Firewall

We have three firewall configurations:

  • salt, for our new VPN based on Wireguard.

  • web, to restrict access to web sites by IP address (ports 80 and 443).

  • monitor, to allow the ElasticSearch and APM clients to post to the APM Server (which runs on our Kibana server). To configure the firewall for monitoring, see Deploy.

Wireguard - Configuration

Tip

Start by adding the server to the VPN

The firewall details are stored in the site file under server_meta. Add the following to the site's pillar, e.g. sites/kb101.sls:

server_meta:
  configure_default_site: True
  sshd_interface_ips:
    - 10.10.2.15
  firewall:
    ports:
      - 80
      - 443
      - 51820

  • configure_default_site - (PJK 13/11/2021 TODO) what does this do?

  • sshd_interface_ips - the IP address of your server on the VPN (see VPN)…

  • firewall - the list of ports you want open. This example is our standard configuration (80 and 443 for the web, 51820 for Wireguard).

ssh

To open the ssh port, add port 22 to the firewall ports and remove sshd_interface_ips, e.g.:

server_meta:
  configure_default_site: True
  # sshd_interface_ips:
  #  - 10.10.2.15
  firewall:
    ports:
      - 22
      - 80
      - 443
      - 51820

Tip

After applying the Salt state, restart the ssh service, i.e. systemctl restart sshd.service.

Web - Configuration

Note

This example was written for restricting access to a devpi server by IP address, but it works just as well for restricting access to a website running on ports 80 and 443.

Find the external IP address of your workstation:

dig +short myip.opendns.com @resolver1.opendns.com

Add it to config/firewall/devpi.sls in your pillar, e.g.:

firewall:
  web:
    # web server
    - 13.16.24.14
    # yourbiz
    - 91.85.167.37

Tip

Add a comment recording which server or workstation each IP address belongs to.

Copy the pillar to your Salt master and run state.apply to update the firewall on your monitor server, e.g.:

salt 'my-server' state.apply --state-verbose=False
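As an added example (not part of the project's Salt states), a small Python check that validates the server_meta pillar from the Wireguard and ssh sections together with the firewall:web list from the Web section before running state.apply: ports must be valid numbers, addresses must parse, and ssh must be reachable in exactly one of the two ways described (port 22 open, or sshd_interface_ips set). The pillar dicts are constructed from the examples above as they would look after yaml.safe_load(); the exactly-one-way ssh rule is an assumption taken from the ssh recipe, not a project rule.

```python
import ipaddress

# Pillar data as it would look after yaml.safe_load() of sites/kb101.sls and
# config/firewall/devpi.sls (constructed here from the examples in this page).
VPN_PILLAR = {
    "server_meta": {"configure_default_site": True, "sshd_interface_ips": ["10.10.2.15"],
                    "firewall": {"ports": [80, 443, 51820]}},
    "firewall": {"web": ["13.16.24.14", "91.85.167.37"]},
}
# Same site with ssh opened on port 22 and sshd_interface_ips removed (the ssh recipe).
SSH_OPEN_PILLAR = {
    "server_meta": {"configure_default_site": True, "firewall": {"ports": [22, 80, 443, 51820]}},
    "firewall": {"web": ["13.16.24.14", "91.85.167.37"]},
}
# Deliberately broken pillar: a non-numeric port, a bad address, and both ssh recipes at once.
BAD_PILLAR = {
    "server_meta": {"sshd_interface_ips": ["10.10.2.15"],
                    "firewall": {"ports": [22, "https", 51820]}},
    "firewall": {"web": ["13.16.24.14", "not-an-ip"]},
}


def check_pillar(pillar):
    """Return a list of problems found; an empty list means the pillar is consistent."""
    problems = []
    meta = pillar.get("server_meta", {})
    ports = meta.get("firewall", {}).get("ports", [])
    for port in ports:
        # bool is a subclass of int, so exclude it explicitly (YAML "yes"/"no" values)
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"invalid port {port!r} in server_meta:firewall:ports")
    address_lists = {
        "server_meta:sshd_interface_ips": meta.get("sshd_interface_ips", []),
        "firewall:web": pillar.get("firewall", {}).get("web", []),
    }
    for key, addresses in address_lists.items():
        for addr in addresses:
            try:
                ipaddress.ip_address(addr)  # accepts IPv4 or IPv6, rejects hostnames/CIDRs
            except ValueError:
                problems.append(f"invalid IP address {addr!r} in {key}")
    # Assumption from the ssh recipe: ssh is reachable exactly one way, either
    # publicly on port 22 or only on the VPN address given in sshd_interface_ips.
    ssh_public = 22 in ports
    ssh_vpn_only = bool(meta.get("sshd_interface_ips"))
    if ssh_public and ssh_vpn_only:
        problems.append("port 22 is open but sshd_interface_ips is still set: remove one of them")
    if not ssh_public and not ssh_vpn_only:
        problems.append("no ssh access: open port 22 or set sshd_interface_ips")
    return problems
```

Run it against a real pillar by loading the .sls files with yaml.safe_load() and passing the merged dict to check_pillar() before state.apply.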