1
0

firewall.rst 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236
  1. .. _firewall:
  2. ================================
  3. Opening the Firewall up for Salt
  4. ================================
  5. The Salt master communicates with the minions using an AES-encrypted ZeroMQ
  6. connection. These communications are done over TCP ports **4505** and **4506**,
  7. which need to be accessible on the master only. This document outlines suggested
  8. firewall rules for allowing these incoming connections to the master.
  9. .. note::
  10. No firewall configuration needs to be done on Salt minions. These changes
  11. refer to the master only.
  12. Fedora 18 and beyond / RHEL 7 / CentOS 7
  13. ========================================
  14. Starting with Fedora 18 `FirewallD`_ is the tool that is used to dynamically
  15. manage the firewall rules on a host. It has support for IPv4/6 settings and
  16. the separation of runtime and permanent configurations. To interact with
  17. FirewallD use the command line client ``firewall-cmd``.
  18. **firewall-cmd example**:
  19. .. code-block:: bash
  20. firewall-cmd --permanent --zone=<zone> --add-port=4505-4506/tcp
  21. A network zone defines the security level of trust for the the network.
  22. The user should choose an appropriate zone value for their setup.
  23. Possible values include: drop, block, public, external, dmz, work, home, internal, trusted.
  24. Don't forget to reload after you made your changes.
  25. .. code-block:: bash
  26. firewall-cmd --reload
  27. .. _`FirewallD`: https://fedoraproject.org/wiki/FirewallD
  28. RHEL 6 / CentOS 6
  29. =================
  30. The ``lokkit`` command packaged with some Linux distributions makes opening
  31. iptables firewall ports very simple via the command line. Just be careful
  32. to not lock out access to the server by neglecting to open the ssh port.
  33. **lokkit example**:
  34. .. code-block:: bash
  35. lokkit -p 22:tcp -p 4505:tcp -p 4506:tcp
  36. The ``system-config-firewall-tui`` command provides a text-based interface to
  37. modifying the firewall.
  38. **system-config-firewall-tui**:
  39. .. code-block:: bash
  40. system-config-firewall-tui
  41. openSUSE
  42. ========
  43. Salt installs firewall rules in :blob:`/etc/sysconfig/SuSEfirewall2.d/services/salt <pkg/suse/salt.SuSEfirewall2>`.
  44. Enable with:
  45. .. code-block:: bash
  46. SuSEfirewall2 open
  47. SuSEfirewall2 start
  48. If you have an older package of Salt where the above configuration file is
  49. not included, the ``SuSEfirewall2`` command makes opening iptables firewall
  50. ports very simple via the command line.
  51. **SuSEfirewall example**:
  52. .. code-block:: bash
  53. SuSEfirewall2 open EXT TCP 4505
  54. SuSEfirewall2 open EXT TCP 4506
  55. The firewall module in YaST2 provides a text-based interface to modifying the
  56. firewall.
  57. **YaST2**:
  58. .. code-block:: bash
  59. yast2 firewall
  60. Windows
  61. =======
  62. Windows Firewall is the default component of Microsoft Windows that provides
  63. firewalling and packet filtering. There are many 3rd party firewalls available
  64. for Windows, some of which use rules from the Windows Firewall. If you are
  65. experiencing problems see the vendor's specific documentation for opening the
  66. required ports.
  67. The Windows Firewall can be configured using the Windows Interface or from the
  68. command line.
  69. **Windows Firewall (interface)**:
  70. 1. Open the Windows Firewall Interface by typing ``wf.msc`` at the command
  71. prompt or in a run dialog (*Windows Key + R*)
  72. 2. Navigate to **Inbound Rules** in the console tree
  73. 3. Add a new rule by clicking **New Rule...** in the Actions area
  74. 4. Change the Rule Type to **Port**. Click **Next**
  75. 5. Set the Protocol to **TCP** and specify local ports **4505-4506**. Click
  76. **Next**
  77. 6. Set the Action to **Allow the connection**. Click **Next**
  78. 7. Apply the rule to **Domain**, **Private**, and **Public**. Click **Next**
  79. 8. Give the new rule a Name, ie: **Salt**. You may also add a description. Click
  80. **Finish**
  81. **Windows Firewall (command line)**:
  82. The Windows Firewall rule can be created by issuing a single command. Run the
  83. following command from the command line or a run prompt:
  84. .. code-block:: bash
  85. netsh advfirewall firewall add rule name="Salt" dir=in action=allow protocol=TCP localport=4505-4506
  86. .. _linux-iptables:
  87. iptables
  88. ========
  89. Different Linux distributions store their `iptables` (also known as
  90. `netfilter`_) rules in different places, which makes it difficult to
  91. standardize firewall documentation. Included are some of the more
  92. common locations, but your mileage may vary.
  93. .. _`netfilter`: http://www.netfilter.org/
  94. **Fedora / RHEL / CentOS**:
  95. .. code-block:: text
  96. /etc/sysconfig/iptables
  97. **Arch Linux**:
  98. .. code-block:: text
  99. /etc/iptables/iptables.rules
  100. **Debian**
  101. Follow these instructions: https://wiki.debian.org/iptables
  102. Once you've found your firewall rules, you'll need to add the below line
  103. to allow traffic on ``tcp/4505`` and ``tcp/4506``:
  104. .. code-block:: text
  105. -A INPUT -m state --state new -m tcp -p tcp --dport 4505:4506 -j ACCEPT
  106. **Ubuntu**
  107. Salt installs firewall rules in :blob:`/etc/ufw/applications.d/salt.ufw
  108. <pkg/salt.ufw>`. Enable with:
  109. .. code-block:: bash
  110. ufw allow salt
  111. pf.conf
  112. =======
  113. The BSD-family of operating systems uses `packet filter (pf)`_. The following
  114. example describes the addition to ``pf.conf`` needed to access the Salt
  115. master.
  116. .. code-block:: text
  117. pass in on $int_if proto tcp from any to $int_if port 4505:4506
  118. Once this addition has been made to the ``pf.conf`` the rules will need to
  119. be reloaded. This can be done using the ``pfctl`` command.
  120. .. code-block:: bash
  121. pfctl -vf /etc/pf.conf
  122. .. _`packet filter (pf)`: http://openbsd.org/faq/pf/
  123. =================================
  124. Whitelist communication to Master
  125. =================================
  126. There are situations where you want to selectively allow Minion traffic
  127. from specific hosts or networks into your Salt Master. The first
  128. scenario which comes to mind is to prevent unwanted traffic to your
  129. Master out of security concerns, but another scenario is to handle
  130. Minion upgrades when there are backwards incompatible changes between
  131. the installed Salt versions in your environment.
  132. Here is an example :ref:`Linux iptables <linux-iptables>` ruleset to
  133. be set on the Master:
  134. .. code-block:: bash
  135. # Allow Minions from these networks
  136. -I INPUT -s 10.1.2.0/24 -p tcp --dports 4505:4506 -j ACCEPT
  137. -I INPUT -s 10.1.3.0/24 -p tcp --dports 4505:4506 -j ACCEPT
  138. # Allow Salt to communicate with Master on the loopback interface
  139. -A INPUT -i lo -p tcp --dports 4505:4506 -j ACCEPT
  140. # Reject everything else
  141. -A INPUT -p tcp --dports 4505:4506 -j REJECT
  142. .. note::
  143. The important thing to note here is that the ``salt`` command
  144. needs to communicate with the listening network socket of
  145. ``salt-master`` on the *loopback* interface. Without this you will
  146. see no outgoing Salt traffic from the master, even for a simple
  147. ``salt '*' test.version``, because the ``salt`` client never reached
  148. the ``salt-master`` to tell it to carry out the execution.