Add ipt-server role with firewall configuration and management

- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.

roles/ipt-server/templates/etc/ipt-firewall/interfaces_ipv4.conf.j2

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# -    (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v4 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
+
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices="{{ fw_nat_devices }}"

roles/ipt-server/templates/etc/ipt-firewall/interfaces_ipv6.conf.j2

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# -    (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v6 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"

roles/ipt-server/templates/etc/ipt-firewall/main_ipv4.conf.j2

@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations IPv4 Firewall
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Bridged / LXC traffic
+# -------------
+
+do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
+do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
+
+
+# -------------
+# --- Drop ICMP / MNDP / mDNS
+# -------------
+
+drop_icmp={{ fw_drop_icmp | lower }}
+drop_mndp={{ fw_drop_mndp | lower }}
+drop_mdns={{ fw_drop_mdns | lower }}
+
+
+# -------------
+# --- Outgoing traffic
+# -------------
+
+allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
+
+
+# -------------
+# --- Interface policy
+# -------------
+
+blocked_ifs="{{ fw_blocked_ifs }}"
+unprotected_ifs="{{ fw_unprotected_ifs }}"
+
+
+# -------------
+# --- Forwarding / Routing
+# -------------
+
+# Private IPs to forward (CIDR notation, blank separated)
+forward_private_ips="{{ fw_forward_private_ips_v4 }}"
+
+
+# -------------
+# --- Access control (source-based)
+# -------------
+
+# restrict_local_service_to_net="ext-net:local-address:port:protocol"
+restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
+
+# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
+restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
+
+# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
+allow_ext_service="{{ fw_allow_ext_service_v4 }}"
+
+# allow_ext_net="<ext-ip/net>"  (blank separated)
+allow_ext_net="{{ fw_allow_ext_net_v4 }}"
+
+# allow_local_service="<port>:<protocol>"  (blank separated)
+allow_local_service="{{ fw_allow_local_service_v4 }}"
+
+# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
+allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
+
+
+# -------------
+# --- Services: VPN / WireGuard
+# -------------
+
+vpn_server_ips="{{ fw_vpn_server_ips }}"
+forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
+vpn_ports="{{ fw_vpn_ports }}"
+
+wireguard_server_ips="{{ fw_wireguard_server_ips }}"
+forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
+wireguard_server_ports="{{ fw_wireguard_server_ports }}"
+wireguard_out_ports="{{ fw_wireguard_out_ports }}"
+
+
+# -------------
+# --- Services: NTP
+# -------------
+
+local_ntp_service={{ fw_local_ntp_service | lower }}
+ntp_port="{{ fw_ntp_port }}"
+ntp_allowed_net="{{ fw_ntp_allowed_net }}"
+
+
+# -------------
+# --- Services: DHCP (IPv4 only)
+# -------------
+
+# Comma separated list of interfaces providing DHCP
+dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
+
+# Comma separated list of interfaces acting as DHCP clients
+dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
+
+
+# -------------
+# --- Services: DNS
+# -------------
+
+dns_server_ips="{{ fw_dns_server_ips }}"
+forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
+
+local_resolver_service={{ fw_local_resolver_service | lower }}
+resolver_port="{{ fw_resolver_port }}"
+# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
+resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: SSH
+# -------------
+
+ssh_server_ips="{{ fw_ssh_server_ips }}"
+forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
+ssh_ports="{{ fw_ssh_ports }}"
+
+
+# -------------
+# --- Services: HTTP(S)
+# -------------
+
+http_server_ips="{{ fw_http_server_ips }}"
+forward_http_server_ips="{{ fw_forward_http_server_ips }}"
+http_ports="{{ fw_http_ports }}"
+
+log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
+cgi_script_users="{{ fw_cgi_script_users }}"
+
+
+# -------------
+# --- Services: Mattermost
+# -------------
+
+mm_server_ips="{{ fw_mm_server_ips }}"
+forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
+mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
+mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
+
+
+# -------------
+# --- Services: Mail (SMTP / IMAP / POP)
+# -------------
+
+smtpd_ips="{{ fw_smtpd_ips }}"
+forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
+smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
+smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
+
+mail_server_ips="{{ fw_mail_server_ips }}"
+forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
+mail_user_ports="{{ fw_mail_user_ports }}"
+
+mail_client_ips="{{ fw_mail_client_ips }}"
+forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
+
+dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
+dovecot_auth_port="{{ fw_dovecot_auth_port }}"
+# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
+dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: FTP
+# -------------
+
+ftp_server_ips="{{ fw_ftp_server_ips }}"
+forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
+ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
+
+
+# -------------
+# --- Services: XMPP (Jabber / Prosody)
+# -------------
+
+xmpp_server_ips="{{ fw_xmpp_server_ips }}"
+forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
+xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
+xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
+# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
+xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
+
+
+# -------------
+# --- Services: Mumble
+# -------------
+
+mumble_server_ips="{{ fw_mumble_server_ips }}"
+forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
+mumble_ports="{{ fw_mumble_ports }}"
+
+
+# -------------
+# --- Services: Jitsi / Jibri
+# -------------
+
+jitsi_server_ips="{{ fw_jitsi_server_ips }}"
+forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
+jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
+jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
+jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
+jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
+jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
+jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
+jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
+jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
+jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
+jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
+
+jibri_server_ips="{{ fw_jibri_server_ips }}"
+forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
+jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
+jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
+
+
+# -------------
+# --- Services: TURN / STUN (Nextcloud Talk)
+# -------------
+
+nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
+forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
+nc_turn_ports="{{ fw_nc_turn_ports }}"
+nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
+
+
+# -------------
+# --- Services: TFTP (not yet implemented)
+# -------------
+
+tftp_server_ips="{{ fw_tftp_server_ips }}"
+
+
+# -------------
+# --- Services: Prometheus
+# -------------
+
+prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
+prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
+
+prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
+prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
+prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
+
+
+# -------------
+# --- Services: Munin
+# -------------
+
+munin_server_ips="{{ fw_munin_server_ips }}"
+forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
+munin_remote_port="{{ fw_munin_remote_port }}"
+
+munin_remote_ip="{{ munin_remote_ipv4 }}"
+munin_local_port="{{ fw_munin_local_port }}"
+
+
+# -------------
+# --- Services: Xymon (not yet implemented)
+# -------------
+
+xymon_server_ips="{{ fw_xymon_server_ips }}"
+local_xymon_client={{ fw_local_xymon_client | lower }}
+xymon_port="{{ fw_xymon_port }}"
+
+
+# -------------
+# --- Protocols out: Rsync
+# -------------
+
+rsync_out_ips="{{ fw_rsync_out_ips }}"
+forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
+rsync_ports="{{ fw_rsync_ports }}"
+
+
+# -------------
+# --- Special ports (OUT)
+# -------------
+
+tcp_out_ports="{{ fw_tcp_out_ports }}"
+forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
+udp_out_ports="{{ fw_udp_out_ports }}"
+forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
+
+
+# =============
+# --- Portforwarding (IPv4)
+# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
+# =============
+
+portforward_tcp="{{ fw_portforward_tcp_v4 }}"
+portforward_udp="{{ fw_portforward_udp_v4 }}"
+
+
+# -------------
+# --- Blocked IPs / Ports
+# -------------
+
+blocked_ips="{{ fw_blocked_ips }}"
+block_tcp_ports="{{ fw_block_tcp_ports }}"
+block_udp_ports="{{ fw_block_udp_ports }}"
+
+
+# -------------
+# --- Special / Counters
+# -------------
+
+create_traffic_counter={{ fw_create_traffic_counter | lower }}
+create_iperf_rules={{ fw_create_iperf_rules | lower }}
+
+
+# -------------
+# --- Protection
+# -------------
+
+protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
+protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
+protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
+
+
+# -------------
+# --- Connection limits
+# -------------
+
+limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
+per_IP_connection_limit={{ fw_per_IP_connection_limit }}
+
+limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
+limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
+
+
+# -------------
+# --- Kernel parameters (IPv4)
+# -------------
+
+kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
+
+kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
+dynaddr_flag="{{ fw_dynaddr_flag }}"
+
+kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
+kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
+kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
+kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
+kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
+kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
+kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
+kernel_log_martians={{ fw_kernel_log_martians | lower }}

roles/ipt-server/templates/etc/ipt-firewall/main_ipv6.conf.j2

@@ -0,0 +1,337 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations IPv6 Firewall
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Bridged / LXC traffic
+# -------------
+
+do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
+do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
+
+
+# -------------
+# --- Drop ICMP / MNDP / mDNS
+# -------------
+
+drop_icmp={{ fw_drop_icmp | lower }}
+drop_mndp={{ fw_drop_mndp | lower }}
+drop_mdns={{ fw_drop_mdns | lower }}
+
+
+# -------------
+# --- Outgoing traffic
+# -------------
+
+allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
+
+
+# -------------
+# --- Interface policy
+# -------------
+
+blocked_ifs="{{ fw_blocked_ifs }}"
+unprotected_ifs="{{ fw_unprotected_ifs }}"
+
+
+# -------------
+# --- Forwarding / Routing
+# -------------
+
+# Private IPs to forward (CIDR notation, blank separated)
+forward_private_ips="{{ fw_forward_private_ips_v6 }}"
+
+
+# -------------
+# --- Access control (source-based)
+# --- Note: IPv6 uses comma as field separator (not colon)
+# -------------
+
+# restrict_local_service_to_net="ext-net,local-address,port,protocol"
+restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
+
+# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
+restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
+
+# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
+allow_ext_service="{{ fw_allow_ext_service_v6 }}"
+
+# allow_ext_net="<ext-ip/net>"  (blank separated)
+allow_ext_net="{{ fw_allow_ext_net_v6 }}"
+
+# allow_local_service="<port>,<protocol>"  (blank separated)
+allow_local_service="{{ fw_allow_local_service_v6 }}"
+
+# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
+allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
+
+
+# -------------
+# --- Services: VPN / WireGuard
+# -------------
+
+vpn_server_ips="{{ fw_vpn_server_ips }}"
+forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
+vpn_ports="{{ fw_vpn_ports }}"
+
+wireguard_server_ips="{{ fw_wireguard_server_ips }}"
+forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
+wireguard_server_ports="{{ fw_wireguard_server_ports }}"
+wireguard_out_ports="{{ fw_wireguard_out_ports }}"
+
+
+# -------------
+# --- Services: NTP
+# -------------
+
+local_ntp_service={{ fw_local_ntp_service | lower }}
+ntp_port="{{ fw_ntp_port }}"
+ntp_allowed_net="{{ fw_ntp_allowed_net }}"
+
+
+# -------------
+# --- Services: DNS
+# -------------
+
+dns_server_ips="{{ fw_dns_server_ips }}"
+forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
+
+local_resolver_service={{ fw_local_resolver_service | lower }}
+resolver_port="{{ fw_resolver_port }}"
+# resolver_allowed_networks="2001:678:a40:3000::/64"
+resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
+
+
+# -------------
+# --- Services: SSH
+# -------------
+
+ssh_server_ips="{{ fw_ssh_server_ips }}"
+forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
+ssh_ports="{{ fw_ssh_ports }}"
+
+
+# -------------
+# --- Services: HTTP(S)
+# -------------
+
+http_server_ips="{{ fw_http_server_ips }}"
+forward_http_server_ips="{{ fw_forward_http_server_ips }}"
+http_ports="{{ fw_http_ports }}"
+
+log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
+cgi_script_users="{{ fw_cgi_script_users }}"
+
+
+# -------------
+# --- Services: Mattermost
+# -------------
+
+mm_server_ips="{{ fw_mm_server_ips }}"
+forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
+mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
+mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
+
+
+# -------------
+# --- Services: Mail (SMTP / IMAP / POP)
+# -------------
+
+smtpd_ips="{{ fw_smtpd_ips }}"
+forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
+smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
+smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
+
+mail_server_ips="{{ fw_mail_server_ips }}"
+forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
+mail_user_ports="{{ fw_mail_user_ports }}"
+
+mail_client_ips="{{ fw_mail_client_ips }}"
+forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
+
+dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
+dovecot_auth_port="{{ fw_dovecot_auth_port }}"
+# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
+dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
+
+
+# -------------
+# --- Services: FTP
+# -------------
+
+ftp_server_ips="{{ fw_ftp_server_ips }}"
+forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
+ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
+
+
+# -------------
+# --- Services: XMPP (Jabber / Prosody)
+# -------------
+
+xmpp_server_ips="{{ fw_xmpp_server_ips }}"
+forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
+xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
+xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
+# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
+xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
+
+
+# -------------
+# --- Services: Mumble
+# -------------
+
+mumble_server_ips="{{ fw_mumble_server_ips }}"
+forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
+mumble_ports="{{ fw_mumble_ports }}"
+
+
+# -------------
+# --- Services: Jitsi / Jibri
+# -------------
+
+jitsi_server_ips="{{ fw_jitsi_server_ips }}"
+forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
+jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
+jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
+jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
+jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
+jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
+jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
+jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
+jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
+jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
+jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
+
+jibri_server_ips="{{ fw_jibri_server_ips }}"
+forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
+jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
+jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
+
+
+# -------------
+# --- Services: TURN / STUN (Nextcloud Talk)
+# -------------
+
+nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
+forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
+nc_turn_ports="{{ fw_nc_turn_ports }}"
+nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
+
+
+# -------------
+# --- Services: TFTP (not yet implemented)
+# -------------
+
+tftp_server_ips="{{ fw_tftp_server_ips }}"
+
+
+# -------------
+# --- Services: Prometheus
+# -------------
+
+prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
+prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
+
+prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
+prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
+prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
+
+
+# -------------
+# --- Services: Munin
+# -------------
+
+munin_server_ips="{{ fw_munin_server_ips }}"
+forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
+munin_remote_port="{{ fw_munin_remote_port }}"
+
+munin_remote_ip="{{ munin_remote_ipv6 }}"
+munin_local_port="{{ fw_munin_local_port }}"
+
+
+# -------------
+# --- Services: Xymon (not yet implemented)
+# -------------
+
+xymon_server_ips="{{ fw_xymon_server_ips }}"
+local_xymon_client={{ fw_local_xymon_client | lower }}
+xymon_port="{{ fw_xymon_port }}"
+
+
+# -------------
+# --- Protocols out: Rsync
+# -------------
+
+rsync_out_ips="{{ fw_rsync_out_ips }}"
+forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
+rsync_ports="{{ fw_rsync_ports }}"
+
+
+# -------------
+# --- Special ports (OUT)
+# -------------
+
+tcp_out_ports="{{ fw_tcp_out_ports }}"
+forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
+udp_out_ports="{{ fw_udp_out_ports }}"
+forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
+
+
+# =============
+# --- Portforwarding (IPv6)
+# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
+# =============
+
+portforward_tcp="{{ fw_portforward_tcp_v6 }}"
+portforward_udp="{{ fw_portforward_udp_v6 }}"
+
+
+# -------------
+# --- Blocked IPs / Ports
+# -------------
+
+blocked_ips="{{ fw_blocked_ips }}"
+block_tcp_ports="{{ fw_block_tcp_ports }}"
+block_udp_ports="{{ fw_block_udp_ports }}"
+
+
+# -------------
+# --- Special / Counters
+# -------------
+
+create_traffic_counter={{ fw_create_traffic_counter | lower }}
+create_iperf_rules={{ fw_create_iperf_rules | lower }}
+
+
+# -------------
+# --- Protection
+# -------------
+
+protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
+protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
+protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
+
+
+# -------------
+# --- Connection limits
+# -------------
+
+limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
+per_IP_connection_limit={{ fw_per_IP_connection_limit }}
+
+limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
+limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
+
+
+# -------------
+# --- Kernel parameters (IPv6)
+# -------------
+
+kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
+kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
+kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}