
Add more configuration for firewall (ferm)

Emmanuel Bouthenot 10 years ago
parent
commit
efbdb63360
2 changed files with 11 additions and 11 deletions
  1. 1 1
      roles/common/defaults/main.yml
  2. 10 10
      roles/common/templates/ferm/ferm.conf.j2

+ 1 - 1
roles/common/defaults/main.yml

@@ -25,7 +25,7 @@ with_chkrootkit: False
 with_hideproc: False
 
 with_firewall: False
-firewall_opened_ports:
+firewall_public:
   - 'ssh'
   - 'http'
   - 'https'

+ 10 - 10
roles/common/templates/ferm/ferm.conf.j2

@@ -6,15 +6,7 @@
 #  Configuration file for ferm(1).
 #
 
-@def $PORTS = (
-{%- if firewall_opened_ports -%}
-{% for port in firewall_opened_ports %}{{ port }} {% endfor %}
-{%- endif -%}
-{%- if ssh_port is defined -%}{{ ssh_port }} {%- endif -%}
-{%- if ssh_ports_extra is defined -%}
-{% for port in ssh_ports_extra %}{{ port }} {% endfor %}
-{%- endif -%}
-); # Services running
+@def $PORTS = ({{ firewall_public | join(' ') }}); # Services running worldwide
 
 table filter {
     chain INPUT {
@@ -31,7 +23,15 @@ table filter {
         proto icmp icmp-type echo-request ACCEPT;
 
         # standard ports we allow from the outside
-        proto tcp dport $PORTS ACCEPT;
+        proto (udp tcp) dport $PORTS ACCEPT;
+{% if firewall_private is defined %}
+        # Private networks configuration
+{% for fwconf in firewall_private %}
+        interface {{ fwconf.interface }}{% if fwconf.network is defined %} saddr {{ fwconf.network }}{% endif %} {
+            proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
+        }
+{% endfor %}
+{% endif %}
     }
 
     chain OUTPUT {
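Review bot: The rewritten `@def $PORTS = ({{ firewall_public | join(' ') }});` in the first hunk no longer folds `ssh_port` and `ssh_ports_extra` into the list, so a host whose sshd listens on a non-default port stays reachable only if the operator remembers to put that port into `firewall_public`; the service name `ssh` resolves to 22 regardless of `ssh_port`, and the old template appended the real port automatically. If those variables still exist in the role, keep them appended, e.g. `@def $PORTS = ({{ firewall_public | join(' ') }}{% if ssh_port is defined %} {{ ssh_port }}{% endif %});`, or state in the `firewall_public` default's comment that it must contain the actual SSH port. In the second hunk, `proto (udp tcp) dport $PORTS ACCEPT;` also opens UDP for every public service even though ssh/http/https are TCP-only, so a separate UDP list (or keeping `proto tcp` for `$PORTS`) would avoid exposing more than intended. Renaming `firewall_opened_ports` to `firewall_public` without an alias additionally means an inventory still setting the old name silently falls back to the default list instead of its own.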