ferm.conf.j2 2.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. #
  6. # Configuration file for ferm(1).
  7. #
  8. @def $PORTS = ({{ firewall_public | join(' ') }}); # Services running worldwide
  9. table filter {
  10. chain INPUT {
  11. policy DROP;
  12. # connection tracking
  13. mod state state INVALID DROP;
  14. mod state state (ESTABLISHED RELATED) ACCEPT;
  15. # allow local packet
  16. interface lo ACCEPT;
  17. # respond to ping
  18. proto icmp icmp-type echo-request ACCEPT;
  19. # standard ports we allow from the outside
  20. proto (udp tcp) dport $PORTS ACCEPT;
  21. {% if firewall_private is defined %}
  22. # Private networks configuration
  23. {% for fwconf in firewall_private %}
  24. interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} {
  25. proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
  26. }
  27. {% endfor %}
  28. {% endif %}
  29. }
  30. chain OUTPUT {
  31. policy ACCEPT;
  32. # connection tracking
  33. #mod state state INVALID DROP;
  34. mod state state (ESTABLISHED RELATED) ACCEPT;
  35. {% if firewall_private is defined %}
  36. {% for fwconf in firewall_private %}
  37. {% if fwconf.users is defined %}
  38. # Private networks configuration
  39. mod owner uid-owner ({{ fwconf.users | join(' ') }}) outerface {{ fwconf.interface }} ACCEPT;
  40. outerface {{ fwconf.interface }} DROP;
  41. {% endif %}
  42. {% endfor %}
  43. {% endif %}
  44. }
  45. chain FORWARD {
  46. policy DROP;
  47. # connection tracking
  48. mod state state INVALID DROP;
  49. mod state state (ESTABLISHED RELATED) ACCEPT;
  50. }
  51. }
  52. domain ip6 table filter {
  53. chain INPUT {
  54. policy DROP;
  55. # connection tracking
  56. mod state state INVALID DROP;
  57. mod state state (ESTABLISHED RELATED) ACCEPT;
  58. # allow local packet
  59. interface lo ACCEPT;
  60. # allow ICMP (for neighbor solicitation, like ARP for IPv4)
  61. proto ipv6-icmp ACCEPT;
  62. # standard ports we allow from the outside
  63. proto (udp tcp) dport $PORTS ACCEPT;
  64. }
  65. chain OUTPUT {
  66. policy ACCEPT;
  67. # connection tracking
  68. #mod state state INVALID DROP;
  69. mod state state (ESTABLISHED RELATED) ACCEPT;
  70. }
  71. chain FORWARD {
  72. policy DROP;
  73. # connection tracking
  74. mod state state INVALID DROP;
  75. mod state state (ESTABLISHED RELATED) ACCEPT;
  76. }
  77. }