We have three firewall configurations:

  • salt, our new VPN based on Wireguard.

  • web, to restrict access to web sites by IP address (ports 80 and 443).

  • monitor, to allow ElasticSearch, APM client to post to the APM Server (which is running on our Kibana server). To configure the firewall for monitoring, see Deploy.

Wireguard - Configuration

Web - Configuration


This example was written for restricting access to a devpi server by IP address, but it will work just as well for restricting access to a website running on ports 80 and 443.

Find the external IP address of your workstation:

    dig +short

Add it to config/firewall/devpi.sls in your pillar, e.g.:

    # web server
    # yourbiz


Please add a comment to show which server / workstation has the IP address.

Copy the pillar to your Salt master and run a state.apply to update the firewall on your monitor server, e.g.:

    salt 'my-server' state.apply --state-verbose=False
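
A check you could run on the allow-list before copying the pillar to the master, as an added example (not part of the original page or the project's own code). It assumes each entry is a YAML list item of the form `- <address>  # comment`; that layout, the `allow:` key, the function name `lint_allowlist` and the sample addresses are assumptions.

```python
import ipaddress
import re

# Assumed entry layout (not taken from the page): "- <address or CIDR>  # comment"
ENTRY = re.compile(
    r"^\s*-\s*['\"]?([0-9A-Fa-f]*[.:][0-9A-Fa-f:.]*(?:/\d+)?)['\"]?\s*(?:#\s*(.*))?$"
)
# IPv4 ranges that can never be the external address of a workstation or server.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]
# Constructed sample, not the real pillar; addresses are documentation ranges.
SAMPLE = """\
allow:
  - 203.0.113.10    # web server
  - 198.51.100.7
  - 192.168.1.20    # my laptop
  - 0.0.0.0/0       # temporary
  - 203.0.113.300   # yourbiz
  - 203.0.113.10    # web server again
"""


def lint_allowlist(text):
    """Return (line_number, problem) pairs for an IP allow-list."""
    problems, seen = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        match = ENTRY.match(line)
        if not match:
            continue  # keys, blank lines and stand-alone comments
        raw, comment = match.group(1), (match.group(2) or "").strip()
        try:
            network = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            problems.append((number, f"{raw}: not a valid IP address or CIDR"))
            continue
        if not comment:
            problems.append((number, f"{raw}: no comment naming the server / workstation"))
        if network.prefixlen == 0:
            problems.append((number, f"{raw}: matches every address, so nothing is restricted"))
        elif network.version == 4 and any(network.subnet_of(n) for n in INTERNAL):
            problems.append((number, f"{raw}: not an external address"))
        if network in seen:
            problems.append((number, f"{raw}: duplicate of line {seen[network]}"))
        seen.setdefault(network, number)
    return problems
```

An empty result means every entry parsed, is commented, and is a plausible external address; the internal-range check covers IPv4 only.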