From fe56e171d4035d22d0893c43e65b5d14045192cf Mon Sep 17 00:00:00 2001
From: dlee35
Date: Thu, 13 Dec 2018 13:28:37 -0500
Subject: [PATCH] add firewall rule option for osquery

---
 pillar/firewall/osquery_endpoint.sls | 3 +++
 salt/firewall/init.sls | 18 +++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 pillar/firewall/osquery_endpoint.sls

diff --git a/pillar/firewall/osquery_endpoint.sls b/pillar/firewall/osquery_endpoint.sls
new file mode 100644
index 000000000..cfc6051b8
--- /dev/null
+++ b/pillar/firewall/osquery_endpoint.sls
@@ -0,0 +1,3 @@
+osquery_endpoint:
+ - 127.0.0.1
+
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 47e230779..34e69739f 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -10,7 +10,7 @@
 {% elif grains['role'] == 'so-sensor'%}
-{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
 {% endif %}
@@ -347,6 +347,22 @@ enable_standard_beats_5044_{{ip}}:
 {% endfor %}
+# Allow OSQuery Endpoints to send their traffic
+{% for ip in pillar.get('osquery_endpoint') %}
+
+enable_standard_osquery_8080_{{ip}}:
+ iptables.insert:
+ - table: filter
+ - chain: DOCKER-USER
+ - jump: ACCEPT
+ - proto: tcp
+ - source: {{ ip }}
+ - dport: 8080
+ - position: 1
+ - save: True
+
+{% endfor %}
+
 # Allow Analysts
 {% for ip in pillar.get('analyst') %}
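Review bot: The new pillar key `osquery_endpoint` carries no comment explaining what the listed addresses are granted, so an operator editing this file cannot tell that every entry becomes an unconditional iptables ACCEPT for tcp/8080 in the DOCKER-USER chain. A header comment such as `# Source IPs of osquery endpoints allowed to reach tcp/8080 on this host (consumed by salt/firewall/init.sls); replace the loopback placeholder with the real endpoint addresses or subnets` would make the scope of the grant explicit. The shipped default of 127.0.0.1 appears to be a placeholder rather than a useful value, which is worth stating in that comment as well.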
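Review bot: The change from `sensor:mainip` to `node:mainip` in the so-sensor branch is unrelated to the osquery rule named in the subject and is not mentioned in the commit message; it deserves at least a sentence there. Because the lookup falls back to `''`, any sensor whose pillar still defines only `sensor:mainip` will silently render with an empty `ip`, and every later state that interpolates `{{ip}}` in this file will then be generated with an empty source/ID rather than failing loudly. Consider dropping the empty default, or adding a comment on the `set` line such as `{# node:mainip replaced sensor:mainip; pillars using the old key must be migrated #}`. The enclosing role selection block starts before this hunk.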
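Review bot: `{% for ip in pillar.get('osquery_endpoint') %}` has no default, so on any minion whose pillar does not include the new osquery_endpoint.sls the call returns None and the loop fails to render, which takes the entire firewall state down with it rather than just skipping the osquery rules; `{% for ip in pillar.get('osquery_endpoint', []) %}` keeps the state renderable when the key is absent. The existing `pillar.get('analyst')` loop below shares the same pattern, so if the default is added here it should be added there too for consistency. The rule itself inserts at `position: 1` of DOCKER-USER with `jump: ACCEPT`, so each pillar entry is trusted ahead of any rule already in that chain; a short comment saying that the list is intended to hold specific endpoint addresses rather than broad ranges would help whoever maintains the pillar.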