salt/doc/topics/tutorials/firewall.rst

================================
Opening the Firewall up for Salt
================================

The Salt master communicates with the minions using an AES-encrypted ZeroMQ
connection. These communications are done over ports 4505 and 4506, which need
to be accessible on the master only. This document outlines suggested firewall
rules for allowing these incoming connections to the master.

.. note::

    No firewall configuration needs to be done on Salt minions. These changes
    refer to the master only.

RHEL 6 / CENTOS 6
=================

The lokkit command packaged with some Linux distributions makes opening
iptables firewall ports very simple via the command line. Just be careful
to not lock out access to the server by neglecting to open the ssh
port.

**lokkit example**:

.. code-block:: bash

   lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp

The system-config-firewall-tui command provides a text-based interface to modifying
the firewall.

**system-config-firewall-tui**:

.. code-block:: bash

   system-config-firewall-tui


openSUSE
========

Salt installs firewall rules in :blob:`/etc/sysconfig/SuSEfirewall2.d/services/salt <pkg/suse/SuSEfirewall2-salt>`.
Enable with:

.. code-block:: bash

    SuSEfirewall2 open
    SuSEfirewall2 start

If you have an older package of Salt where the above configuration file is not included, the ``SuSEfirewall2`` command makes opening iptables firewall ports
very simple via the command line.

**SuSEfirewall example**:

.. code-block:: bash

   SuSEfirewall2 open EXT TCP 4505
   SuSEfirewall2 open EXT TCP 4506

The firewall module in YaST2 provides a text-based interface to modifying the firewall.

**YaST2**:

.. code-block:: bash

   yast2 firewall


iptables
========

Different Linux distributions store their `iptables`_ rules in different places,
which makes it difficult to standardize firewall documentation. Included are
some of the more common locations, but your mileage may vary.

**Fedora / RHEL / CentOS**:

.. code-block:: bash

    /etc/sysconfig/iptables

**Arch Linux**:

.. code-block:: bash

    /etc/iptables/iptables.rules

**Debian**

Follow these instructions: http://wiki.debian.org/iptables

Once you've found your firewall rules, you'll need to add the two lines below
to allow traffic on ``tcp/4505`` and ``tcp/4506``:

.. code-block:: bash

    -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
    -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

**Ubuntu**

Salt installs firewall rules in :blob:`/etc/ufw/applications.d/salt.ufw
<pkg/salt.ufw>`. Enable with:

.. code-block:: bash

    ufw allow salt

.. _`salt.ufw`: http://github.com/saltstack/salt/blob/develop/pkg/salt.ufw
.. _`iptables`: http://www.netfilter.org/

pf.conf
=======

The BSD-family of operating systems uses `packet filter (pf)`_. The following
example describes the additions to ``pf.conf`` needed to access the Salt
master.

.. code-block:: bash

    pass in on $int_if proto tcp from any to $int_if port 4505
    pass in on $int_if proto tcp from any to $int_if port 4506

Once these additions have been made to the ``pf.conf`` the rules will need to
be reloaded. This can be done using the ``pfctl`` command.

.. code-block:: bash

    pfctl -vf /etc/pf.conf

.. _`packet filter (pf)`: http://openbsd.org/faq/pf/
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`================================`
			`Opening the Firewall up for Salt`
			`================================`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`The Salt master communicates with the minions using an AES-encrypted ZeroMQ`
			`connection. These communications are done over ports 4505 and 4506, which need`
			`to be accessible on the master only. This document outlines suggested firewall`
			`rules for allowing these incoming connections to the master.`

			`.. note::`

Docs formatting fixes 2013-08-25 04:19:54 +00:00			`No firewall configuration needs to be done on Salt minions. These changes`
			`refer to the master only.`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00			`RHEL 6 / CENTOS 6`
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`=================`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00
capitalize Linux in comments/docs 2013-05-10 00:06:29 +00:00			`The lokkit command packaged with some Linux distributions makes opening`
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`iptables firewall ports very simple via the command line. Just be careful`
			`to not lock out access to the server by neglecting to open the ssh`
			`port.`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00
Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`lokkit example:`

			`.. code-block:: bash`
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00
			`lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp`

			`The system-config-firewall-tui command provides a text-based interface to modifying`
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`the firewall.`
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00
Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`system-config-firewall-tui:`

			`.. code-block:: bash`
fixed the lokkit example that I gave before. added new system-config-firewall-tui command. 2012-07-19 07:42:46 +00:00
			`system-config-firewall-tui`
added information on how to properly configure the firewall for salt-masters on CentOS 6 / RHEL. 2012-07-19 04:06:45 +00:00

Add documentation for SuSEfirewall2 2013-09-17 13:27:23 +00:00			`openSUSE`
			`========`

			Salt installs firewall rules in :blob:`/etc/sysconfig/SuSEfirewall2.d/services/salt <pkg/suse/SuSEfirewall2-salt>`.
			`Enable with:`

			`.. code-block:: bash`

			`SuSEfirewall2 open`
			`SuSEfirewall2 start`

			If you have an older package of Salt where the above configuration file is not included, the ``SuSEfirewall2`` command makes opening iptables firewall ports
			`very simple via the command line.`

			`SuSEfirewall example:`

			`.. code-block:: bash`

			`SuSEfirewall2 open EXT TCP 4505`
			`SuSEfirewall2 open EXT TCP 4506`

			`The firewall module in YaST2 provides a text-based interface to modifying the firewall.`

			`YaST2:`

			`.. code-block:: bash`

			`yast2 firewall`


initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`iptables`
			`========`

documentation updates 2012-05-23 04:43:12 +00:00			Different Linux distributions store their `iptables`_ rules in different places,
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			`which makes it difficult to standardize firewall documentation. Included are`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`some of the more common locations, but your mileage may vary.`

Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`Fedora / RHEL / CentOS:`

			`.. code-block:: bash`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`/etc/sysconfig/iptables`

Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`Arch Linux:`

			`.. code-block:: bash`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`/etc/iptables/iptables.rules`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Debian`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Follow these instructions: http://wiki.debian.org/iptables`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`Once you've found your firewall rules, you'll need to add the two lines below`
			to allow traffic on ``tcp/4505`` and ``tcp/4506``:

Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`.. code-block:: bash`
Add the :: 2012-10-12 05:37:20 +00:00
Using a diff and not specifying that it is a diff in the doc... can be confusing 2012-10-12 04:27:36 +00:00			`-A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT`
			`-A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00			`Ubuntu`

Switched hard-coded URL to use the :blob: ref 2013-03-04 21:38:36 +00:00			Salt installs firewall rules in :blob:`/etc/ufw/applications.d/salt.ufw
Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			<pkg/salt.ufw>`. Enable with:

			`.. code-block:: bash`
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00
Ubuntu firewall rules are already included 2013-02-26 18:19:46 +00:00			`ufw allow salt`
documentation updates 2012-05-23 04:43:12 +00:00
Ubuntu firewall rules are already included 2013-02-26 18:19:46 +00:00			.. _`salt.ufw`: http://github.com/saltstack/salt/blob/develop/pkg/salt.ufw
documentation updates 2012-05-23 04:43:12 +00:00			.. _`iptables`: http://www.netfilter.org/
Added doc bits about firewall config on Ubuntu and Debian 2012-03-18 23:44:06 +00:00
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			`pf.conf`
			`=======`

documentation updates 2012-05-23 04:43:12 +00:00			The BSD-family of operating systems uses `packet filter (pf)`_. The following
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00			example describes the additions to ``pf.conf`` needed to access the Salt
			`master.`

Formatting fixes This completes the documentation audit begun in cf365f7, using proper backticks and :strong: tags to emphasize text, converting groups of shell commands to bash code-block sections, etc. This also replaces the use of \* with the easier-to-grok '*', which will hopefully reduce confusion among new users. 2013-08-12 03:17:47 +00:00			`.. code-block:: bash`
Add the :: 2012-10-12 05:37:20 +00:00
Using a diff and not specifying that it is a diff in the doc... can be confusing 2012-10-12 04:27:36 +00:00			`pass in on $int_if proto tcp from any to $int_if port 4505`
			`pass in on $int_if proto tcp from any to $int_if port 4506`
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
change the tense of the document. Documentation should not use "I" or "you" statements 2012-07-19 16:16:58 +00:00			Once these additions have been made to the ``pf.conf`` the rules will need to
			be reloaded. This can be done using the ``pfctl`` command.
initial attempt at a firewall doc for salt master 2012-02-29 20:39:07 +00:00
			`.. code-block:: bash`

			`pfctl -vf /etc/pf.conf`
documentation updates 2012-05-23 04:43:12 +00:00
Fixed several link target syntaxes 2012-06-10 16:23:42 +00:00			.. _`packet filter (pf)`: http://openbsd.org/faq/pf/