
revamp deez nuts

master
Sean Johnson 1 year ago
parent
commit
d200e81902
  1. 2
      base/files/20-nftables.conf
  2. 8
      base/repositories.sls
  3. 8
      base/syslog.sls
  4. 12
      fwrules/init.sls
  5. 2
      fwrules/templates/firewall.nft.j2

2
base/files/20-iptables.conf → base/files/20-nftables.conf

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
# Log kernel generated iptables messages to file
:msg,contains,"IPv=" /var/log/iptables.log
:msg,contains,"nft-blocked" /var/log/nftables.log
# Don't log kernel-generated iptables log messages
# anywhere but the file above.
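Review bot: Both comment lines in the renamed file still talk about iptables while the selector on the line between them now keys on the nft log prefix, so the file documents the wrong firewall; they should read `# Log kernel-generated nftables messages to file` and `# Don't log kernel-generated nftables log messages`. The rsyslog `contains` test is a substring match, so `"nft-blocked"` will also match any future prefix that extends it, which is probably intended but worth stating in the comment. The hunk's fifth line, which the second comment refers to (the discard rule that stops these messages reaching other logs), is not visible in this view, so I cannot confirm it survived the rename.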

8
base/repositories.sls

@ -3,6 +3,14 @@ @@ -3,6 +3,14 @@
{% set codename = grains["oscodename"] -%}
{% set osarch = grains["osarch"] %}
{% if codename != "stretch" %}
/etc/apt/sources.list.d/debian-stretch-backports.list:
file.absent: {}
/etc/apt/sources.list.d/debian-stretch-backports-sloppy.list:
file.absent: {}
{% endif %}
debian {{ codename }} backports:
pkgrepo.managed:
- humanname: debian-{{ codename }}-backports
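Review bot: The new guard hard-codes stretch as the only retired release whose backports lists get removed, so the next time `codename` advances the previous release's `-backports` and `-backports-sloppy` lists will be left behind in exactly the way this hunk fixes for stretch. Iterating over a list of retired codenames and skipping the current one keeps the same behaviour today and avoids adding another `{% if %}` per release; the list is a placeholder to be filled from the hosts this state targets. The `pkgrepo.managed` state that follows starts a block that continues outside the hunk.
```yaml
{% for old_codename in ["stretch"] if old_codename != codename %}
/etc/apt/sources.list.d/debian-{{ old_codename }}-backports.list:
  file.absent: {}
/etc/apt/sources.list.d/debian-{{ old_codename }}-backports-sloppy.list:
  file.absent: {}
{% endfor %}
```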

8
base/syslog.sls

@ -4,8 +4,11 @@ @@ -4,8 +4,11 @@
file.absent
/etc/rsyslog.d/20-iptables.conf:
file.absent
/etc/rsyslog.d/20-nftables.conf:
file.managed:
- source: "salt://base/files/20-iptables.conf"
- source: "salt://base/files/20-nftables.conf"
- user: root
- group: root
- mode: 0740
@ -15,4 +18,5 @@ rsyslog: @@ -15,4 +18,5 @@ rsyslog:
- restart: true
- watch:
- file: /etc/rsyslog.d/20-ufw.conf
- file: /etc/rsyslog.d/20-iptables.conf
- file: /etc/rsyslog.d/20-iptables.conf
- file: /etc/rsyslog.d/20-nftables.conf
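Review bot: The new `/etc/rsyslog.d/20-nftables.conf` state carries over `- mode: 0740` as an unquoted leading-zero integer, which a YAML 1.1 loader resolves to decimal 480 before Salt sees it; Salt's file states normalize numeric modes, but `- mode: "0740"` removes the dependency on that normalization and is the usual YAML convention for file modes. In the same file the two `file.absent` states are written as bare scalars while `base/repositories.sls` in this commit writes `file.absent: {}`, so one form should be picked for both files. The `rsyslog` service block that the second hunk edits starts before the hunk, so I cannot see whether anything else still references the removed iptables config.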

12
fwrules/init.sls

@ -61,6 +61,18 @@ nftables firewall table: @@ -61,6 +61,18 @@ nftables firewall table:
- require:
- file: /etc/firewall/firewall.nft
service.systemctl_reload:
module.run:
- service.systemctl_reload:
- onchanges:
- file: /lib/systemd/system/fwrules.service
fwrules:
service.running:
- enable: true
- watch:
- file: /lib/systemd/system/fwrules.service
{% if ("nft"|which) is not none %}
{{ "nft"|which }} -f /etc/firewall/firewall.nft:
cron.absent:
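Review bot: The new `fwrules` service watches only `/lib/systemd/system/fwrules.service`, so a change to `/etc/firewall/firewall.nft` alone will not restart it; if the service is what applies the ruleset, add `- file: /etc/firewall/firewall.nft` to the watch list so an edited ruleset is reloaded on the same highstate run. The `nftables firewall table` state that requires the ruleset file starts before this hunk, so loading may already be handled there, in which case a short comment on the `fwrules` state saying which one owns the reload would settle it. Locally managed unit files conventionally live in `/etc/systemd/system/` rather than `/lib/systemd/system/`, which is the package-owned tree; that is a style point, not a defect in this change.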

2
fwrules/templates/firewall.nft.j2

@ -55,7 +55,7 @@ table inet firewall { @@ -55,7 +55,7 @@ table inet firewall {
{%- endif %}
# Don't insert any rules after this log.
log flags all counter drop
log prefix "nft-blocked" flags all counter drop
}
chain output {
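Review bot: The new `log prefix "nft-blocked"` has no trailing separator, so the kernel emits the prefix run together with the first field (e.g. `nft-blockedIN=...`), which the rsyslog `contains` filter still catches but which makes the resulting log harder to read and to parse by field; `log prefix "nft-blocked: " flags all counter drop` keeps the same match and gives a clean separator. `flags all` logs every TCP option and sequence number on each dropped packet, which is fine for a drop log but worth a one-line comment so the verbosity reads as deliberate. The `chain output {` line opens a block that continues outside the hunk.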
