Chapter 12
Firewall
Now that we have our configuration management system in place we can start defining our configuration.
The first task is to start securing our server. Security should always be defined as restrictive (most secure) first and then relaxed only enough to allow the key functions required for the system to operate.
On our final system this currently means, for the master server, that some users will require access to drive Salt (initiating Salt operations) and Salt itself needs network access for communication between the Salt Master and any Minions we define.
On our development system we have the additional SSH requirements for Vagrant to work, as noted in §7.3.
Given these two slight differences, our configuration must account for the environment it is applied to. Environments are a first-class concept in Salt, so we will look at the Salt environment system, but I don’t think this system is all that helpful and prefer another approach, which I investigate more fully as we proceed.
With that said, let’s look at our first configuration: the server’s host firewall.
12.1 What is a firewall?
Any computer attached to a network is vulnerable to attack. A firewall is just one of the tools available to protect a network and the computers on it.
Broadly speaking, firewalls come in three types:
- Network firewalls
- These are typically dedicated network devices placed at key points in a network to protect parts of that network, often between an untrusted and a trusted network (e.g. between the internet and your company network).
- Host firewalls
- These are software that runs on a computer and typically protects that machine only.
- Application firewalls
- These are software, or subsystems, that control input and output of specific applications or services running on a host computer.
It is also possible for a general-purpose computer to act as a hybrid: filtering traffic as a network firewall for all or part of a network while running other software too.
12.2 What does a firewall do?
In general a firewall inspects every network packet passing through it and, based on its firewall rules, determines what to do with that packet: drop it, accept it and pass it on to its destination, mark it, hand it off for further processing, and so on. Rules are normally evaluated in order, the first rule that matches decides the packet's fate, and a default policy applies to anything no rule matches; under the "restrictive first" approach of this chapter that default is to drop.
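To make the rule evaluation described in §12.2 (and the "restrictive first, then relax" principle from the start of the chapter) concrete, here is a toy first-match packet filter. It is an added illustration written for this edit, not code from the book, from Salt, or from any real firewall. The rule set, subnets and sample packets are constructed: 10.0.2.0/24 stands in for the Vagrant/admin host network and 192.168.56.0/24 for the minion subnet; ports 4505 and 4506 are Salt's default publisher and request-server ports. The default policy is drop, so anything not explicitly allowed is refused, and `shadowed()` flags rules that can never fire because an earlier, broader rule already decides those packets, which is the classic mistake of relaxing a rule set by putting a permissive rule at the top.

```python
"""Toy first-match packet filter modelling how a host firewall applies its rules.
Added illustration only; not Salt's code and not any real firewall's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dport: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Does this rule apply to the packet? Unset fields are wildcards."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would also match self."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.src is not None and (
            other.src is None or not ip_network(other.src).subnet_of(ip_network(self.src))
        ):
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return policy, "default policy"


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(rules[j].covers(r) for j in range(i))]


# Constructed rule set for the Salt master (subnets are assumptions for the example):
# - SSH only from the Vagrant/admin host network
# - Salt's publisher (4505) and request-server (4506) ports only from the minion subnet
# - everything else falls through to the restrictive default policy (drop)
MASTER_RULES = [
    Rule("accept", "tcp", "10.0.2.0/24", 22, "ssh for vagrant/admin"),
    Rule("accept", "tcp", "192.168.56.0/24", 4505, "salt publisher"),
    Rule("accept", "tcp", "192.168.56.0/24", 4506, "salt request server"),
]

# The same rules "relaxed" by putting an accept-everything rule first:
# the three specific rules are now unreachable, and shadowed() reports them.
PERMISSIVE_FIRST = [Rule("accept", comment="allow all")] + MASTER_RULES


if __name__ == "__main__":
    samples = [                                  # constructed sample packets
        Packet("tcp", "10.0.2.2", 22),           # admin SSH: accepted
        Packet("tcp", "192.168.56.10", 4506),    # minion to master: accepted
        Packet("tcp", "203.0.113.9", 22),        # SSH from elsewhere: default drop
        Packet("udp", "192.168.56.10", 4506),    # wrong protocol: default drop
    ]
    for p in samples:
        print(p, "->", evaluate(MASTER_RULES, p))
    print("shadowed rules in permissive-first chain:", shadowed(PERMISSIVE_FIRST))
```

Running it shows the two legitimate flows accepted with the comment of the rule that matched, the two stray packets falling to the default policy, and indices 1, 2 and 3 of the permissive-first chain reported as dead rules. The same first-match and default-policy semantics are what iptables and nftables chains implement, so the mental model carries over when we write the real rules with Salt.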