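# Copyright 2022 OCF Ltd. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Example pillar/vars for the firewalld formula. Everything hangs off the
# single `firewalld` key; `firewalld_services`, `firewalld_zones` and
# `firewalld_ipsets` are rendered into permanent XML config files.
# `xcat_groups` / `xcat_networks` are consumed by the formula's xCAT
# integration; their exact semantics (which hosts a service is applied to,
# which networks are allowed as sources) are not visible here — check the
# state/template that reads them before relying on the exposure notes below.
firewalld:
  ## Toggle firewalld as installed and started
  enable: true

  ## INI entries to override in firewalld.conf
  firewalld_conf_file: /etc/firewalld/firewalld.conf
  firewalld_conf:
    DefaultZone: "public"
    # "off" is firewalld's default: dropped/rejected packets leave no trace
    # in the journal. Set to "unicast" (or "all") if denied connection
    # attempts should be visible to detection/alerting; watch log volume on
    # busy cluster networks. Keep the value quoted - a bare off is a YAML 1.1
    # boolean and would not render as the string firewalld expects.
    LogDenied: "off"

  ## Configure permanent firewalld services (xml config file)
  firewalld_services:
    # SSH is offered to every group from every listed network, including
    # `campus`. If campus is outside the cluster trust boundary, consider
    # narrowing this list or making sure the fail2ban-ssh ipset below is
    # actually bound to a zone - as written in this file it is not.
    - name: ssh
      short: "SSH"
      description: "SSH service"
      port:
        - port: 22
          protocol: tcp
      xcat_groups:
        - all
      xcat_networks:
        - campus
        - cluster
        - infiniband
        - ipmi
        - lustre

    # NOTE: 7911/tcp is the ISC dhcpd OMAPI control socket (the port xCAT's
    # makedhcp talks to), not the DHCP protocol itself (67/udp). OMAPI can add
    # and remove leases, so if `xcat_networks` is the allowed-source list this
    # is wider than the management hosts that drive dhcpd need - confirm and
    # restrict if possible.
    - name: dhcpd
      short: "dhcp"
      description: "DHCP Service"
      port:
        - port: 7911
          protocol: tcp
      xcat_groups:
        - compute
        - all
      xcat_networks:
        - cluster

    #
    #
    #
    # Sample rulesets
    #
    #
    # - name: zabbix
    #   short: "Zabbix"
    #   description: "Zabbix Ports"
    #   port:
    #     - port: 10050
    #       protocol: tcp
    #     - port: 10051
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

    # - name: bacula
    #   short: "Bacula"
    #   description: "Bacula Client"
    #   port:
    #     - port: 9102
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

    # FTP carries credentials and data in clear text; prefer sftp/scp over
    # the SSH service above unless a legacy client genuinely requires it.
    # - name: ftp
    #   short: "FTP"
    #   description: "FTP Client/Server"
    #   port:
    #     - port: 21
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

    # - name: xCAT
    #   short: "xcatd"
    #   description: "xCAT Services"
    #   port:
    #     - port: 3001
    #       protocol: tcp
    #     - port: 3002
    #       protocol: tcp
    #     - port: 3003
    #       protocol: tcp
    #     - port: 623
    #       protocol: udp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

    # 514/tcp is plain-text syslog; use the TLS listener (6514) if log
    # traffic ever crosses a network you do not fully trust.
    # - name: rsyslogd
    #   short: "rsyslogd"
    #   description: "Rsyslog Service"
    #   port:
    #     - port: 514
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

    # 953/tcp is the rndc control channel, not DNS resolution; it normally
    # only needs to be reachable from the hosts that administer named.
    # - name: named
    #   short: "named"
    #   description: "DNS Service"
    #   port:
    #     - port: 53
    #       protocol: tcp
    #     - port: 953
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

  ## Configure permanent firewalld zones (xml config file)
  firewalld_zones:
    #
    # network <-> network allow all rules (ipset cluster is auto generated from xcat_networks)
    # ipsets can only be bound to a single zone; to use this format of rule, any service with a
    # 'cluster' entry in its 'xcat_networks:' list requires 'cluster' to be removed.
    # A target of ACCEPT trusts every host on the source ipset for every port -
    # use it only where the whole network is genuinely within one trust boundary.
    #
    # - name: cluster2cluster
    #   short: "cluster2cluster"
    #   description: "allow ingress from cluster network"
    #   target: "ACCEPT"
    #   source:
    #     - ipset: cluster
    #
    # inbuilt safety rule - the default zone only admits the ssh service
    # (no target set, so firewalld's default reject applies to everything else)
    #
    - name: public
      short: "Public"
      description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
      service:
        - name: "ssh"

    #
    # accept any traffic from management hosts
    # (source-address trust is only as strong as anti-spoofing on the path)
    #
    # - name: mgt
    #   short: "MGT"
    #   description: "Trust my management hosts"
    #   target: "ACCEPT"
    #   source:
    #     - address: 172.22.1.220/32
    #     - address: 172.22.1.221/32

  ## Configure permanent firewalld ipsets (xml config file)
  # This set is not referenced by any zone in this file, so it blocks nothing
  # on its own; confirm the fail2ban action (or another state) attaches it as
  # a source or rich-rule match.
  firewalld_ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        # Entries expire after 300 s. firewalld does not allow entries in the
        # permanent configuration of an ipset that has a timeout option, so
        # the static `targets` below may be rejected or dropped at load -
        # verify against your firewalld version. 10.0.0.1 is a placeholder
        # (often a gateway address); do not ship it as a real block entry.
        timeout:
          - 300
        hashsize:
          - 1024
      targets:
        - 10.0.0.1

    # Separate IPv6 set: `family` defaults to inet, so v6 sources need their own ipset.
    # fail2ban-ssh-ipv6:
    #   short: fail2ban-ssh-ipv6
    #   description: fail2ban-ssh-ipv6 ipset
    #   type: 'hash:ip'
    #   options:
    #     family:
    #       - inet6
    #     maxelem:
    #       - 65536
    #     timeout:
    #       - 300
    #     hashsize:
    #       - 1024
    #   targets:
    #     - 2a01::1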