Firewall and network configuration
Finally, a short word on firewall and network configuration.
Salt is designed so that ports only need to be opened on the Salt master. This is convenient as the firewall settings only need to be modified on one machine. (Refer to Chapter 1, Diving In – Our First Salt Commands, for instructions on how to open the necessary ports on the master.)
However, this also means that we're opening ports on the most critical piece of our infrastructure. If our Salt master is compromised, the attacker could gain the equivalent of root access across our entire infrastructure!
Because of this single point of failure, it is recommended that your master not be open to the public Internet, if possible. This is much less convenient, as external minions must be connected to the Salt master's private network (usually via a VPN), but it makes it astronomically more difficult for an attacker to access the master.
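One way to check this recommendation on a master, as an added example that is not from the book or the Salt project: the script below parses `ss -ltn` output and flags Salt listeners bound to a wildcard or public address. It assumes the default master ports 4505 and 4506; the sample output and function names are constructed for illustration, and it inspects bind addresses only, not firewall rules.

```python
import ipaddress

SALT_PORTS = {4505, 4506}  # assumed Salt master defaults: publish and return ports

# Constructed sample of `ss -ltn` output (not taken from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4505       0.0.0.0:*
LISTEN 0      128    10.8.0.1:4506      0.0.0.0:*
LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and malformed rows
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if port.isdigit():
            yield host, int(port)

def exposure(host):
    """Classify a bind address as 'wildcard', 'public' or 'private'."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"  # listens on every interface, public ones included
    addr = ipaddress.ip_address(host)
    return "private" if (addr.is_private or addr.is_loopback) else "public"

def audit_salt_master(ss_output):
    """Return (port, address, kind) for Salt ports not confined to a private address."""
    findings = []
    for host, port in parse_listeners(ss_output):
        kind = exposure(host)
        if port in SALT_PORTS and kind != "private":
            findings.append((port, host, kind))
    return findings

if __name__ == "__main__":
    for port, host, kind in audit_salt_master(SAMPLE_SS):
        print(f"port {port} bound to {host} ({kind}): restrict to the private/VPN interface")
```

On a real master, pass the live output of `ss -ltn` to `audit_salt_master` instead of the sample.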
If the master must be connected to the Internet at large, other...