
{% if ansible_prolog -%}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
#
# Configuration file for ferm(1).
#
# Rendered from an Ansible/Jinja2 template.  Variables consumed below:
#   firewall_public  - list of ports accepted on tcp and udp from any source,
#                      on both the IPv4 and the IPv6 INPUT chain
#   firewall_private - optional list of entries carrying: interface (required),
#                      networks (optional saddr list), ports (required in the
#                      INPUT block), users (optional uid list for OUTPUT)
# NOTE(review): every value is spliced into ferm syntax unquoted, so the lists
# are expected to come from trusted inventory, not from untrusted input.
# NOTE(review): an empty firewall_public renders as `dport ()`; confirm how
# ferm treats an empty list before relying on that.
@def $PORTS = ({{ firewall_public | join(' ') }}); # Services running worldwide

# ---- IPv4 -------------------------------------------------------------------
table filter {
    chain INPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # allow local packet
        interface lo ACCEPT;
        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;
        # standard ports we allow from the outside
        proto (udp tcp) dport $PORTS ACCEPT;
{% if firewall_private is defined %}
        # Private networks configuration
        # One sub-block per entry: the entry's ports are opened only on the named
        # interface, and only from fwconf.networks when that list is given;
        # without it any source arriving on that interface matches.
{% for fwconf in firewall_private %}
        interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} {
            proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
        }
{% endfor %}
{% endif %}
        #LOG log-prefix "ferm INPUT REJECT: " log-level warning;
    }
    chain OUTPUT {
        policy ACCEPT;
        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
{% if firewall_private is defined %}
{% for fwconf in firewall_private %}
{% if fwconf.users is defined %}
        # Private networks configuration
        # Only the listed uids may send out of this interface; anything else
        # locally generated towards it is dropped.  Packets of an
        # ESTABLISHED/RELATED connection were already accepted above, so the
        # DROP only reaches packets that are not part of a tracked connection.
        mod owner uid-owner ({{ fwconf.users | join(' ') }}) outerface {{ fwconf.interface }} ACCEPT;
        outerface {{ fwconf.interface }} DROP;
{% endif %}
{% endfor %}
{% endif %}
        #LOG log-prefix "ferm OUTPUT REJECT: " log-level warning;
    }
    chain FORWARD {
        # Host is not a router: nothing is forwarded except replies to
        # already tracked connections.
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        #LOG log-prefix "ferm FORWARD REJECT: " log-level warning;
    }
}

# ---- IPv6 -------------------------------------------------------------------
# NOTE(review): the firewall_private blocks above apply to the IPv4 table only;
# nothing here opens private ports or restricts OUTPUT by owner for IPv6 —
# confirm that is intended.
domain ip6 table filter {
    chain INPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # allow local packet
        interface lo ACCEPT;
        # allow ICMP (for neighbor solicitation, like ARP for IPv4)
        # (accepts every ICMPv6 type, not only neighbor discovery)
        proto ipv6-icmp ACCEPT;
        # standard ports we allow from the outside
        proto (udp tcp) dport $PORTS ACCEPT;
        #LOG log-prefix "ferm (ip6) INPUT REJECT: " log-level warning;
    }
    chain OUTPUT {
        policy ACCEPT;
        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        #LOG log-prefix "ferm (ip6) OUTPUT REJECT: " log-level warning;
    }
    chain FORWARD {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        #LOG log-prefix "ferm (ip6) FORWARD REJECT: " log-level warning;
    }
}