From 8e837c23d1b32a7fd1f572ae6a0100b72f3c350e Mon Sep 17 00:00:00 2001
From: Ronny Trommer
Date: Sat, 14 Nov 2015 01:03:09 +0100
Subject: [PATCH] Create OpenNMS ferm IP tables rules and allow to divide policies for several components like WebUI, Trapd, Syslogd. Lockdown all common management ports to localhost only.
---
 state/opennms/common.sls | 8 ++++++++
 state/opennms/ferm.common.conf | 25 +++++++++++++++++++++++++
 state/opennms/ferm.syslogd.conf | 10 ++++++++++
 state/opennms/ferm.trapd.conf | 10 ++++++++++
 state/opennms/ferm.web.conf | 13 +++++++++++++
 state/opennms/syslogd.sls | 9 +++++++++
 state/opennms/trapd.sls | 9 +++++++++
 state/opennms/web.sls | 9 +++++++++
 8 files changed, 93 insertions(+)
 create mode 100644 state/opennms/common.sls
 create mode 100644 state/opennms/ferm.common.conf
 create mode 100644 state/opennms/ferm.syslogd.conf
 create mode 100644 state/opennms/ferm.trapd.conf
 create mode 100644 state/opennms/ferm.web.conf
 create mode 100644 state/opennms/syslogd.sls
 create mode 100644 state/opennms/trapd.sls
 create mode 100644 state/opennms/web.sls
diff --git a/state/opennms/common.sls b/state/opennms/common.sls
new file mode 100644
index 0000000..69d30bd
--- /dev/null
+++ b/state/opennms/common.sls
@@ -0,0 +1,8 @@
+# Firewall configuration
+#
+# Hardening OpenNMS and don't allow RMI 1099 port on IPv4 and IPv6
+ferm.opennms.common:
+ file.managed:
+ - name: /etc/ferm.d/20-opennms-common.conf
+ - source: salt://opennms/ferm.common.conf
+ - makedirs: True
diff --git a/state/opennms/ferm.common.conf b/state/opennms/ferm.common.conf
new file mode 100644
index 0000000..df29c75
--- /dev/null
+++ b/state/opennms/ferm.common.conf
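Review bot: The `ferm.opennms.common` state writes /etc/ferm.d/20-opennms-common.conf but nothing in this hunk reloads ferm, so after `state.apply` the file is on disk while the running ruleset is unchanged until some other state restarts the service. Unless a ferm service state elsewhere in the repo already watches /etc/ferm.d, add `- watch_in:` / `  - service: ferm` to the `file.managed`, and a `- require:` / `  - pkg: ferm` so `makedirs: True` does not silently create the directory on a host that has no ferm installed. The header comment also claims the file "don't allow RMI 1099 port", while the sourced ferm.common.conf accepts four ports (1099, 8101, 18980, 61616) from loopback only; I'd reword it to `# Restrict RMI, Karaf admin console, JMX and ActiveMQ ports to localhost (IPv4 and IPv6)` so the comment matches what is deployed. Whether /etc/ferm.conf actually includes ferm.d/ is not visible in this patch and should be confirmed.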
@@ -0,0 +1,25 @@
+# DO NOT CHANGE THIS FILE IT IS CONTROLLED BY SALTSTACK!
+#
+# IPv4 / IPv6 firewall
+# - RMI registry 1099
+# - Apache Karaf admin console
+# - JMX monitoring
+# - Active MQ
+#
+domain ip
+table filter {
+ chain INPUT {
+ proto tcp dport (1099 8101 18980 61616) {
+ saddr 127.0.0.1/32 ACCEPT;
+ }
+ }
+}
+
+domain ip6
+table filter {
+ chain INPUT {
+ proto tcp dport (1099 8101 18980 61616) {
+ saddr ::1/128 ACCEPT;
+ }
+ }
+}
diff --git a/state/opennms/ferm.syslogd.conf b/state/opennms/ferm.syslogd.conf
new file mode 100644
index 0000000..58158c6
--- /dev/null
+++ b/state/opennms/ferm.syslogd.conf
@@ -0,0 +1,10 @@
+# DO NOT CHANGE THIS FILE IT IS CONTROLLED BY SALTSTACK!
+#
+# IPv4 / IPv6 firewall - Syslog daemon rule
+
+domain (ip ip6)
+table filter {
+ chain INPUT {
+ proto udp dport 10514 ACCEPT;
+ }
+}
diff --git a/state/opennms/ferm.trapd.conf b/state/opennms/ferm.trapd.conf
new file mode 100644
index 0000000..92e40c1
--- /dev/null
+++ b/state/opennms/ferm.trapd.conf
@@ -0,0 +1,10 @@
+# DO NOT CHANGE THIS FILE IT IS CONTROLLED BY SALTSTACK!
+#
+# IPv4 / IPv6 firewall - SNMP Trap daemon rule
+
+domain (ip ip6)
+table filter {
+ chain INPUT {
+ proto udp dport 162 ACCEPT;
+ }
+}
diff --git a/state/opennms/ferm.web.conf b/state/opennms/ferm.web.conf
new file mode 100644
index 0000000..630d559
--- /dev/null
+++ b/state/opennms/ferm.web.conf
@@ -0,0 +1,13 @@
+# DO NOT CHANGE THIS FILE IT IS CONTROLLED BY SALTSTACK!
+#
+# IPv4 / IPv6 firewall - Web application rule
+
+domain (ip ip6)
+table filter {
+ chain INPUT {
+ proto tcp dport 8980 {
+ mod conntrack ctstate NEW
+ ACCEPT;
+ }
+ }
+}
diff --git a/state/opennms/syslogd.sls b/state/opennms/syslogd.sls
new file mode 100644
index 0000000..6485718
--- /dev/null
+++ b/state/opennms/syslogd.sls
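Review bot: The two `proto tcp dport (1099 8101 18980 61616) { saddr ... ACCEPT; }` blocks in ferm.common.conf only add an accept for loopback and never reject anything, so the "lockdown to localhost" promised in the commit message holds only if the INPUT chain's default policy is DROP/REJECT and no broader accept rule runs before this include — neither is visible in this patch. Make the intent self-contained by adding a terminal rule inside each dport block, i.e. `saddr 127.0.0.1/32 ACCEPT;` followed by `DROP;` (and the same after the `::1/128` accept), so these ports stay closed regardless of what the base ferm.conf does. Matching the loopback interface (`interface lo ACCEPT;`) rather than a source address is also the more conventional form, since the `saddr 127.0.0.1/32` match relies on the kernel dropping 127/8 sources arriving on non-loopback interfaces. I'd also state the policy dependency in the file header so the next maintainer does not assume these lines close the ports on their own.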
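Review bot: `proto udp dport 162 ACCEPT;` in ferm.trapd.conf opens the trap receiver to every source on both IPv4 and IPv6 with no `saddr` restriction; SNMPv1/v2c traps are unauthenticated UDP, so anything that can reach the host can inject arbitrary trap events into OpenNMS. If the monitored networks are known, restrict the rule to them, e.g. `saddr ($TRAP_SOURCES) proto udp dport 162 ACCEPT;` with `$TRAP_SOURCES` defined via `@def` and ideally rendered from a pillar value (`template: jinja` on the managing state) so the conf stays generic. The `proto udp dport 10514 ACCEPT;` line in ferm.syslogd.conf has the same shape and the same exposure, since syslog over UDP is equally unauthenticated and spoofable. If the intent really is "accept from anywhere", a header comment saying so would stop a later reviewer from reading it as an oversight.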
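Review bot: `proto tcp dport 8980 { mod conntrack ctstate NEW ACCEPT; }` in ferm.web.conf makes the WebUI reachable from any source on both IP families, which is a deliberate exposure worth stating in the header rather than leaving implicit, e.g. `# 8980 is reachable from all networks; narrow with saddr if the UI is not meant to be public`. This is also the only rule in the patch that uses `mod conntrack ctstate NEW`; it only behaves as intended if an ESTABLISHED,RELATED accept exists in the base ferm.conf (not visible here), and mixing stateful and stateless styles across the four files leaves it unclear whether the UDP rules were meant to be stateful too. Pick one style and apply it consistently, or note in the comment why this rule differs.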
@@ -0,0 +1,9 @@
+# Firewall configuration
+#
+
+# Allow OpenNMS to receive Syslog messages
+ferm.opennms.syslogd:
+ file.managed:
+ - name: /etc/ferm.d/20-opennms-syslogd.conf
+ - source: salt://opennms/ferm.syslogd.conf
+ - makedirs: True
diff --git a/state/opennms/trapd.sls b/state/opennms/trapd.sls
new file mode 100644
index 0000000..4301f8b
--- /dev/null
+++ b/state/opennms/trapd.sls
@@ -0,0 +1,9 @@
+# Firewall configuration
+#
+
+# Allow OpenNMS to receive SNMP Traps
+ferm.opennms.trapd:
+ file.managed:
+ - name: /etc/ferm.d/20-opennms-trapd.conf
+ - source: salt://opennms/ferm.trapd.conf
+ - makedirs: True
diff --git a/state/opennms/web.sls b/state/opennms/web.sls
new file mode 100644
index 0000000..3f17a23
--- /dev/null
+++ b/state/opennms/web.sls
@@ -0,0 +1,9 @@
+# Firewall configuration
+#
+
+# Allow access to the WebUI
+ferm.opennms.web:
+ file.managed:
+ - name: /etc/ferm.d/20-opennms-web.conf
+ - source: salt://opennms/ferm.web.conf
+ - makedirs: True
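Review bot: `ferm.opennms.syslogd`, `ferm.opennms.trapd` and `ferm.opennms.web` are the same five-line `file.managed` stanza differing only in the component name, and none of them notifies the ferm service, so applying any of these states drops a file into /etc/ferm.d without the rule taking effect until ferm is reloaded by something else. Either give each one `- watch_in:` / `  - service: ferm` (assuming a `ferm` service state exists in the repo, which this patch does not show), or collapse the three into one state file that loops over `['syslogd', 'trapd', 'web']` with Jinja and carries the watch and a `require` on the ferm package once. The `#` line followed by a blank line under `# Firewall configuration` also differs from the header layout used in common.sls for no visible reason; pick one layout for all four states.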