Merge pull request #18448 from fabaff/doc-firewall

add section about fedora 18+ and rhel/centos 7
This commit is contained in:
Thomas S Hatch 2014-11-25 09:34:04 -07:00
commit 389aae80b9


@ -3,22 +3,44 @@ Opening the Firewall up for Salt
================================
The Salt master communicates with the minions using an AES-encrypted ZeroMQ
connection. These communications are done over TCP ports 4505 and 4506, which need
to be accessible on the master only. This document outlines suggested firewall
rules for allowing these incoming connections to the master.
connection. These communications are done over TCP ports **4505** and **4506**,
which need to be accessible on the master only. This document outlines suggested
firewall rules for allowing these incoming connections to the master.
.. note::
No firewall configuration needs to be done on Salt minions. These changes
refer to the master only.
Fedora 18 and beyond / RHEL 7 / CentOS 7
========================================
Starting with Fedora 18 `FirewallD`_ is the tool that is used to dynamically
manage the firewall rules on a host. It has support for IPv4/6 settings and
the separation of runtime and permanent configurations. To interact with
FirewallD use the command line client ``firewall-cmd``.
**firewall-cmd example**:
.. code-block:: bash
firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp
Please choose the desired zone according to your setup. Don't forget to reload
after you made your changes.
.. code-block:: bash
firewall-cmd --reload
.. _`FirewallD`: https://fedoraproject.org/wiki/FirewallD
RHEL 6 / CentOS 6
=================
The ``lokkit`` command packaged with some Linux distributions makes opening
iptables firewall ports very simple via the command line. Just be careful
to not lock out access to the server by neglecting to open the ssh
port.
to not lock out access to the server by neglecting to open the ssh port.
**lokkit example**:
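Review bot: the FirewallD example `firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp` leaves the reader to guess the zone; suggest telling them that `firewall-cmd --get-active-zones` lists the zones currently in use, and making explicit that `--permanent` writes only the persisted configuration, so the `firewall-cmd --reload` step shown below it is what actually applies the rule to the running firewall. Since the rule admits every host in that zone to 4505/4506, it is also worth a sentence that the zone chosen should be the one facing the minions rather than a catch-all.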
@ -26,8 +48,8 @@ port.
lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp
The ``system-config-firewall-tui`` command provides a text-based interface to modifying
the firewall.
The ``system-config-firewall-tui`` command provides a text-based interface to
modifying the firewall.
**system-config-firewall-tui**:
@ -47,8 +69,9 @@ Enable with:
SuSEfirewall2 open
SuSEfirewall2 start
If you have an older package of Salt where the above configuration file is not included, the ``SuSEfirewall2`` command makes opening iptables firewall ports
very simple via the command line.
If you have an older package of Salt where the above configuration file is
not included, the ``SuSEfirewall2`` command makes opening iptables firewall
ports very simple via the command line.
**SuSEfirewall example**:
@ -57,7 +80,8 @@ very simple via the command line.
SuSEfirewall2 open EXT TCP 4505
SuSEfirewall2 open EXT TCP 4506
The firewall module in YaST2 provides a text-based interface to modifying the firewall.
The firewall module in YaST2 provides a text-based interface to modifying the
firewall.
**YaST2**:
@ -70,7 +94,7 @@ The firewall module in YaST2 provides a text-based interface to modifying the fi
iptables
========
Different Linux distributions store their `iptables` (also known as
Different Linux distributions store their `iptables` (also known as
`netfilter`_) rules in different places, which makes it difficult to
standardize firewall documentation. Included are some of the more
common locations, but your mileage may vary.
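Review bot: the removed and added lines at `Different Linux distributions store their `iptables` (also known as` read identically, which suggests a trailing-whitespace-only change; that is fine, but it is easy to mistake for a content edit, so consider mentioning it in the commit message or dropping it from a documentation PR.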