salt/doc/topics/tutorials/firewall.rst

================================
Opening the Firewall up for Salt
================================

The Salt master communicates with the minions using an AES-encrypted ZeroMQ
connection. These communications are done over ports 4505 and 4506, which need
to be accessible on the master only. This document outlines suggested firewall
rules for allowing these incoming connections to the master.

.. note::

    **No firewall configuration needs to be done on Salt minions. These changes
    refer to the master only.**

RHEL 6 / CENTOS 6
=================

The lokkit command packaged with some linux distributions makes opening
iptables firewall ports very simple via the command line. Just be careful
to not lock out access to the server by neglecting to open the ssh
port.

**lokkit example** ::

   lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp

The system-config-firewall-tui command provides a text-based interface to modifying
the firewall.

**system-config-firewall-tui** ::

   system-config-firewall-tui


iptables
========

Different Linux distributions store their `iptables`_ rules in different places,
which makes it difficult to standardize firewall documentation. Included are
some of the more common locations, but your mileage may vary.

**Fedora / RHEL / CentOS** ::

    /etc/sysconfig/iptables

**Arch Linux** ::

    /etc/iptables/iptables.rules

**Debian**

Follow these instructions: http://wiki.debian.org/iptables

Once you've found your firewall rules, you'll need to add the two lines below
to allow traffic on ``tcp/4505`` and ``tcp/4506``:

::

    -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
    -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

**Ubuntu**

Create a file named ``/etc/ufw/applications.d/salt-master`` ::

        [Salt Master]
        title=Salt master
        description=Salt is a remote execution and configuration management tool.
        ports=4505,4506/tcp

.. _`iptables`: http://www.netfilter.org/

pf.conf
=======

The BSD-family of operating systems uses `packet filter (pf)`_. The following
example describes the additions to ``pf.conf`` needed to access the Salt
master.

::

    pass in on $int_if proto tcp from any to $int_if port 4505
    pass in on $int_if proto tcp from any to $int_if port 4506

Once these additions have been made to the ``pf.conf`` the rules will need to
be reloaded. This can be done using the ``pfctl`` command.

.. code-block:: bash

    pfctl -vf /etc/pf.conf

    
.. _`packet filter (pf)`: http://openbsd.org/faq/pf/
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`================================`
			`Opening the Firewall up for Salt`
			`================================`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`The Salt master communicates with the minions using an AES-encrypted ZeroMQ`
			`connection. These communications are done over ports 4505 and 4506, which need`
			`to be accessible on the master only. This document outlines suggested firewall`
			`rules for allowing these incoming connections to the master.`

			`.. note::`

			`**No firewall configuration needs to be done on Salt minions. These changes`
			`refer to the master only.**`

fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00			`RHEL 6 / CENTOS 6`
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`=================`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`The lokkit command packaged with some linux distributions makes opening`
			`iptables firewall ports very simple via the command line. Just be careful`
			`to not lock out access to the server by neglecting to open the ssh`
			`port.`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00			`lokkit example ::`

			`lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp`

			`The system-config-firewall-tui command provides a text-based interface to modifying`
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`the firewall.`
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00
			`system-config-firewall-tui ::`

			`system-config-firewall-tui`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00

initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`iptables`
			`========`

documentation updates 2012-05-23 04:43:12 +00:00			Different Linux distributions store their `iptables`_ rules in different places,
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`which makes it difficult to standardize firewall documentation. Included are`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`some of the more common locations, but your mileage may vary.`

added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00			`Fedora / RHEL / CentOS ::`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`/etc/sysconfig/iptables`

			`Arch Linux ::`

Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`/etc/iptables/iptables.rules`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Debian`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Follow these instructions: http://wiki.debian.org/iptables`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`Once you've found your firewall rules, you'll need to add the two lines below`
			to allow traffic on ``tcp/4505`` and ``tcp/4506``:

Add the :: 2012-10-12 05:37:20 +00:00			`::`

Using a diff and not specifying that it is a diff in the doc... can be confusing 2012-10-12 04:27:36 +00:00			`-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT`
			`-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Ubuntu`

			Create a file named ``/etc/ufw/applications.d/salt-master`` ::

documentation updates 2012-05-23 04:43:12 +00:00			`[Salt Master]`
			`title=Salt master`
			`description=Salt is a remote execution and configuration management tool.`
			`ports=4505,4506/tcp`

			.. _`iptables`: http://www.netfilter.org/
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`pf.conf`
			`=======`

documentation updates 2012-05-23 04:43:12 +00:00			The BSD-family of operating systems uses `packet filter (pf)`_. The following
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			example describes the additions to ``pf.conf`` needed to access the Salt
			`master.`

Add the :: 2012-10-12 05:37:20 +00:00			`::`

Using a diff and not specifying that it is a diff in the doc... can be confusing 2012-10-12 04:27:36 +00:00			`pass in on $int_if proto tcp from any to $int_if port 4505`
			`pass in on $int_if proto tcp from any to $int_if port 4506`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			Once these additions have been made to the ``pf.conf`` the rules will need to
			be reloaded. This can be done using the ``pfctl`` command.
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`.. code-block:: bash`

			`pfctl -vf /etc/pf.conf`
documentation updates 2012-05-23 04:43:12 +00:00

Fixed several link target syntaxes 2012-06-10 16:23:42 +00:00			.. _`packet filter (pf)`: http://openbsd.org/faq/pf/