================================
Opening the Firewall up for Salt
================================

The Salt master communicates with the minions using an AES-encrypted ZeroMQ
connection. These communications are done over ports 4505 (the publish port,
on which minions subscribe to commands) and 4506 (the request or return port,
on which minions authenticate, send results and fetch files), which need to be
accessible on the master only. Minions open both connections outbound to the
master, so no inbound rule is required on a minion. This document outlines
suggested firewall rules for allowing these incoming connections to the master.

.. note::

    **No firewall configuration needs to be done on Salt minions. These changes
    refer to the master only.**

iptables
========

Different Linux distributions store their `iptables`_ rules in different places,
which makes it difficult to standardize firewall documentation. I've included
some of the more common locations, but your mileage may vary.

**Fedora / Red Hat / CentOS** ::

    /etc/sysconfig/iptables

**Arch Linux** ::

    /etc/iptables/iptables.rules

**Debian**

Follow these instructions: http://wiki.debian.org/iptables

Once you've found your firewall rules, you'll need to add the two lines below
to allow traffic on ``tcp/4505`` and ``tcp/4506``:

.. code-block:: diff

    + -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
    + -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

As written, these rules accept new connections from any source address. Where
the minions sit in known networks, add ``-s <network>`` to each rule so that
only those networks can reach the master's ZeroMQ ports. After editing the
saved rules, reload them (for example with ``iptables-restore`` on the saved
file) and check from a minion that both ports on the master now answer: a
minion that cannot reach ``tcp/4506`` will fail to authenticate, while one that
cannot reach ``tcp/4505`` will authenticate but never receive published
commands.

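A shell helper, added here as an example and not part of the Salt documentation or the Salt project, that applies the two rules above idempotently and goes a step further than the text by restricting them to named minion networks. It assumes an iptables build with the ``state`` match; the ``IPT`` variable, the function names, the ``SALT_FW_APPLY`` guard and the sample network ``10.0.0.0/24`` are this example's own choices.

```shell
#!/bin/sh
# Added example: open the Salt master's ZeroMQ ports with iptables, idempotently.
# Not part of the Salt docs; IPT, the function names, SALT_FW_APPLY and the
# sample networks are this example's own choices.
# Override IPT (e.g. IPT="echo iptables") for a dry run that only prints commands.

IPT="${IPT:-iptables}"

# Print the rule specification (everything after -A/-C) for one Salt port.
# $1 = TCP port (4505 publish, 4506 request); $2 = source network, empty for any.
salt_rule_spec() {
    port=$1
    src=${2:-}
    if [ -n "$src" ]; then
        printf 'INPUT -s %s -p tcp -m tcp --dport %s -m state --state NEW -j ACCEPT' "$src" "$port"
    else
        printf 'INPUT -p tcp -m tcp --dport %s -m state --state NEW -j ACCEPT' "$port"
    fi
}

# Append the rule only if an identical one is not already present: iptables -C
# exits 0 when the rule exists, so re-running the script never duplicates rules.
ensure_rule() {
    spec=$(salt_rule_spec "$1" "$2")
    # Word splitting of $spec is intentional: each token is a separate argument.
    # shellcheck disable=SC2086
    if $IPT -C $spec 2>/dev/null; then
        echo "present: $spec"
    else
        $IPT -A $spec && echo "added: $spec"
    fi
}

# Open 4505 and 4506 for each minion network given; with no arguments the rules
# match any source, exactly like the two lines in the text above.
open_salt_master() {
    if [ $# -eq 0 ]; then
        set -- ""
    fi
    for net in "$@"; do
        for port in 4505 4506; do
            ensure_rule "$port" "$net"
        done
    done
}

# From a minion, confirm the master now accepts connections (needs nc/netcat).
# $1 = master hostname or IP. Both ports must be reachable: 4506 for
# authentication and returns, 4505 for receiving published commands.
check_from_minion() {
    for port in 4505 4506; do
        if nc -z -w 3 "$1" "$port"; then
            echo "reachable: $1:$port"
        else
            echo "BLOCKED: $1:$port"
        fi
    done
}

# Usage (as root on the master):
#   SALT_FW_APPLY=1 ./salt-fw.sh 10.0.0.0/24 192.168.1.0/24
#   SALT_FW_APPLY=1 IPT="echo iptables" ./salt-fw.sh 10.0.0.0/24   # dry run
# Without SALT_FW_APPLY=1 the file only defines the functions (for sourcing).
if [ "${SALT_FW_APPLY:-0}" = 1 ]; then
    open_salt_master "$@"
fi
```

The ``-C`` check is what makes the script safe to run from a cron job or a configuration run: a second invocation reports ``present:`` for every rule instead of stacking duplicates in the INPUT chain.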
**Ubuntu**

Create a file named ``/etc/ufw/applications.d/salt-master`` ::

    [Salt Master]
    title=Salt master
    description=Salt is a remote execution and configuration management tool.
    ports=4505,4506/tcp

The profile on its own opens nothing; enable it with ``ufw allow "Salt Master"``
and confirm the result with ``ufw status``.

.. _`iptables`: http://www.netfilter.org/

pf.conf
=======

The BSD family of operating systems uses `packet filter (pf)`_. The following
example describes the additions to ``pf.conf`` needed to access the Salt
master. ``$int_if`` is a macro for the interface on which the master listens
(for example ``int_if = "em0"``) and must be defined earlier in ``pf.conf``;
as with the iptables rules, replace ``from any`` with your minion networks
where they are known.

.. code-block:: diff

    + pass in on $int_if proto tcp from any to $int_if port 4505
    + pass in on $int_if proto tcp from any to $int_if port 4506

Once you've made these additions to your ``pf.conf`` you'll need to reload the
ruleset so the new rules take effect. This can be done using the ``pfctl``
command; running ``pfctl -nf /etc/pf.conf`` first parses the file without
loading it, which catches syntax errors before you replace the running
ruleset:

.. code-block:: bash

    pfctl -vf /etc/pf.conf

.. _`packet filter (pf)`: http://openbsd.org/faq/pf/