{% if ansible_controlled is defined and ansible_controlled != "" %} # # {{ ansible_controlled }} # {% endif %} # # Configuration file for ferm(1). # # Detecting network interface assiociated with default route {% if firewall_interface is defined and firewall_interface %} @def $NETDEV = {{ firewall_interface }}; {% else %} @def $NETDEV = `ip route list | sed -r -n 's/^default\s+via\s+.*\s+dev\s+([a-z0-9]+).*$/\1/p'`; {% endif %} # Detecting list of bridge network interfaces @def $BRIDGES = `ip link show up | sed -r -n 's/^[0-9]+:\s+((xenbr|br|wg)[^:]+):\s+.*$/\1/p' | xargs`; # Default policies domain (ip ip6) { table filter { chain (INPUT FORWARD) policy DROP; chain OUTPUT policy ACCEPT; } } # Allow all on lo interface domain (ip ip6) table filter { chain INPUT interface lo ACCEPT; chain OUTPUT outerface lo ACCEPT; } # Allow ipv6 protocol specifics domain ip table filter chain (INPUT OUTPUT) protocol (ipv6 ipv6-icmp) ACCEPT; # Allow icmp-echo domain (ip ip6) table filter chain (INPUT OUTPUT) protocol icmp icmp-type echo-request ACCEPT; # Drop invalid packets domain (ip ip6) table filter chain INPUT mod state state INVALID DROP; # Established/related connections domain (ip ip6) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT; domain (ip ip6) { table filter { chain INPUT { # standard ports we allow from the outside @if @not(@eq(@length(NETDEV),0)) { interface ($NETDEV) { proto (udp tcp) dport ({{ firewall_public | join(' ') }}) ACCEPT; } } {% if firewall_private is defined %} {% for fwconf in firewall_private %} interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} { proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT; } {% endfor %} {% endif %} {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm INPUT REJECT: " log-level warning; REJECT; } {% if firewall_private is defined %} chain OUTPUT { {% for fwconf in firewall_private %} {% if fwconf.users is defined %} outerface {{ fwconf.interface }} { mod owner uid-owner ({{ fwconf.users | join(' ') }}) ACCEPT; {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm OUTPUT REJECT: " log-level warning; REJECT; } {% endif %} {% endfor %} } {% endif %} chain FORWARD { @if @not(@eq(@length(BRIDGES),0)) { interface ($BRIDGES) { ACCEPT; } } @else { {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm FORWARD REJECT: " log-level warning; REJECT; } } } }