.. _firewall:

================================
Opening the Firewall up for Salt
================================

The Salt master communicates with the minions using an AES-encrypted ZeroMQ
connection. These communications are done over TCP ports **4505** and **4506**,
which need to be accessible on the master only. This document outlines suggested
firewall rules for allowing these incoming connections to the master.

.. note::

    No firewall configuration needs to be done on Salt minions. These changes
    refer to the master only.

Fedora 18 and beyond / RHEL 7 / CentOS 7
========================================

Starting with Fedora 18 `FirewallD`_ is the tool that is used to dynamically
manage the firewall rules on a host. It has support for IPv4/6 settings and
the separation of runtime and permanent configurations. To interact with
FirewallD use the command line client ``firewall-cmd``.

**firewall-cmd example**:

.. code-block:: bash

    firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp

Please choose the desired zone according to your setup. Don't forget to reload
after you have made your changes.

.. code-block:: bash

    firewall-cmd --reload

.. _`FirewallD`: https://fedoraproject.org/wiki/FirewallD

RHEL 6 / CentOS 6
=================

The ``lokkit`` command packaged with some Linux distributions makes opening
iptables firewall ports very simple via the command line. Just be careful
not to lock yourself out of the server by neglecting to open the SSH port.

**lokkit example**:

.. code-block:: bash

    lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp

The ``system-config-firewall-tui`` command provides a text-based interface for
modifying the firewall.

**system-config-firewall-tui**:

.. code-block:: bash

    system-config-firewall-tui

openSUSE
========

Salt installs firewall rules in :blob:`/etc/sysconfig/SuSEfirewall2.d/services/salt <pkg/suse/salt.SuSEfirewall2>`.
Enable with:

.. code-block:: bash

    SuSEfirewall2 open
    SuSEfirewall2 start

If you have an older package of Salt where the above configuration file is
not included, the ``SuSEfirewall2`` command makes opening iptables firewall
ports very simple via the command line.

**SuSEfirewall example**:

.. code-block:: bash

    SuSEfirewall2 open EXT TCP 4505
    SuSEfirewall2 open EXT TCP 4506

The firewall module in YaST2 provides a text-based interface for modifying the
firewall.

**YaST2**:

.. code-block:: bash

    yast2 firewall

.. _linux-iptables:

iptables
========

Different Linux distributions store their `iptables` (also known as
`netfilter`_) rules in different places, which makes it difficult to
standardize firewall documentation. Included are some of the more
common locations, but your mileage may vary.

.. _`netfilter`: http://www.netfilter.org/

**Fedora / RHEL / CentOS**:

.. code-block:: text

    /etc/sysconfig/iptables

**Arch Linux**:

.. code-block:: text

    /etc/iptables/iptables.rules

**Debian**

Follow these instructions: https://wiki.debian.org/iptables

Once you've found your firewall rules, you'll need to add the two lines below
to allow traffic on ``tcp/4505`` and ``tcp/4506``:

.. code-block:: text

    -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
    -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

**Ubuntu**

Salt installs firewall rules in :blob:`/etc/ufw/applications.d/salt.ufw
<pkg/salt.ufw>`. Enable with:

.. code-block:: bash

    ufw allow salt

pf.conf
=======

The BSD family of operating systems uses `packet filter (pf)`_. The following
example describes the additions to ``pf.conf`` needed to access the Salt
master.

.. code-block:: text

    pass in on $int_if proto tcp from any to $int_if port 4505
    pass in on $int_if proto tcp from any to $int_if port 4506

Once these additions have been made to ``pf.conf``, the rules will need to
be reloaded. This can be done using the ``pfctl`` command.

.. code-block:: bash

    pfctl -vf /etc/pf.conf

.. _`packet filter (pf)`: http://openbsd.org/faq/pf/

=================================
Whitelist communication to Master
=================================

There are situations where you want to selectively allow Minion traffic
from specific hosts or networks into your Salt Master. The first
scenario which comes to mind is to prevent unwanted traffic to your
Master out of security concerns, but another scenario is to handle
Minion upgrades when there are backwards incompatible changes between
the installed Salt versions in your environment.

Here is an example :ref:`Linux iptables <linux-iptables>` ruleset to
be set on the Master:

.. code-block:: bash

    # Allow Minions from these networks
    -I INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
    -I INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
    # Allow Salt to communicate with Master on the loopback interface
    -A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
    # Reject everything else
    -A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT

.. note::

    The important thing to note here is that the ``salt`` command
    needs to communicate with the listening network socket of
    ``salt-master`` on the *loopback* interface. Without this you will
    see no outgoing Salt traffic from the master, even for a simple
    ``salt '*' test.ping``, because the ``salt`` client never reached
    the ``salt-master`` to tell it to carry out the execution.

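The whitelist above only holds if no unrestricted ``ACCEPT`` for the Salt ports is evaluated before the final ``REJECT``, because iptables stops at the first matching rule. The following is an added example, not part of the Salt documentation: it audits ``iptables -S INPUT`` output for ports 4505 and 4506. The function name ``audit_salt_rules`` and both sample rulesets are constructed for illustration.

```shell
# Added example: audit `iptables -S INPUT` output for the Salt master ports.
# A port is WHITELISTED only if a source-less REJECT/DROP is reached before any
# source-less ACCEPT. Only -s, -i lo, --dport(s), -j and bare "-j X" rules count.
audit_salt_rules() {
    awk '
    function covers(spec, port,   n, parts, i, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {
                if (port >= r[1] + 0 && port <= r[2] + 0) return 1
            } else if (parts[i] + 0 == port) return 1
        }
        return 0
    }
    $1 == "-A" && $2 == "INPUT" {
        spec = ($3 == "-j") ? "0:65535" : ""   # bare catch-all rule
        src = "any"; lo = 0; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-i" && $(i + 1) == "lo") lo = 1
            if ($i == "-j") target = $(i + 1)
        }
        if (spec == "" || src != "any" || lo) next   # restricted: not decisive
        for (p = 4505; p <= 4506; p++) {
            if ((p in verdict) || !covers(spec, p)) continue
            if (target == "ACCEPT") verdict[p] = "OPEN"
            else if (target == "REJECT" || target == "DROP") verdict[p] = "WHITELISTED"
        }
    }
    END {
        for (p = 4505; p <= 4506; p++) {
            v = (p in verdict) ? verdict[p] : "UNDECIDED"   # no decisive rule found
            print p, v
            if (v != "WHITELISTED") bad = 1
        }
        exit bad + 0
    }'
}
# Constructed sample: the whitelist ruleset as `iptables -S INPUT` lists it.
SAMPLE_WHITELIST='-A INPUT -s 10.1.3.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -i lo -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT --reject-with icmp-port-unreachable'
# Constructed sample: an older open rule for 4505 left ahead of the whitelist.
SAMPLE_SHADOWED='-A INPUT -p tcp -m state --state NEW -m tcp --dport 4505 -j ACCEPT
-A INPUT -s 10.1.2.0/24 -p tcp -m multiport --dports 4505,4506 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4505,4506 -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$SAMPLE_WHITELIST" | audit_salt_rules
printf '%s\n' "$SAMPLE_SHADOWED" | audit_salt_rules || echo "whitelist bypassed"
```

On a live master, run ``iptables -S INPUT | audit_salt_rules``; a non-zero exit status means at least one Salt port is not protected by the whitelist.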