Add ipt-server role with firewall configuration and management

- Created handlers for reloading systemd and restarting firewall services. - Implemented tasks to ensure the existence of configuration directories and files. - Deployed host-specific and shared configuration files using templates. - Added scripts for managing IPv4 and IPv6 firewalls. - Configured systemd service units for ipt-firewall and ip6t-firewall. - Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00
parent 0158e3738f
commit 9798ca9cd6
24 changed files with 10019 additions and 0 deletions
@@ -0,0 +1,199 @@
+# ipt-server — Migrationsleitfaden
+
+Dieser Leitfaden beschreibt, wie ein bestehender Host vom alten Verfahren
+(manuell verwaltete `/etc/ipt-firewall/`-Dateien, ggf. `firewall`- oder
+`modify-ipt-server`-Rolle) auf die neue `ipt-server`-Ansible-Rolle umgestellt
+wird.
+
+---
+
+## Überblick
+
+Das alte Verfahren:
+- Firewall-Skripte und Conf-Dateien wurden manuell oder über die alte `firewall`-Rolle
+  (lineinfile/blockinfile) gepflegt.
+- Änderungen direkt in `/etc/ipt-firewall/` auf dem Host.
+
+Das neue Verfahren:
+- Alle Firewall-Einstellungen liegen in `host_vars/<hostname>/ipt_firewall.yml`.
+- Ansible deployt die Config-Dateien aus Jinja2-Templates.
+- Direktes Editieren auf dem Host ist nicht mehr vorgesehen.
+
+Die Migration ist **nicht-destruktiv**: Bestehende Config-Dateien werden erst
+dann überschrieben, wenn die Migration explizit freigegeben wird (`fw_manage_config: true`).
+
+---
+
+## Schritt 1 — Aktuelle Konfiguration auslesen
+
+Das Skript `extract-fw-host-vars.py` liest die vier Conf-Dateien vom Host via SSH,
+mappt alle Variablen auf die `fw_*`-Ansible-Variablen und schreibt eine fertige
+`host_vars`-Datei:
+
+```bash
+cd /path/to/ansible/oopen-server
+
+./extract-fw-host-vars.py <hostname> --sudo \
+  -o host_vars/<hostname>/ipt_firewall.yml
+```
+
+Das Skript fragt einmalig nach dem `sudo`-Passwort.
+
+**Ergebnis prüfen:**
+
+```bash
+cat host_vars/<hostname>/ipt_firewall.yml
+```
+
+Kontrollpunkte:
+- Sind `fw_ext_interfaces`, `fw_ext_ips_v4`, `fw_ext_ips_v6` korrekt?
+- Sind aktivierte Dienste (Mail, HTTP, VPN usw.) vorhanden?
+- Sind `munin_remote_ipv4` / `munin_remote_ipv6` eingetragen (falls Munin läuft)?
+
+Fehlende oder falsche Werte können direkt in der YAML-Datei korrigiert werden.
+Alle Variablen und ihre Bedeutung stehen in `defaults/main.yml`.
+
+---
+
+## Schritt 2 — Erste Ausrollung (Safety-Guard aktiv)
+
+Solange `fw_manage_config` nicht auf `true` gesetzt ist (Default: `false`),
+überschreibt Ansible **keine** bestehenden Config-Dateien. Es werden nur
+installiert:
+- Firewall-Skripte → `/usr/local/sbin/`
+- Geteilte Conf-Dateien → `/etc/ipt-firewall/`
+- Systemd-Units → `/etc/systemd/system/`
+
+```bash
+# Vorschau:
+ansible-playbook ipt-server.yml --limit <hostname> --check --diff
+
+# Ausrollen:
+ansible-playbook ipt-server.yml --limit <hostname>
+```
+
+Die Firewall wird dabei **nicht neu gestartet** — die bestehenden Config-Dateien
+bleiben unangetastet.
+
+---
+
+## Schritt 3 — Verifizieren: sind die Rules identisch?
+
+Dieser Schritt prüft, ob ein Neustart der Firewall mit den neuen Skripten und
+den bestehenden Config-Dateien exakt dieselben iptables-Rules erzeugt wie aktuell
+geladen.
+
+```bash
+ssh <hostname> '
+  # Aktuellen Stand einfrieren (Timestamps und Zähler normalisieren)
+  iptables-save  | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
+    > /tmp/fw_before_v4.rules
+  ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
+    > /tmp/fw_before_v6.rules
+
+  # Firewall neu starten
+  systemctl restart ipt-firewall
+  systemctl restart ip6t-firewall
+
+  # Neuen Stand einfrieren
+  iptables-save  | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
+    > /tmp/fw_after_v4.rules
+  ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
+    > /tmp/fw_after_v6.rules
+
+  # Vergleichen
+  echo "=== IPv4 diff ==="
+  diff /tmp/fw_before_v4.rules /tmp/fw_after_v4.rules
+  echo "=== IPv6 diff ==="
+  diff /tmp/fw_before_v6.rules /tmp/fw_after_v6.rules
+'
+```
+
+**Erwartetes Ergebnis:** Beide Diffs sind leer.
+
+Falls Unterschiede erscheinen: die abweichenden Rules identifizieren, die
+entsprechenden Variablen in `host_vars/<hostname>/ipt_firewall.yml` nachpflegen
+und den Diff wiederholen bevor weitergemacht wird.
+
+---
+
+## Schritt 4 — Ansible als autoritative Quelle freischalten
+
+Erst wenn Schritt 3 erfolgreich war (leere Diffs), wird die Migration abgeschlossen.
+Dazu `fw_manage_config: true` in der host_vars-Datei setzen:
+
+```yaml
+# host_vars/<hostname>/ipt_firewall.yml
+---
+fw_manage_config: true   # ← hinzufügen / auf true setzen
+
+fw_ext_interfaces:
+  - "eth0"
+# ...
+```
+
+Dann erneut ausrollen:
+
+```bash
+# Vorschau — zeigt jetzt auch die Config-Dateien im Diff:
+ansible-playbook ipt-server.yml --limit <hostname> --check --diff
+
+# Anwenden:
+ansible-playbook ipt-server.yml --limit <hostname>
+```
+
+Ab jetzt:
+- Ansible überschreibt die vier Config-Dateien bei jedem Run aus den Templates.
+- Bei Änderungen an Templates oder host_vars wird die Firewall automatisch
+  neu gestartet.
+- Direktes Editieren von `/etc/ipt-firewall/interfaces_*.conf` oder `main_*.conf`
+  auf dem Host wird beim nächsten Ansible-Run überschrieben.
+
+---
+
+## Schritt 5 — Altes System deaktivieren
+
+### Altes Ansible-Vorgehen abschalten
+
+Sicherstellen, dass der Host nicht mehr durch die alte `firewall`-Rolle oder
+`modify-ipt-server`-Rolle verwaltet wird. Falls der Host in einem Playbook
+eingetragen ist, das diese Rollen verwendet, den Host dort entfernen oder das
+Playbook anpassen.
+
+### Altes git-Repository auf dem Host entfernen (optional)
+
+Das Repository `/usr/local/src/ipt-server` wird von der neuen Rolle nicht mehr
+benötigt. Es kann entfernt werden:
+
+```bash
+ssh <hostname> 'rm -rf /usr/local/src/ipt-server'
+```
+
+Vorher prüfen, ob das Verzeichnis noch anderweitig verwendet wird.
+
+### Sicherstellen, dass niemand mehr direkt editiert
+
+Da `fw_manage_config: true` gesetzt ist, werden direkte Änderungen in
+`/etc/ipt-firewall/` beim nächsten Ansible-Run überschrieben. Als zusätzliche
+Absicherung kann eine kurze Warnung oben in die Config-Dateien geschrieben
+werden — das erledigt Ansible automatisch über den `{{ ansible_managed }}`-Kommentar
+am Anfang jedes generierten Templates:
+
+```bash
+# Ansible managed
+# DO NOT EDIT - changes will be overwritten on the next Ansible run.
+# Edit host_vars/<hostname>/ipt_firewall.yml instead.
+```
+
+---
+
+## Zusammenfassung
+
+| Schritt | Befehl / Aktion | Wann |
+|---|---|---|
+| 1 | `extract-fw-host-vars.py` ausführen | Einmalig pro Host |
+| 2 | `ansible-playbook ... --check --diff` + ausrollen | Einmalig pro Host |
+| 3 | iptables-Rules vergleichen (vor/nach Restart) | Einmalig pro Host |
+| 4 | `fw_manage_config: true` setzen + ausrollen | Einmalig pro Host |
+| 5 | Alte Rolle deaktivieren, git-Repo auf Host entfernen | Einmalig pro Host |
+| — | Änderungen: host_vars editieren + `ansible-playbook` | Ab jetzt immer so |
@@ -0,0 +1,204 @@
+# ipt-server — Ansible Role
+
+Verwaltet die iptables/ip6tables-basierte Firewall (`ipt-firewall-server` /
+`ip6t-firewall-server`) auf Debian-Hosts.
+
+Die Rolle ist die **einzige** autorisierte Stelle für Firewall-Änderungen. Direkte
+Edits in `/etc/ipt-firewall/` auf dem Host werden beim nächsten Ansible-Run
+überschrieben, sobald `fw_manage_config: true` gesetzt ist.
+
+---
+
+## Verzeichnisstruktur
+
+```
+roles/ipt-server/
+├── defaults/main.yml          # Alle Variablen mit Defaults
+├── files/
+│   ├── etc/ipt-firewall/      # Geteilte Conf-Dateien (nicht host-spezifisch)
+│   │   ├── default_settings.conf
+│   │   ├── include_functions.conf
+│   │   ├── logging_ipv4.conf
+│   │   ├── logging_ipv6.conf
+│   │   ├── post_declarations.conf
+│   │   ├── ban_ipv4.list.sample
+│   │   └── ban_ipv6.list.sample
+│   ├── etc/systemd/system/
+│   │   ├── ipt-firewall.service
+│   │   └── ip6t-firewall.service
+│   └── usr/local/sbin/
+│       ├── ipt-firewall-server    # IPv4-Firewall-Skript
+│       └── ip6t-firewall-server   # IPv6-Firewall-Skript
+├── handlers/main.yml
+├── tasks/main.yml
+└── templates/
+    └── etc/ipt-firewall/
+        ├── interfaces_ipv4.conf.j2   # Host-spezifisch: Interfaces + IPs
+        ├── interfaces_ipv6.conf.j2
+        ├── main_ipv4.conf.j2         # Host-spezifisch: Dienste, Regeln
+        └── main_ipv6.conf.j2
+```
+
+Host-spezifische Konfiguration liegt ausschließlich in:
+
+```
+host_vars/<hostname>/ipt_firewall.yml
+```
+
+---
+
+## Neuen Host aufnehmen
+
+### Voraussetzungen
+
+- Host ist im Ansible-Inventory (`hosts`) eingetragen.
+- SSH-Zugang mit `sudo`-Rechten ist vorhanden.
+- `git` ist auf dem Host installiert (wird für keinen anderen Zweck gebraucht —
+  die Rolle selbst benötigt kein git auf dem Host).
+
+### Schritt 1 — host_vars anlegen
+
+```bash
+cd /path/to/ansible/oopen-server
+
+# Interfaces und IPs von Hand in die Datei eintragen:
+mkdir -p host_vars/<hostname>
+cat > host_vars/<hostname>/ipt_firewall.yml << 'EOF'
+---
+fw_manage_config: true
+
+# --- Netzwerk
+fw_ext_interfaces:
+  - "eth0"
+fw_ext_ips_v4:
+  - "1.2.3.4"
+fw_ext_ips_v6:
+  - "2001:db8::1"
+EOF
+```
+
+Alle weiteren Variablen sind optional — sie greifen auf die Defaults in
+`defaults/main.yml` zurück. Nur abweichende Werte müssen gesetzt werden.
+
+Für eine vollständige Variablenreferenz: `defaults/main.yml`.
+
+### Schritt 2 — Dry-run
+
+```bash
+ansible-playbook ipt-server.yml --limit <hostname> --check --diff
+```
+
+Der Diff zeigt genau, welche Dateien angelegt und welche Config-Werte gesetzt
+werden. Prüfen, ob Interfaces, IPs und Dienste stimmen.
+
+### Schritt 3 — Scharf stellen
+
+```bash
+ansible-playbook ipt-server.yml --limit <hostname>
+```
+
+Was passiert:
+- Firewall-Skripte werden nach `/usr/local/sbin/` kopiert.
+- Geteilte Conf-Dateien werden nach `/etc/ipt-firewall/` kopiert.
+- Systemd-Units werden installiert, Dienste werden aktiviert und gestartet.
+- Config-Dateien (`interfaces_*.conf`, `main_*.conf`) werden aus den Templates
+  erzeugt und die Firewall wird gestartet.
+
+---
+
+## Konfiguration ändern
+
+Alle Änderungen erfolgen ausschließlich in der host_vars-Datei des Hosts:
+
+```
+host_vars/<hostname>/ipt_firewall.yml
+```
+
+Danach:
+
+```bash
+# Vorschau:
+ansible-playbook ipt-server.yml --limit <hostname> --check --diff
+
+# Anwenden (ändert Config, startet Firewall bei Änderungen neu):
+ansible-playbook ipt-server.yml --limit <hostname>
+```
+
+Ansible erkennt automatisch, ob sich eine Config-Datei geändert hat. Nur bei
+tatsächlichen Änderungen wird die Firewall neu gestartet.
+
+### Beispiel: HTTP-Server aktivieren
+
+```yaml
+# host_vars/<hostname>/ipt_firewall.yml
+fw_http_server_ips: "$ext_ips"   # oder konkrete IP
+```
+
+### Beispiel: SSH auf bestimmten Port einschränken
+
+```yaml
+fw_ssh_ports: "2222"
+```
+
+### Beispiel: LXC-Gäste eintragen
+
+```yaml
+fw_lxc_guest_ips_v4:
+  - "10.0.3.10"
+  - "10.0.3.11"
+fw_lxc_guest_ips_v6:
+  - "fd00::10"
+  - "fd00::11"
+```
+
+---
+
+## Firewall-Skripte aktualisieren
+
+Wenn `ipt-firewall-server` oder `ip6t-firewall-server` im `ipt-server`-Repository
+aktualisiert werden, müssen die neuen Versionen manuell in die Rolle übernommen
+werden:
+
+```bash
+SRC=/path/to/ipt-server
+DST=roles/ipt-server/files/usr/local/sbin
+
+cp $SRC/ipt-firewall-server  $DST/
+cp $SRC/ip6t-firewall-server $DST/
+chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server
+```
+
+Ebenso für geteilte Conf-Dateien in `roles/ipt-server/files/etc/ipt-firewall/`.
+
+Nach dem Commit werden die neuen Skripte beim nächsten Ansible-Run auf alle
+Hosts deployed.
+
+---
+
+## Wichtige Variablen
+
+| Variable | Default | Bedeutung |
+|---|---|---|
+| `fw_manage_config` | `false` | `true` = Ansible verwaltet Config-Dateien vollständig |
+| `fw_ext_interfaces` | `[]` | Externe Netzwerk-Interfaces, z.B. `["eth0"]` |
+| `fw_ext_ips_v4` | `[]` | Externe IPv4-Adressen |
+| `fw_ext_ips_v6` | `[]` | Externe IPv6-Adressen |
+| `fw_ssh_server_ips` | `"$ext_ips"` | IPs auf denen SSH erlaubt ist |
+| `fw_ssh_ports` | `"$standard_ssh_port"` | SSH-Port(s) |
+| `fw_http_server_ips` | `""` | IPs auf denen HTTP/HTTPS erlaubt ist |
+| `munin_remote_ipv4` | `""` | Munin-Server IPv4 |
+| `munin_remote_ipv6` | `""` | Munin-Server IPv6 |
+
+Alle Variablen mit Beschreibung und Defaults: `defaults/main.yml`.
+
+Variablen die mit `$` beginnen (z.B. `$ext_ips`, `$standard_ssh_port`) sind
+Bash-Variablen — sie werden nicht von Ansible aufgelöst, sondern zur Laufzeit
+vom Firewall-Skript expandiert.
+
+---
+
+## Ban-Listen
+
+`/etc/ipt-firewall/ban_ipv4.list` und `ban_ipv6.list` werden beim ersten
+Ausrollen aus den Beispiel-Dateien der Rolle erzeugt und danach **nicht mehr
+durch Ansible angefasst** — sie können auf dem Host direkt bearbeitet werden.
@@ -0,0 +1,376 @@
+---
+
+# ---
+# ipt-firewall role defaults
+# Override per host in host_vars/<hostname>/ipt_firewall.yml
+# ---
+
+
+# ---
+# Config management mode.
+# false (default): config files are only deployed when absent (safe for unmanaged hosts).
+# true: Ansible is authoritative — config is always written from templates and
+#       the firewall is restarted on any change. Set this after migrating a host.
+# ---
+
+fw_manage_config: false
+
+
+# ---
+# Network interfaces and addresses  (set per host in host_vars)
+# ---
+
+fw_ext_interfaces: []       # e.g. ["eth0"]
+fw_ext_ips_v4: []           # e.g. ["83.223.86.98"]
+fw_ext_ips_v6: []           # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
+fw_local_interfaces: []
+fw_local_ips_v4: []
+fw_local_ips_v6: []
+fw_vpn_ifs: "tun+"
+fw_wg_ifs: "wg+"
+fw_lxc_guest_ips_v4: []
+fw_lxc_guest_ips_v6: []
+fw_nat_devices: ""
+
+
+# ---
+# Munin monitoring  (often set in group_vars or role defaults)
+# ---
+
+munin_remote_ipv4: ""
+munin_remote_ipv6: ""
+
+
+# ---
+# Bridged / LXC traffic
+# ---
+
+fw_do_not_firewall_bridged_traffic: false
+fw_do_not_firewall_lx_guest_systems: false
+
+
+# ---
+# Drop policies
+# ---
+
+fw_drop_icmp: false
+fw_drop_mndp: true
+fw_drop_mdns: true
+
+
+# ---
+# Outgoing / interface policy
+# ---
+
+fw_allow_all_outgoing_traffic: false
+fw_blocked_ifs: ""
+fw_unprotected_ifs: ""
+
+
+# ---
+# Forwarding (protocol-specific addresses)
+# ---
+
+fw_forward_private_ips_v4: ""
+fw_forward_private_ips_v6: ""
+
+
+# ---
+# Access control  (protocol-specific: IPv4 uses ':', IPv6 uses ',')
+# ---
+
+fw_restrict_local_service_to_net_v4: ""
+fw_restrict_local_service_to_net_v6: ""
+fw_restrict_local_net_to_net_v4: ""
+fw_restrict_local_net_to_net_v6: ""
+fw_allow_ext_service_v4: ""
+fw_allow_ext_service_v6: ""
+fw_allow_ext_net_v4: ""
+fw_allow_ext_net_v6: ""
+fw_allow_local_service_v4: ""
+fw_allow_local_service_v6: ""
+fw_allow_local_service_from_networks_v4: ""
+fw_allow_local_service_from_networks_v6: ""
+
+
+# ---
+# Services: VPN / WireGuard
+# ---
+
+fw_vpn_server_ips: ""
+fw_forward_vpn_server_ips: ""
+fw_vpn_ports: "$standard_vpn_port"
+fw_wireguard_server_ips: ""
+fw_forward_wireguard_server_ips: ""
+fw_wireguard_server_ports: "$standard_wireguard_port"
+fw_wireguard_out_ports: "$standard_wireguard_port"
+
+
+# ---
+# Services: NTP
+# ---
+
+fw_local_ntp_service: false
+fw_ntp_port: "$standard_ntp_port"
+fw_ntp_allowed_net: ""
+
+
+# ---
+# Services: DHCP (IPv4 only)
+# ---
+
+fw_dhcp_server_ifs: ""
+fw_dhcp_client_ifs: ""
+
+
+# ---
+# Services: DNS
+# ---
+
+fw_dns_server_ips: ""
+fw_forward_dns_server_ips: ""
+fw_local_resolver_service: false
+fw_resolver_port: "$standard_dns_port"
+fw_resolver_allowed_networks_v4: ""
+fw_resolver_allowed_networks_v6: ""
+
+
+# ---
+# Services: SSH
+# Uses $ext_ips by default so SSH is always reachable via all external IPs.
+# Override in host_vars to restrict to specific IPs.
+# ---
+
+fw_ssh_server_ips: "$ext_ips"
+fw_forward_ssh_server_ips: ""
+fw_ssh_ports: "$standard_ssh_port"
+
+
+# ---
+# Services: HTTP(S)
+# ---
+
+fw_http_server_ips: ""
+fw_forward_http_server_ips: ""
+fw_http_ports: "$standard_http_ports"
+fw_log_cgi_traffic_out: false
+fw_cgi_script_users: ""
+
+
+# ---
+# Services: Mattermost
+# ---
+
+fw_mm_server_ips: ""
+fw_forward_mm_server_ips: ""
+fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
+fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"
+
+
+# ---
+# Services: Mail
+# ---
+
+fw_smtpd_ips: ""
+fw_forward_smtpd_ips: ""
+fw_smtpd_additional_listen_ports: ""
+fw_smtpd_additional_outgoing_ports: ""
+fw_mail_server_ips: ""
+fw_forward_mail_server_ips: ""
+fw_mail_user_ports: "$standard_mailuser_ports"
+fw_mail_client_ips: ""
+fw_forward_mail_client_ips: ""
+fw_dovecot_auth_service: false
+fw_dovecot_auth_port: "$dovecot_external_auth_port"
+fw_dovecot_auth_allowed_networks_v4: ""
+fw_dovecot_auth_allowed_networks_v6: ""
+
+
+# ---
+# Services: FTP
+# ---
+
+fw_ftp_server_ips: ""
+fw_forward_ftp_server_ips: ""
+fw_ftp_passive_port_range: "50000:50400"
+
+
+# ---
+# Services: XMPP (Jabber / Prosody)
+# ---
+
+fw_xmpp_server_ips: ""
+fw_forward_xmpp_server_ips: ""
+fw_xmmp_tcp_in_ports: "5222 5223 5269"
+fw_xmmp_tcp_out_ports: "5269"
+fw_xmmp_remote_out_services_v4: ""
+fw_xmmp_remote_out_services_v6: ""
+
+
+# ---
+# Services: Mumble
+# ---
+
+fw_mumble_server_ips: ""
+fw_forward_mumble_server_ips: ""
+fw_mumble_ports: "$standard_mumble_port"
+
+
+# ---
+# Services: Jitsi / Jibri
+# ---
+
+fw_jitsi_server_ips: ""
+fw_forward_jitsi_server_ips: ""
+fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
+fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
+fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
+fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
+fw_jitsi_dovecot_auth: false
+fw_jitsi_dovecot_host: ""
+fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
+fw_jitsi_jibri_remote_auth: false
+fw_jitsi_jibri_remote_ips: ""
+fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
+fw_jibri_server_ips: ""
+fw_forward_jibri_server_ips: ""
+fw_jibri_remote_jitsi_server: ""
+fw_jibri_remote_auth_port: "$default_jibri_out_port"
+
+
+# ---
+# Services: TURN / STUN (Nextcloud Talk)
+# ---
+
+fw_nc_turn_server_ips: ""
+fw_forward_nc_turn_server_ips: ""
+fw_nc_turn_ports: "$standard_turn_service_ports"
+fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"
+
+
+# ---
+# Services: TFTP
+# ---
+
+fw_tftp_server_ips: ""
+
+
+# ---
+# Services: Prometheus
+# ---
+
+fw_prometheus_local_server_ips: ""
+fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
+fw_prometheus_local_client_ips: ""
+fw_prometheus_local_client_ports: "$standard_prometheus_ports"
+fw_prometheus_remote_server_ips: ""
+
+
+# ---
+# Services: Munin
+# ---
+
+fw_munin_server_ips: ""
+fw_forward_munin_server_ips: ""
+fw_munin_remote_port: "$standard_munin_port"
+fw_munin_local_port: "4949"
+
+
+# ---
+# Services: Xymon
+# ---
+
+fw_xymon_server_ips: ""
+fw_local_xymon_client: false
+fw_xymon_port: "$standard_xymon_port"
+
+
+# ---
+# Protocols out: Rsync
+# ---
+
+fw_rsync_out_ips: ""
+fw_forward_rsync_out_ips: ""
+fw_rsync_ports: "873"
+
+
+# ---
+# Special ports (OUT)
+# ---
+
+fw_tcp_out_ports: ""
+fw_forward_tcp_out_ports: ""
+fw_udp_out_ports: ""
+fw_forward_udp_out_ports: ""
+
+
+# ---
+# Portforwarding (protocol-specific formats)
+# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
+# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
+# ---
+
+fw_portforward_tcp_v4: ""
+fw_portforward_udp_v4: ""
+fw_portforward_tcp_v6: ""
+fw_portforward_udp_v6: ""
+
+
+# ---
+# Blocked IPs / ports
+# ---
+
+fw_blocked_ips: ""
+fw_block_tcp_ports: "111 113 135 137:139 445"
+fw_block_udp_ports: "111 137:139"
+
+
+# ---
+# Special / counters
+# ---
+
+fw_create_traffic_counter: true
+fw_create_iperf_rules: true
+
+
+# ---
+# Protection
+# ---
+
+fw_protection_against_syn_flooding: true
+fw_protection_against_port_scanning: true
+fw_protection_against_ssh_brute_force_attacks: true
+
+
+# ---
+# Connection limits
+# ---
+
+fw_limit_connections_per_source_IP: true
+fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
+fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
+fw_limit_new_tcp_connections_per_seconds_ports: ""
+
+
+# ---
+# Kernel parameters — IPv4
+# ---
+
+fw_kernel_activate_forwarding: false
+fw_kernel_support_dynaddr: false
+fw_dynaddr_flag: "5"
+fw_kernel_reduce_timeouts: true
+fw_kernel_tcp_syncookies: true
+fw_kernel_protect_against_icmp_bogus_messages: true
+fw_kernel_ignore_broadcast_ping: true
+fw_kernel_deactivate_source_route: true
+fw_kernel_dont_accept_redirects: true
+fw_kernel_activate_rp_filter: true
+fw_kernel_log_martians: false
+
+
+# ---
+# Kernel parameters — IPv6
+# ---
+
+fw_kernel_forward_between_interfaces: false
@@ -0,0 +1,36 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# -    partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# -    network/nn CIDR notation like 1.2.3.0/27
+# -    network/netmask notaions like 1.2.3.0/255.255.255.0
+# -    network/partial_netmask  like 1.2.3.4/255
+# -
+# - Note: 
+# -    - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# -    79.171.81.0/24
+# -    79.171.81.0/255.255.255.0
+# -    79.171.81.0/255.255.255
+# -    79.171.81
+
+# CHINANET-JS
+222.184.0.0/13 
+61.160.0.0/16
+
+# CHINANET-GX
+116.8.0.0/14
+
+# BAIDU-HK - Hong Kong
+103.235.44.0/22
+# UNICOM-HE - China Unicom Hebei province network
+110.240.0.0/12
+# CMNET - China Mobile Communications Corporation
+39.128.0.0/10
+
@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# -    network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note: 
+# -    - If no mask is given mask will be set to '64'
+# -    - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# -    240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# -    2a01:30:0:13:5054:ff::1
+# -    2a01:30:0:13:5054:ff::1/56
+
@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Default Parameter / Options
+# -------------
+
+default_per_IP_connection_limit=111
+
+
+# -------------
+# --- Default Ports for Services out
+# -------------
+
+standard_checkmk_port=6556
+standard_cpan_wait_port=1404
+standard_dns_port=53
+standard_ftp_port=21
+standard_ftp_data_port=20
+standard_git_port=9418
+standard_hbci_port=3000
+standard_http_port=80
+standard_https_port=443
+standard_ident_port=113
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_ldap_port=389
+standard_ldaps_port=636
+standard_mdns_port=5353
+standard_mndp_port=5678
+standard_mumble_port=64738
+standard_munin_port=4949
+standard_mysql_port=3306
+standard_ntp_port=123
+standard_pgp_keyserver_port=11371
+standard_print_port=9100
+standard_print_raw_port=515
+standard_remote_console_port=5900
+standard_silc_port=706
+standard_smtp_port=25
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_ssh_port=22
+standard_telnet_port=23
+standard_tftp_udp_port=69
+standard_timeserver_port=37
+standard_vpn_port=1194
+standard_wireguard_port=51820
+standard_whois_port=43
+standard_xymon_port=1984
+
+# - Prometheus services
+# -
+standard_prometheus_ports="9100,9256"
+
+# - Mattermost (MM) Service
+# -
+stansard_mattermost_udp_ports_in="8443"
+stansard_mattermost_udp_ports_out="3478"
+
+# - IPsec - Internet Security Association and
+# -  Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+
+# - Dovecot Service
+# -
+dovecot_external_auth_port="44444"
+
+# - Jitsi Video Conference Service
+# -
+standard_jitsi_tcp_ports="$standard_http_ports"
+standard_jitsi_udp_port_range="10000:20000"
+default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
+
+# - Jibri Service
+# -
+default_jibri_out_port=5222
+# default_outbound_streaming_tcp_ports
+#
+#    - outbound port 1935/TCP : outbound streaming over RTMP to most 
+#      streaming providers such as YouTube Live, Vimeo or Twitch
+#
+#    - outbound port 1936/TCP  : outbound streaming over RTMP to LinkedIn 
+#      Live (port 1935 is also used for RTMP streaming to LinkedIn)
+#
+#    - outbound ports 2935/TCP and 2396/TCP : outbound streaming over 
+#      RTMPS to LinkedIn Live
+#
+#    - outbound port 443/TCP (HTTPS) : used for authentication with the 
+#      built-in providers such as YouTube Live, Facebook Live, Ustream, 
+#      Livestream, and Twitch
+#
+#    - outbound port 53/UDP (DNS) used for DNS lookups converting 
+#      hostnames to IP addresses
+#
+default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
+
+
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# -
+standard_turn_service_ports="3478:3479,5349:5350"
+standard_turn_service_udp_ports="49152:65535"
+
+
+# -------------
+# --- Predefined Ports
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+link_local_rfc_5735="169.254.0.0/16"
+
+test_net_1_rfc_5735="192.0.2.0/24"
+this_net_rfc_5735="0.0.0.0/8"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/3"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+link_local_unicast_block="fe80::/10"
+multicast_ipv6="ff00::/8"
+
+# - Loopback
+loopback_ipv6="::1/128"
+
@@ -0,0 +1,268 @@
+#!/usr/bin/env bash
+
+# - Set firewall command (either iptables or ip6tables)
+#
+if [[ -x "${ip6t}" ]] ; then
+   fw_command="${ip6t}"
+elif [[ -x "${ipt}" ]] ; then
+   fw_command="${ipt}"
+fi 
+
+# -------------
+# --- Some functions
+# -------------
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+   echo ""
+   echo -e "fatal Error: $*"
+   echo ""
+   echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   echo ""
+}
+
+warn (){
+   echo ""
+   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   echo ""
+}
+
+info (){
+   echo ""
+   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+
+is_number() {
+
+   return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
+
+   # - also possible
+   # -
+   #[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
+   #return $([[ ! -z "${1##*[!0-9]*}" ]])
+}
+
+trim() {
+    local var="$*"
+    var="${var#"${var%%[![:space:]]*}"}"   # remove leading whitespace characters
+    var="${var%"${var##*[![:space:]]}"}"   # remove trailing whitespace characters
+    echo -n "$var"
+}
+
+
+is_container() {
+  command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
+}
+
+
+# -------------
+# - IPv6 handling
+# -------------
+
+ENABLE_IPV6="auto"   # auto | yes | no
+IPV6_ACTIVE=0
+
+ipv6_sysctl_enabled() {
+  sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
+}
+
+has_ipv6_addr() {
+  ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
+}
+
+detect_ipv6() {
+  case "$ENABLE_IPV6" in
+    yes)  return 0 ;;
+    no)   return 1 ;;
+    auto) ipv6_sysctl_enabled ;;
+    *)    return 1 ;;
+  esac
+}
+
+
+# -------------
+# - Network Device Stuff
+# -------------
+
+# get virtual ethernet interfaces and the master of the given bridge
+#
+get_vth_ports() {
+  local br="$1"
+  # lists virtual interfaces (veth*)) and the master interface of the given bridge
+  ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
+}
+
+# -------------
+# - Fail2ban
+# -------------
+
+FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
+FAIL2BAN_WAS_RUNNING=false
+fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
+has_fail2ban() {
+   command -v fail2ban-client >/dev/null 2>&1
+}
+
+fail2ban_running() {
+   systemctl is-active --quiet fail2ban >/dev/null 2>&1
+}
+
+# -------------
+# - Debian 12/13 compatibility helpers (best effort)
+# -------------
+ensure_mod() {
+
+   # ---
+   # Load a kernel module if possible (no hard failure).
+   # NOTE: In containers module loading is not possible; modules must be loaded on the host.
+   # ---
+
+   local m="$1"
+
+   # Already loaded?
+   if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
+      return 0
+   fi
+
+   # Skip in containers/guests without module loading capability
+   #
+   is_container && return 0
+
+   # Best effort modprobe
+   /sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
+}
+
+# --- Feature detection helpers (Debian 12/13 + containers)
+module_loaded() {
+   lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
+}
+
+can_use_recent() {
+   # xt_recent is the kernel module behind "-m recent"
+   # In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
+   module_loaded xt_recent && return 0
+   [ -d /proc/net/xt_recent ] && return 0
+   # As a last resort, ask iptables to parse the match (works if userspace has it)
+   "$ipt" -m recent -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_hashlimit() {
+   # xt_hashlimit is the kernel module behind "-m hashlimit"
+   module_loaded xt_hashlimit && return 0
+   [ -d /proc/net/xt_hashlimit ] && return 0
+   "${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_connlimit() {
+   # xt_connlimit is the kernel module behind "-m connlimit"
+   module_loaded xt_connlimit && return 0
+   "${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_owner() {
+   # xt_owner is the kernel module behind "-m owner"
+   module_loaded xt_owner && return 0
+   "${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_ct_target() {
+   # Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
+   "${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_helper_match() {
+   # Check if helper match exists
+   "${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
+   return 1
+}
+
+can_use_nft() {
+   command -v nft >/dev/null 2>&1 && return 0
+   return 1
+}
+
+setup_ftp_conntrack_helper_output() {
+   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+   if can_use_ct_target ; then
+      "${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+      return 0
+   fi
+
+   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
+   if can_use_nft ; then
+      # Best-effort; may fail in containers without CAP_NET_ADMIN
+      nft add table ip fwhelper >/dev/null 2>&1 || true
+      nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
+      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+      nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+   fi
+
+   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
+   return 1
+}
+
+setup_ftp_conntrack_helper_prerouting() {
+   # Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+   if can_use_ct_target ; then
+      "$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+      return 0
+   fi
+
+   # nft fallback (nft-native helper assignment); keeps us "nft-ready"
+   if can_use_nft ; then
+      nft add table ip fwhelper >/dev/null 2>&1 || true
+      nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
+      nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+      nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+   fi
+
+   warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
+   return 1
+}
+
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then 
+   tag_log_prefix="--nflog-prefix"
+   LOG_TARGET="NFLOG --nflog-group 11"
+else 
+   # - Log using the specified syslog level. 7 (debug) is a good choice 
+   # - unless you specifically need something else. 
+   # -
+   log_level=debug
+   LOG_TARGET="LOG --log-level $log_level"
+   tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_port_scanning=false
+log_ssh_brute_force=false
+log_fragments=false
+log_mdns=false
+log_mndp=false
+log_new_not_sync=false
+log_syn_with_suspicious_mss=false
+log_invalid_packets=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_private_network_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_forwarding_priv_ip=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_blocked_ip=false
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv4 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then 
+   tag_log_prefix="--nflog-prefix"
+   LOG_TARGET="NFLOG --nflog-group 12"
+else 
+   # - Log using the specified syslog level. 7 (debug) is a good choice 
+   # - unless you specifically need something else. 
+   # -
+   log_level=debug
+   LOG_TARGET="LOG --log-level $log_level"
+   tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_port_scanning=false
+log_ssh_brute_force=false
+log_fragments=false
+log_mdns=false
+log_mndp=false
+log_new_not_sync=false
+log_syn_with_suspicious_mss=false
+log_invalid_packets=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_private_network_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_forwarding_priv_ip=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_blocked_ip=false
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv6 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""
+
@@ -0,0 +1,621 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# NAT (Masquerade) Network interfaces
+# ---
+
+declare -a nat_device_arr=()
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+
+# ---
+# IP Addresses LX Guest System
+# ---
+
+declare -a lxc_guest_ip_arr=()
+for _ip in $lxc_guest_ips ; do
+   lxc_guest_ip_arr+=("$_ip")
+done
+
+
+# ---
+# local Interfaces
+# ---
+
+declare -a local_ip_arr=()
+for _ip in $local_ips ; do
+   local_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - LOG CGI script Traffic out
+# ---
+declare -a cgi_script_user_arr=()
+for _user in $cgi_script_users ; do
+   cgi_script_user_arr+=($_user)
+done
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+   host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+   ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - WireGuard Interfaces
+# ---
+declare -a wg_if_arr
+for _dev in $wg_ifs ; do
+   wg_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+   restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+   restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service 
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+   allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+   allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services 
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+   allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow (non-standard) local Services from specified network
+# ---
+declare -a allow_local_service_from_network_arr
+for _service in $allow_local_service_from_networks ; do
+   allow_local_service_from_network_arr+=("$_service")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_server_if_arr
+for _dev in $dhcp_server_ifs ; do
+   dhcp_server_if_arr+=($_dev)
+done
+declare -a dhcp_client_if_arr
+for _dev in $dhcp_client_ifs ; do
+   dhcp_client_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+   forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Netwoks allowed access to local DNS Resolver
+# ---
+declare -a resolver_allowed_network_arr
+for _net in $resolver_allowed_networks ; do
+   resolver_allowed_network_arr+=("$_net")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+   vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+   forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses WireGuard Service
+# ---
+# local
+declare -a wireguard_server_ip_arr
+for _ip in $wireguard_server_ips ; do
+   wireguard_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_wireguard_server_ip_arr
+for _ip in $forward_wireguard_server_ips ; do
+   forward_wireguard_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+   ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+   forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+   http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+   forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses MatterMost Service
+# ---
+# local
+declare -a mm_server_ip_arr
+for _ip in $mm_server_ips ; do
+   mm_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mm_server_ip_arr
+for _ip in $forward_mm_server_ips ; do
+   forward_mm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+   ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+   forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+   smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+   forward_smtpd_ip_arr+=("$_ip")
+done
+
+
+# ---
+# Additional SMTP Listen Ports
+# ---
+declare -a smtpd_additional_listen_port_arr
+for _port in $smtpd_additional_listen_ports ; do
+   smtpd_additional_listen_port_arr+=("$_port")
+done
+
+
+# ---
+# Additional SMTP Outgoing Ports
+# ---
+declare -a smtpd_additional_outgoung_port_arr
+for _port in $smtpd_additional_outgoung_ports ; do
+   smtpd_additional_outgoung_port_arr+=("$_port")
+done
+
+
+
+# ---
+# - IP Addresses XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmpp_server_ip_arr
+for _ip in $xmpp_server_ips ; do
+   xmpp_server_ip_arr+=("$_ip")
+done
+
+declare -a forward_xmpp_server_ip_arr
+for _ip in $forward_xmpp_server_ips ; do
+   forward_xmpp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - XMPP Remote Dovecote Out Service
+# ---
+declare -a xmmp_remote_out_service_arr
+for _val in $xmmp_remote_out_services ; do
+   xmmp_remote_out_service_arr+=("$_val")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+   mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+   forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+   mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+   forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - (local) Dovecot auth service
+# ---
+declare -a dovecot_auth_allowed_network_arr
+for _ip in $dovecot_auth_allowed_networks ; do
+   dovecot_auth_allowed_network_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+   mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+   forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jitsi Video Conferencing Server
+# ---
+declare -a jitsi_server_ip_arr
+for _ip in $jitsi_server_ips ; do
+   jitsi_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jitsi_server_ip_arr
+for _ip in $forward_jitsi_server_ips ; do
+   forward_jitsi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Remote Jibri Server
+# ---
+declare -a jitsi_jibri_remote_ip_arr
+for _ip in $jitsi_jibri_remote_ips ; do
+   jitsi_jibri_remote_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jibri Recording / Streaming Server
+# ---
+declare -a jibri_server_ip_arr
+for _ip in $jibri_server_ips ; do
+   jibri_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jibri_server_ip_arr
+for _ip in $forward_jibri_server_ips ; do
+   forward_jibri_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+# local
+declare -a nc_turn_server_ip_arr
+for _ip in $nc_turn_server_ips ; do
+   nc_turn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_nc_turn_server_ip_arr
+for _ip in $forward_nc_turn_server_ips ; do
+   forward_nc_turn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+   tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+declare -a prometheus_local_server_ip_arr
+for _ip in $prometheus_local_server_ips ; do
+   prometheus_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Client
+# ---
+declare -a prometheus_local_client_ip_arr
+for _ip in $prometheus_local_client_ips; do
+   prometheus_local_client_ip_arr+=("$_ip")
+done
+declare -a prometheus_remote_server_ip_arr
+for _ip in $prometheus_remote_server_ips ; do
+   prometheus_remote_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+   munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+   forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+   forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmmp_tcp_in_port_arr
+for _port in $xmmp_tcp_in_ports ; do
+   xmmp_tcp_in_port_arr+=("$_port")
+done
+
+declare -a xmmp_tcp_out_port_arr
+for _port in $xmmp_tcp_out_ports ; do
+   xmmp_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+   vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard Ports (local Service)
+# ---
+# local
+declare -a wireguard_server_port_arr
+for _port in $wireguard_server_ports ; do
+   wireguard_server_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard out Ports
+# ---
+# local
+declare -a wireguard_out_port_port_arr
+for _port in $wireguard_out_ports ; do
+   wireguard_out_port_port_arr+=("$_port")
+done
+
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+   tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+   forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+   udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+   forward_udp_out_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+   portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+   portforward_udp_arr+=("$_str")
+done
+
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,15 @@
+---
+
+- name: Reload systemd daemon
+  systemd:
+    daemon_reload: true
+
+- name: Restart IPv4 Firewall
+  service:
+    name: ipt-firewall
+    state: restarted
+
+- name: Restart IPv6 Firewall
+  service:
+    name: ip6t-firewall
+    state: restarted
@@ -0,0 +1,215 @@
+---
+
+# ===
+# Ensure /etc/ipt-firewall directory exists
+# ===
+
+- name: Create /etc/ipt-firewall if not present
+  file:
+    path: /etc/ipt-firewall
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+
+
+# ===
+# Check presence of host-specific config files
+# ===
+
+- name: Check if interfaces_ipv4.conf exists
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+  register: interfaces_ipv4_exists
+
+- name: Check if interfaces_ipv6.conf exists
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv6.conf
+  register: interfaces_ipv6_exists
+
+- name: Check if main_ipv4.conf exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv4.conf
+  register: main_ipv4_exists
+
+- name: Check if main_ipv6.conf exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv6.conf
+  register: main_ipv6_exists
+
+
+# ===
+# Deploy host-specific config files from templates.
+#
+# Safety guard: by default (fw_manage_config: false) a file is only written
+# when it does not yet exist on the host — so existing hosts are never touched
+# accidentally.
+#
+# Once a host has been migrated (host_vars populated and diff verified), set
+#   fw_manage_config: true
+# in its host_vars. From that point on Ansible is the authoritative source and
+# will update the config on every run, triggering a firewall restart on changes.
+# ===
+
+- name: Deploy interfaces_ipv4.conf from template
+  template:
+    src: etc/ipt-firewall/interfaces_ipv4.conf.j2
+    dest: /etc/ipt-firewall/interfaces_ipv4.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
+  notify:
+    - Restart IPv4 Firewall
+
+- name: Deploy interfaces_ipv6.conf from template
+  template:
+    src: etc/ipt-firewall/interfaces_ipv6.conf.j2
+    dest: /etc/ipt-firewall/interfaces_ipv6.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
+  notify:
+    - Restart IPv6 Firewall
+
+- name: Deploy main_ipv4.conf from template
+  template:
+    src: etc/ipt-firewall/main_ipv4.conf.j2
+    dest: /etc/ipt-firewall/main_ipv4.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not main_ipv4_exists.stat.exists
+  notify:
+    - Restart IPv4 Firewall
+
+- name: Deploy main_ipv6.conf from template
+  template:
+    src: etc/ipt-firewall/main_ipv6.conf.j2
+    dest: /etc/ipt-firewall/main_ipv6.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not main_ipv6_exists.stat.exists
+  notify:
+    - Restart IPv6 Firewall
+
+
+# ===
+# Firewall scripts
+# ===
+
+- name: Deploy ipt-firewall-server
+  copy:
+    src: usr/local/sbin/ipt-firewall-server
+    dest: /usr/local/sbin/ipt-firewall-server
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Deploy ip6t-firewall-server
+  copy:
+    src: usr/local/sbin/ip6t-firewall-server
+    dest: /usr/local/sbin/ip6t-firewall-server
+    owner: root
+    group: root
+    mode: "0750"
+
+
+# ===
+# Shared conf files (not host-specific — always kept in sync with the role)
+# ===
+
+- name: Deploy shared conf files
+  copy:
+    src: "etc/ipt-firewall/{{ item }}"
+    dest: "/etc/ipt-firewall/{{ item }}"
+    owner: root
+    group: root
+    mode: "0640"
+  loop:
+    - default_settings.conf
+    - include_functions.conf
+    - logging_ipv4.conf
+    - logging_ipv6.conf
+    - post_declarations.conf
+
+
+# ===
+# Ban lists — copy from sample once; the file can be customised per host.
+# ===
+
+- name: Check if ban_ipv4.list exists
+  stat:
+    path: /etc/ipt-firewall/ban_ipv4.list
+  register: ban_ipv4_exists
+
+- name: Copy ban_ipv4.list from sample (first install only)
+  copy:
+    src: etc/ipt-firewall/ban_ipv4.list.sample
+    dest: /etc/ipt-firewall/ban_ipv4.list
+    owner: root
+    group: root
+    mode: "0640"
+  when: not ban_ipv4_exists.stat.exists
+
+- name: Check if ban_ipv6.list exists
+  stat:
+    path: /etc/ipt-firewall/ban_ipv6.list
+  register: ban_ipv6_exists
+
+- name: Copy ban_ipv6.list from sample (first install only)
+  copy:
+    src: etc/ipt-firewall/ban_ipv6.list.sample
+    dest: /etc/ipt-firewall/ban_ipv6.list
+    owner: root
+    group: root
+    mode: "0640"
+  when: not ban_ipv6_exists.stat.exists
+
+
+# ===
+# Systemd service units
+# ===
+
+- name: Deploy ipt-firewall.service
+  copy:
+    src: etc/systemd/system/ipt-firewall.service
+    dest: /etc/systemd/system/ipt-firewall.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd daemon
+    - Restart IPv4 Firewall
+
+- name: Deploy ip6t-firewall.service
+  copy:
+    src: etc/systemd/system/ip6t-firewall.service
+    dest: /etc/systemd/system/ip6t-firewall.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd daemon
+    - Restart IPv6 Firewall
+
+
+# ===
+# Enable and start services
+# ===
+
+- name: Enable and start ipt-firewall
+  systemd:
+    name: ipt-firewall
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Enable and start ip6t-firewall
+  systemd:
+    name: ip6t-firewall
+    enabled: true
+    state: started
+    daemon_reload: true
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# -    (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v4 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
+
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices="{{ fw_nat_devices }}"
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# -    (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v6 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"
@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations IPv4 Firewall
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Bridged / LXC traffic
+# -------------
+
+do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
+do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
+
+
+# -------------
+# --- Drop ICMP / MNDP / mDNS
+# -------------
+
+drop_icmp={{ fw_drop_icmp | lower }}
+drop_mndp={{ fw_drop_mndp | lower }}
+drop_mdns={{ fw_drop_mdns | lower }}
+
+
+# -------------
+# --- Outgoing traffic
+# -------------
+
+allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
+
+
+# -------------
+# --- Interface policy
+# -------------
+
+blocked_ifs="{{ fw_blocked_ifs }}"
+unprotected_ifs="{{ fw_unprotected_ifs }}"
+
+
+# -------------
+# --- Forwarding / Routing
+# -------------
+
+# Private IPs to forward (CIDR notation, blank separated)
+forward_private_ips="{{ fw_forward_private_ips_v4 }}"
+
+
+# -------------
+# --- Access control (source-based)
+# -------------
+
+# restrict_local_service_to_net="ext-net:local-address:port:protocol"
+restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
+
+# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
+restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
+
+# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
+allow_ext_service="{{ fw_allow_ext_service_v4 }}"
+
+# allow_ext_net="<ext-ip/net>"  (blank separated)
+allow_ext_net="{{ fw_allow_ext_net_v4 }}"
+
+# allow_local_service="<port>:<protocol>"  (blank separated)
+allow_local_service="{{ fw_allow_local_service_v4 }}"
+
+# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
+allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
+
+
+# -------------
+# --- Services: VPN / WireGuard
+# -------------
+
+vpn_server_ips="{{ fw_vpn_server_ips }}"
+forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
+vpn_ports="{{ fw_vpn_ports }}"
+
+wireguard_server_ips="{{ fw_wireguard_server_ips }}"
+forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
+wireguard_server_ports="{{ fw_wireguard_server_ports }}"
+wireguard_out_ports="{{ fw_wireguard_out_ports }}"
+
+
+# -------------
+# --- Services: NTP
+# -------------
+
+local_ntp_service={{ fw_local_ntp_service | lower }}
+ntp_port="{{ fw_ntp_port }}"
+ntp_allowed_net="{{ fw_ntp_allowed_net }}"
+
+
+# -------------
+# --- Services: DHCP (IPv4 only)
+# -------------
+
+# Comma separated list of interfaces providing DHCP
+dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
+
+# Comma separated list of interfaces acting as DHCP clients
+dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
+
+
+# -------------
+# --- Services: DNS
+# -------------
+
+dns_server_ips="{{ fw_dns_server_ips }}"
+forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
+
+local_resolver_service={{ fw_local_resolver_service | lower }}
+resolver_port="{{ fw_resolver_port }}"
+# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
+resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: SSH
+# -------------
+
+ssh_server_ips="{{ fw_ssh_server_ips }}"
+forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
+ssh_ports="{{ fw_ssh_ports }}"
+
+
+# -------------
+# --- Services: HTTP(S)
+# -------------
+
+http_server_ips="{{ fw_http_server_ips }}"
+forward_http_server_ips="{{ fw_forward_http_server_ips }}"
+http_ports="{{ fw_http_ports }}"
+
+log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
+cgi_script_users="{{ fw_cgi_script_users }}"
+
+
+# -------------
+# --- Services: Mattermost
+# -------------
+
+mm_server_ips="{{ fw_mm_server_ips }}"
+forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
+mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
+mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
+
+
+# -------------
+# --- Services: Mail (SMTP / IMAP / POP)
+# -------------
+
+smtpd_ips="{{ fw_smtpd_ips }}"
+forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
+smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
+smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
+
+mail_server_ips="{{ fw_mail_server_ips }}"
+forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
+mail_user_ports="{{ fw_mail_user_ports }}"
+
+mail_client_ips="{{ fw_mail_client_ips }}"
+forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
+
+dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
+dovecot_auth_port="{{ fw_dovecot_auth_port }}"
+# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
+dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: FTP
+# -------------
+
+ftp_server_ips="{{ fw_ftp_server_ips }}"
+forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
+ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
+
+
+# -------------
+# --- Services: XMPP (Jabber / Prosody)
+# -------------
+
+xmpp_server_ips="{{ fw_xmpp_server_ips }}"
+forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
+xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
+xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
+# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
+xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
+
+
+# -------------
+# --- Services: Mumble
+# -------------
+
+mumble_server_ips="{{ fw_mumble_server_ips }}"
+forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
+mumble_ports="{{ fw_mumble_ports }}"
+
+
+# -------------
+# --- Services: Jitsi / Jibri
+# -------------
+
+jitsi_server_ips="{{ fw_jitsi_server_ips }}"
+forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
+jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
+jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
+jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
+jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
+jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
+jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
+jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
+jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
+jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
+jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
+
+jibri_server_ips="{{ fw_jibri_server_ips }}"
+forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
+jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
+jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
+
+
+# -------------
+# --- Services: TURN / STUN (Nextcloud Talk)
+# -------------
+
+nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
+forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
+nc_turn_ports="{{ fw_nc_turn_ports }}"
+nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
+
+
+# -------------
+# --- Services: TFTP (not yet implemented)
+# -------------
+
+tftp_server_ips="{{ fw_tftp_server_ips }}"
+
+
+# -------------
+# --- Services: Prometheus
+# -------------
+
+prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
+prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
+
+prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
+prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
+prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
+
+
+# -------------
+# --- Services: Munin
+# -------------
+
+munin_server_ips="{{ fw_munin_server_ips }}"
+forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
+munin_remote_port="{{ fw_munin_remote_port }}"
+
+munin_remote_ip="{{ munin_remote_ipv4 }}"
+munin_local_port="{{ fw_munin_local_port }}"
+
+
+# -------------
+# --- Services: Xymon (not yet implemented)
+# -------------
+
+xymon_server_ips="{{ fw_xymon_server_ips }}"
+local_xymon_client={{ fw_local_xymon_client | lower }}
+xymon_port="{{ fw_xymon_port }}"
+
+
+# -------------
+# --- Protocols out: Rsync
+# -------------
+
+rsync_out_ips="{{ fw_rsync_out_ips }}"
+forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
+rsync_ports="{{ fw_rsync_ports }}"
+
+
+# -------------
+# --- Special ports (OUT)
+# -------------
+
+tcp_out_ports="{{ fw_tcp_out_ports }}"
+forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
+udp_out_ports="{{ fw_udp_out_ports }}"
+forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
+
+
+# =============
+# --- Portforwarding (IPv4)
+# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
+# =============
+
+portforward_tcp="{{ fw_portforward_tcp_v4 }}"
+portforward_udp="{{ fw_portforward_udp_v4 }}"
+
+
+# -------------
+# --- Blocked IPs / Ports
+# -------------
+
+blocked_ips="{{ fw_blocked_ips }}"
+block_tcp_ports="{{ fw_block_tcp_ports }}"
+block_udp_ports="{{ fw_block_udp_ports }}"
+
+
+# -------------
+# --- Special / Counters
+# -------------
+
+create_traffic_counter={{ fw_create_traffic_counter | lower }}
+create_iperf_rules={{ fw_create_iperf_rules | lower }}
+
+
+# -------------
+# --- Protection
+# -------------
+
+protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
+protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
+protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
+
+
+# -------------
+# --- Connection limits
+# -------------
+
+limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
+per_IP_connection_limit={{ fw_per_IP_connection_limit }}
+
+limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
+limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
+
+
+# -------------
+# --- Kernel parameters (IPv4)
+# -------------
+
+kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
+
+kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
+dynaddr_flag="{{ fw_dynaddr_flag }}"
+
+kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
+kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
+kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
+kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
+kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
+kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
+kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
+kernel_log_martians={{ fw_kernel_log_martians | lower }}
@@ -0,0 +1,337 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations IPv6 Firewall
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Bridged / LXC traffic
+# -------------
+
+do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
+do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
+
+
+# -------------
+# --- Drop ICMP / MNDP / mDNS
+# -------------
+
+drop_icmp={{ fw_drop_icmp | lower }}
+drop_mndp={{ fw_drop_mndp | lower }}
+drop_mdns={{ fw_drop_mdns | lower }}
+
+
+# -------------
+# --- Outgoing traffic
+# -------------
+
+allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
+
+
+# -------------
+# --- Interface policy
+# -------------
+
+blocked_ifs="{{ fw_blocked_ifs }}"
+unprotected_ifs="{{ fw_unprotected_ifs }}"
+
+
+# -------------
+# --- Forwarding / Routing
+# -------------
+
+# Private IPs to forward (CIDR notation, blank separated)
+forward_private_ips="{{ fw_forward_private_ips_v6 }}"
+
+
+# -------------
+# --- Access control (source-based)
+# --- Note: IPv6 uses comma as field separator (not colon)
+# -------------
+
+# restrict_local_service_to_net="ext-net,local-address,port,protocol"
+restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
+
+# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
+restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
+
+# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
+allow_ext_service="{{ fw_allow_ext_service_v6 }}"
+
+# allow_ext_net="<ext-ip/net>"  (blank separated)
+allow_ext_net="{{ fw_allow_ext_net_v6 }}"
+
+# allow_local_service="<port>,<protocol>"  (blank separated)
+allow_local_service="{{ fw_allow_local_service_v6 }}"
+
+# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
+allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
+
+
+# -------------
+# --- Services: VPN / WireGuard
+# -------------
+
+vpn_server_ips="{{ fw_vpn_server_ips }}"
+forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
+vpn_ports="{{ fw_vpn_ports }}"
+
+wireguard_server_ips="{{ fw_wireguard_server_ips }}"
+forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
+wireguard_server_ports="{{ fw_wireguard_server_ports }}"
+wireguard_out_ports="{{ fw_wireguard_out_ports }}"
+
+
+# -------------
+# --- Services: NTP
+# -------------
+
+local_ntp_service={{ fw_local_ntp_service | lower }}
+ntp_port="{{ fw_ntp_port }}"
+ntp_allowed_net="{{ fw_ntp_allowed_net }}"
+
+
+# -------------
+# --- Services: DNS
+# -------------
+
+dns_server_ips="{{ fw_dns_server_ips }}"
+forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
+
+local_resolver_service={{ fw_local_resolver_service | lower }}
+resolver_port="{{ fw_resolver_port }}"
+# resolver_allowed_networks="2001:678:a40:3000::/64"
+resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
+
+
+# -------------
+# --- Services: SSH
+# -------------
+
+ssh_server_ips="{{ fw_ssh_server_ips }}"
+forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
+ssh_ports="{{ fw_ssh_ports }}"
+
+
+# -------------
+# --- Services: HTTP(S)
+# -------------
+
+http_server_ips="{{ fw_http_server_ips }}"
+forward_http_server_ips="{{ fw_forward_http_server_ips }}"
+http_ports="{{ fw_http_ports }}"
+
+log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
+cgi_script_users="{{ fw_cgi_script_users }}"
+
+
+# -------------
+# --- Services: Mattermost
+# -------------
+
+mm_server_ips="{{ fw_mm_server_ips }}"
+forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
+mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
+mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
+
+
+# -------------
+# --- Services: Mail (SMTP / IMAP / POP)
+# -------------
+
+smtpd_ips="{{ fw_smtpd_ips }}"
+forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
+smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
+smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
+
+mail_server_ips="{{ fw_mail_server_ips }}"
+forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
+mail_user_ports="{{ fw_mail_user_ports }}"
+
+mail_client_ips="{{ fw_mail_client_ips }}"
+forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
+
+dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
+dovecot_auth_port="{{ fw_dovecot_auth_port }}"
+# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
+dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
+
+
+# -------------
+# --- Services: FTP
+# -------------
+
+ftp_server_ips="{{ fw_ftp_server_ips }}"
+forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
+ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
+
+
+# -------------
+# --- Services: XMPP (Jabber / Prosody)
+# -------------
+
+xmpp_server_ips="{{ fw_xmpp_server_ips }}"
+forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
+xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
+xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
+# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
+xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
+
+
+# -------------
+# --- Services: Mumble
+# -------------
+
+mumble_server_ips="{{ fw_mumble_server_ips }}"
+forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
+mumble_ports="{{ fw_mumble_ports }}"
+
+
+# -------------
+# --- Services: Jitsi / Jibri
+# -------------
+
+jitsi_server_ips="{{ fw_jitsi_server_ips }}"
+forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
+jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
+jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
+jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
+jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
+jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
+jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
+jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
+jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
+jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
+jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
+
+jibri_server_ips="{{ fw_jibri_server_ips }}"
+forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
+jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
+jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
+
+
+# -------------
+# --- Services: TURN / STUN (Nextcloud Talk)
+# -------------
+
+nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
+forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
+nc_turn_ports="{{ fw_nc_turn_ports }}"
+nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
+
+
+# -------------
+# --- Services: TFTP (not yet implemented)
+# -------------
+
+tftp_server_ips="{{ fw_tftp_server_ips }}"
+
+
+# -------------
+# --- Services: Prometheus
+# -------------
+
+prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
+prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
+
+prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
+prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
+prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
+
+
+# -------------
+# --- Services: Munin
+# -------------
+
+munin_server_ips="{{ fw_munin_server_ips }}"
+forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
+munin_remote_port="{{ fw_munin_remote_port }}"
+
+munin_remote_ip="{{ munin_remote_ipv6 }}"
+munin_local_port="{{ fw_munin_local_port }}"
+
+
+# -------------
+# --- Services: Xymon (not yet implemented)
+# -------------
+
+xymon_server_ips="{{ fw_xymon_server_ips }}"
+local_xymon_client={{ fw_local_xymon_client | lower }}
+xymon_port="{{ fw_xymon_port }}"
+
+
+# -------------
+# --- Protocols out: Rsync
+# -------------
+
+rsync_out_ips="{{ fw_rsync_out_ips }}"
+forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
+rsync_ports="{{ fw_rsync_ports }}"
+
+
+# -------------
+# --- Special ports (OUT)
+# -------------
+
+tcp_out_ports="{{ fw_tcp_out_ports }}"
+forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
+udp_out_ports="{{ fw_udp_out_ports }}"
+forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
+
+
+# =============
+# --- Portforwarding (IPv6)
+# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
+# =============
+
+portforward_tcp="{{ fw_portforward_tcp_v6 }}"
+portforward_udp="{{ fw_portforward_udp_v6 }}"
+
+
+# -------------
+# --- Blocked IPs / Ports
+# -------------
+
+blocked_ips="{{ fw_blocked_ips }}"
+block_tcp_ports="{{ fw_block_tcp_ports }}"
+block_udp_ports="{{ fw_block_udp_ports }}"
+
+
+# -------------
+# --- Special / Counters
+# -------------
+
+create_traffic_counter={{ fw_create_traffic_counter | lower }}
+create_iperf_rules={{ fw_create_iperf_rules | lower }}
+
+
+# -------------
+# --- Protection
+# -------------
+
+protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
+protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
+protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
+
+
+# -------------
+# --- Connection limits
+# -------------
+
+limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
+per_IP_connection_limit={{ fw_per_IP_connection_limit }}
+
+limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
+limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
+
+
+# -------------
+# --- Kernel parameters (IPv6)
+# -------------
+
+kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
+kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
+kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}