We have three firewall configurations:
saltOur new VPN based on Wireguard
web, To restrict access to web sites via IP (port 80 and 443).
monitor, To allow ElasticSearch, APM client to post to the APM Server (which is running on our Kibana server), To configure the firewall for monitoring, see Deploy.
Wireguard - Configuration
Start by adding the server to the VPN…
The firewall details are stored in the site file (
Add the following to the
sites pillar e.g.
server_meta: configure_default_site: True sshd_interface_ips: - 10.10.2.15 firewall: ports: - 80 - 443 - 51820
configure_default_site- (PJK 13/11/2021 TODO) what does this do?
sshd_interface_ipsis the IP address of your server on the VPN (see VPN)…
firewall- list the
portswhich you want open. This example has our standard configuration (80 and 443 for the web and 51820 for Wireguard).
To open the
ssh port, add port 22 to the
firewall and remove the
server_meta: configure_default_site: True # sshd_interface_ips: # - 10.10.2.15 firewall: ports: - 22 - 80 - 443 - 51820
After applying the Salt state, restart the ssh service i.e.
systemctl restart sshd.service
To check your public keys:
Generate your public key:
sudo grep Private /etc/wireguard/wg1.conf | cut -d' ' -f3 | sudo wg pubkey
Compare the generated public key with the one on the VPN server.
nmap to check for open ports:
sudo nmap -O www.hatherleigh.info
nmap only detects ports that are actively listening - you can use
netstat -nlp on the server to get a fuller list of ports.
nmap check should only be done on servers you have
permission to scan.
For more information, see How To Use Nmap to Scan for Open Ports
Web - Configuration
This example was written for restricting access to a devpi server by IP address but it will work just as well for restricting access to a website running on port 80 and 443.
Find the external IP address of your workstation:
dig +short myip.opendns.com @resolver1.opendns.com
Add it to
config/firewall/devpi.sls in your pillar e.g:
firewall: web: # web server - 22.214.171.124 # yourbiz - 126.96.36.199
Please add a comment to show which server / workstation has the IP address.
Copy the pillar to your Salt master and run a
state.apply to update the
firewall on your monitor server e.g:
salt 'my-server' state.apply --state-verbose=False