kolter
/
ansible-playbooks


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
							{% if ansible_prolog -%}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
#
#  Configuration file for ferm(1).
#

@def $PORTS = ({{ firewall_public | join(' ') }}); # Services running worldwide

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # standard ports we allow from the outside
        proto (udp tcp) dport $PORTS ACCEPT;
{% if firewall_private is defined %}
        # Private networks configuration
{% for fwconf in firewall_private %}
        interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} {
            proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
        }
{% endfor %}
{% endif %}
        #LOG log-prefix "ferm INPUT REJECT: " log-level warning;
    }

    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
{% if firewall_private is defined %}
{% for fwconf in firewall_private %}
{% if fwconf.users is defined %}

        # Private networks configuration
        mod owner uid-owner ({{ fwconf.users | join(' ') }}) outerface {{ fwconf.interface }} ACCEPT;
        outerface {{ fwconf.interface }} DROP;
{% endif %}
{% endfor %}
{% endif %}
        #LOG log-prefix "ferm OUTPUT REJECT: " log-level warning;
    }

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        #LOG log-prefix "ferm FORWARD REJECT: " log-level warning;
    }
}

domain ip6 table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # allow ICMP (for neighbor solicitation, like ARP for IPv4)
        proto ipv6-icmp ACCEPT;

        # standard ports we allow from the outside
        proto (udp tcp) dport $PORTS ACCEPT;

        #LOG log-prefix "ferm (ip6) INPUT REJECT: " log-level warning;
    }

    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        #LOG log-prefix "ferm (ip6) OUTPUT REJECT: " log-level warning;
    }

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        #LOG log-prefix "ferm (ip6) FOWARD REJECT: " log-level warning;
    }
}