
localrules: localrules:
tcp: tcp:
- 7788 - 7788
udp: [] udp: []
nginx: nginx:
@@ -369,7 +372,6 @@ firewall:
- elastic_agent_update - elastic_agent_update
- localrules - localrules
- sensoroni - sensoroni
- kafka
fleet: fleet:
portgroups: portgroups:
- elasticsearch_rest - elasticsearch_rest
@@ -440,7 +442,6 @@ firewall:
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni - sensoroni
- kafka
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -565,7 +566,6 @@ firewall:
- elastic_agent_update - elastic_agent_update
- localrules - localrules
- sensoroni - sensoroni
- kafka
fleet: fleet:
portgroups: portgroups:
- elasticsearch_rest - elasticsearch_rest
@@ -634,7 +634,6 @@ firewall:
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni - sensoroni
- kafka
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -762,7 +761,6 @@ firewall:
- beats_5044 - beats_5044
- beats_5644 - beats_5644
- beats_5056 - beats_5056
- kafka
- elasticsearch_node - elasticsearch_node
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
@@ -832,7 +830,6 @@ firewall:
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni - sensoroni
- kafka
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -1297,21 +1294,17 @@ firewall:
portgroups: portgroups:
- redis - redis
- elastic_agent_data - elastic_agent_data
- kafka
manager: manager:
portgroups: portgroups:
- elastic_agent_data - elastic_agent_data
- kafka
managersearch: managersearch:
portgroups: portgroups:
- redis - redis
- elastic_agent_data - elastic_agent_data
- kafka
self: self:
portgroups: portgroups:
- redis - redis
- elastic_agent_data - elastic_agent_data
- kafka
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -1324,6 +1317,8 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
receiver:
portgroups: []
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:

24
salt/firewall/map.jinja
View File

@@ -18,4 +18,28 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{# Only add Kafka firewall items when Kafka enabled #}
{% set role = GLOBALS.role.split('-')[1] %}
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
{% endif %}
{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
{% endif %}
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
{% for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
{% endif %}
{% endfor %}
{% endif %}
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %} {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}