From d5caef6666f4936eba7604b012514456e652d5b5 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Mon, 24 Nov 2014 23:56:28 +0100 Subject: [PATCH] add section about fedora 18+ and rhel/centos 7 --- doc/topics/tutorials/firewall.rst | 46 +++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/doc/topics/tutorials/firewall.rst b/doc/topics/tutorials/firewall.rst index fa296137e5..8d6a48e42a 100644 --- a/doc/topics/tutorials/firewall.rst +++ b/doc/topics/tutorials/firewall.rst 
@@ -3,22 +3,44 @@ Opening the Firewall up for Salt ================================ The Salt master communicates with the minions using an AES-encrypted ZeroMQ -connection. These communications are done over TCP ports 4505 and 4506, which need -to be accessible on the master only. This document outlines suggested firewall -rules for allowing these incoming connections to the master. +connection. These communications are done over TCP ports **4505** and **4506**, +which need to be accessible on the master only. This document outlines suggested +firewall rules for allowing these incoming connections to the master. .. note:: No firewall configuration needs to be done on Salt minions. These changes refer to the master only. +Fedora 18 and beyond / RHEL 7 / CentOS 7 +======================================== + +Starting with Fedora 18 `FirewallD`_ is the tool that is used to dynamically +manage the firewall rules on a host. It has support for IPv4/6 settings and +the separation of runtime and permanent configurations. To interact with +FirewallD use the command line client ``firewall-cmd``. + +**firewall-cmd example**: + +.. code-block:: bash + + firewall-cmd --permanent --zone= --add-port=4505-4506/tcp + +Please choose the desired zone according to your setup. Don't forget to reload +after you made your changes. + +.. code-block:: bash + + firewall-cmd --reload + +.. _`FirewallD`: https://fedoraproject.org/wiki/FirewallD + RHEL 6 / CentOS 6 ================= The ``lokkit`` command packaged with some Linux distributions makes opening iptables firewall ports very simple via the command line. Just be careful -to not lock out access to the server by neglecting to open the ssh -port. +to not lock out access to the server by neglecting to open the ssh port. **lokkit example**: 
@@ -26,8 +48,8 @@ port. lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp -The ``system-config-firewall-tui`` command provides a text-based interface to modifying -the firewall. +The ``system-config-firewall-tui`` command provides a text-based interface to +modifying the firewall. **system-config-firewall-tui**: @@ -47,8 +69,9 @@ Enable with: SuSEfirewall2 open SuSEfirewall2 start -If you have an older package of Salt where the above configuration file is not included, the ``SuSEfirewall2`` command makes opening iptables firewall ports -very simple via the command line. +If you have an older package of Salt where the above configuration file is +not included, the ``SuSEfirewall2`` command makes opening iptables firewall +ports very simple via the command line. **SuSEfirewall example**: @@ -57,7 +80,8 @@ very simple via the command line. SuSEfirewall2 open EXT TCP 4505 SuSEfirewall2 open EXT TCP 4506 -The firewall module in YaST2 provides a text-based interface to modifying the firewall. +The firewall module in YaST2 provides a text-based interface to modifying the +firewall. **YaST2**: @@ -70,7 +94,7 @@ The firewall module in YaST2 provides a text-based interface to modifying the fi iptables ======== -Different Linux distributions store their `iptables` (also known as +Different Linux distributions store their `iptables` (also known as `netfilter`_) rules in different places, which makes it difficult to standardize firewall documentation. Included are some of the more common locations, but your mileage may vary.
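Review bot: in the first hunk (the new "Fedora 18 and beyond / RHEL 7 / CentOS 7" section) the `firewall-cmd --permanent --zone= --add-port=4505-4506/tcp` example leaves the zone empty, so the command cannot be run as written; use an explicit placeholder such as `--zone=<zone>` (or the usual default `public`) and tell readers to find the zone their master-facing interface belongs to with `firewall-cmd --get-active-zones`, since opening the ports in the wrong zone either leaves the master unreachable or exposes 4505/4506 on an interface that should not have them. It is also worth stating that `--permanent` only writes the saved configuration, which is why the `firewall-cmd --reload` step must follow; otherwise the ports stay closed until the next reload.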
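Review bot: the `@@ -26,8 +48,8 @@` hunk and the three that follow it only rewrap existing sentences at 80 columns (the last one just strips trailing whitespace after "(also known as"); the wording is unchanged and they are fine, but mixing cosmetic reflows into the same commit as the substantive FirewallD addition makes the diff harder to review and to bisect later, so consider moving the rewraps into a separate commit.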