123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107 |
- {% if ansible_prolog -%}
- {% from 'templates/ansible/prolog.j2' import prolog with context %}
- {{ prolog() }}
- {% endif -%}
- #
- # Configuration file for ferm(1).
- #
- @def $PORTS = ({{ firewall_public | join(' ') }}); # Services running worldwide
- table filter {
- chain INPUT {
- policy DROP;
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- # allow local packet
- interface lo ACCEPT;
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
- # standard ports we allow from the outside
- proto (udp tcp) dport $PORTS ACCEPT;
- {% if firewall_private is defined %}
- # Private networks configuration
- {% for fwconf in firewall_private %}
- interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} {
- proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
- }
- {% endfor %}
- {% endif %}
- #LOG log-prefix "ferm INPUT REJECT: " log-level warning;
- }
- chain OUTPUT {
- policy ACCEPT;
- # connection tracking
- #mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- {% if firewall_private is defined %}
- {% for fwconf in firewall_private %}
- {% if fwconf.users is defined %}
- # Private networks configuration
- mod owner uid-owner ({{ fwconf.users | join(' ') }}) outerface {{ fwconf.interface }} ACCEPT;
- outerface {{ fwconf.interface }} DROP;
- {% endif %}
- {% endfor %}
- {% endif %}
- #LOG log-prefix "ferm OUTPUT REJECT: " log-level warning;
- }
- chain FORWARD {
- policy DROP;
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- #LOG log-prefix "ferm FORWARD REJECT: " log-level warning;
- }
- }
- domain ip6 table filter {
- chain INPUT {
- policy DROP;
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- # allow local packet
- interface lo ACCEPT;
- # allow ICMP (for neighbor solicitation, like ARP for IPv4)
- proto ipv6-icmp ACCEPT;
- # standard ports we allow from the outside
- proto (udp tcp) dport $PORTS ACCEPT;
- #LOG log-prefix "ferm (ip6) INPUT REJECT: " log-level warning;
- }
- chain OUTPUT {
- policy ACCEPT;
- # connection tracking
- #mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- #LOG log-prefix "ferm (ip6) OUTPUT REJECT: " log-level warning;
- }
- chain FORWARD {
- policy DROP;
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- #LOG log-prefix "ferm (ip6) FOWARD REJECT: " log-level warning;
- }
- }