CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 19:22:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

update firewall

Browse Source 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
This commit is contained in:
reyesj2
2024-06-24 12:01:01 -04:00
parent c332cd777c
commit ea771ed21b
2 changed files with 32 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
salt/firewall/defaults.yaml
View File

@@ -77,7 +77,6 @@ firewall:
elastic_agent_data:
tcp:
- 5055
- 9092
udp: []
elastic_agent_update:
tcp:
@@ -91,10 +90,14 @@ firewall:
tcp:
- 8086
udp: []
kafka:
kafka_controller:
tcp:
- 9093
udp: []
kafka_data:
tcp:
- 9092
udp: []
kibana:
tcp:
- 5601
@@ -369,7 +372,6 @@ firewall:
- elastic_agent_update
- localrules
- sensoroni
- kafka
fleet:
portgroups:
- elasticsearch_rest
@@ -440,7 +442,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- kafka
analyst:
portgroups:
- nginx
@@ -565,7 +566,6 @@ firewall:
- elastic_agent_update
- localrules
- sensoroni
- kafka
fleet:
portgroups:
- elasticsearch_rest
@@ -634,7 +634,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- kafka
analyst:
portgroups:
- nginx
@@ -762,7 +761,6 @@ firewall:
- beats_5044
- beats_5644
- beats_5056
- kafka
- elasticsearch_node
- elastic_agent_control
- elastic_agent_data
@@ -832,7 +830,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- kafka
analyst:
portgroups:
- nginx
@@ -1297,21 +1294,17 @@ firewall:
portgroups:
- redis
- elastic_agent_data
- kafka
manager:
portgroups:
- elastic_agent_data
- kafka
managersearch:
portgroups:
- redis
- elastic_agent_data
- kafka
self:
portgroups:
- redis
- elastic_agent_data
- kafka
beats_endpoint:
portgroups:
- beats_5044
@@ -1324,6 +1317,8 @@ firewall:
endgame:
portgroups:
- endgame
receiver:
portgroups: []
customhostgroup0:
portgroups: []
customhostgroup1:

24
salt/firewall/map.jinja
View File

@@ -18,4 +18,28 @@
{% endfor %}
{% endif %}
{# Only add Kafka firewall items when Kafka enabled #}
{% set role = GLOBALS.role.split('-')[1] %}
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
{% endif %}
{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
{% endif %}
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
{% for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
{% endif %}
{% endfor %}
{% endif %}
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}