---
# ---
# ipt-firewall role defaults
# Override per host in host_vars/<hostname>/ipt_firewall.yml
# (<hostname> is a placeholder for the inventory hostname).
#
# Conventions used in this file:
#   - "$name" values are passed through as-is; they reference variables that the
#     generated firewall configuration itself defines (not Ansible variables).
#   - Port lists and ranges are quoted strings ("50000:50400", "873") so YAML
#     never retypes them as integers or sexagesimal numbers.
#   - Empty string "" means "feature not configured" for the *_ips / *_ports
#     keys; empty list [] means "no entries" for the interface/address lists.
# ---

# ---
# Config management mode.
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
# true: Ansible is authoritative — config is always written from templates and
# the firewall is restarted on any change. Set this after migrating a host.
# ---
fw_manage_config: false

# ---
# Network interfaces and addresses (set per host in host_vars)
# ---
fw_ext_interfaces: []  # e.g. ["eth0"]
fw_ext_ips_v4: []  # e.g. ["83.223.86.98"]
fw_ext_ips_v6: []  # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
fw_local_interfaces: []
fw_local_ips_v4: []
fw_local_ips_v6: []
fw_vpn_ifs: "tun+"  # interface glob; "+" is the iptables wildcard suffix
fw_wg_ifs: "wg+"
fw_lxc_guest_ips_v4: []
fw_lxc_guest_ips_v6: []
fw_nat_devices: ""

# ---
# Munin monitoring (often set in group_vars or role defaults)
# NOTE: these two keys are not prefixed with fw_ — presumably shared with a
# munin role; verify before renaming.
# ---
munin_remote_ipv4: ""
munin_remote_ipv6: ""

# ---
# Bridged / LXC traffic
# Both false by default, i.e. bridged and LXC guest traffic IS filtered.
# ---
fw_do_not_firewall_bridged_traffic: false
fw_do_not_firewall_lx_guest_systems: false

# ---
# Drop policies
# ---
fw_drop_icmp: false
fw_drop_mndp: true
fw_drop_mdns: true

# ---
# Outgoing / interface policy
# Egress is restricted by default; per-service *_out_ports keys below open
# what a host needs.
# ---
fw_allow_all_outgoing_traffic: false
fw_blocked_ifs: ""
fw_unprotected_ifs: ""

# ---
# Forwarding (protocol-specific addresses)
# ---
fw_forward_private_ips_v4: ""
fw_forward_private_ips_v6: ""

# ---
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
# ---
fw_restrict_local_service_to_net_v4: ""
fw_restrict_local_service_to_net_v6: ""
fw_restrict_local_net_to_net_v4: ""
fw_restrict_local_net_to_net_v6: ""
fw_allow_ext_service_v4: ""
fw_allow_ext_service_v6: ""
fw_allow_ext_net_v4: ""
fw_allow_ext_net_v6: ""
fw_allow_local_service_v4: ""
fw_allow_local_service_v6: ""
fw_allow_local_service_from_networks_v4: ""
fw_allow_local_service_from_networks_v6: ""

# ---
# Services: VPN / WireGuard
# ---
fw_vpn_server_ips: ""
fw_forward_vpn_server_ips: ""
fw_vpn_ports: "$standard_vpn_port"
fw_wireguard_server_ips: ""
fw_forward_wireguard_server_ips: ""
fw_wireguard_server_ports: "$standard_wireguard_port"
fw_wireguard_out_ports: "$standard_wireguard_port"

# ---
# Services: NTP
# ---
fw_local_ntp_service: false
fw_ntp_port: "$standard_ntp_port"
fw_ntp_allowed_net: ""

# ---
# Services: DHCP (IPv4 only)
# ---
fw_dhcp_server_ifs: ""
fw_dhcp_client_ifs: ""

# ---
# Services: DNS
# ---
fw_dns_server_ips: ""
fw_forward_dns_server_ips: ""
fw_local_resolver_service: false
fw_resolver_port: "$standard_dns_port"
fw_resolver_allowed_networks_v4: ""
fw_resolver_allowed_networks_v6: ""

# ---
# Services: SSH
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
# Override in host_vars to restrict to specific IPs. This is the only service
# in this file that is exposed by default; all other *_server_ips are "".
# ---
fw_ssh_server_ips: "$ext_ips"
fw_forward_ssh_server_ips: ""
fw_ssh_ports: "$standard_ssh_port"

# ---
# Services: HTTP(S)
# ---
fw_http_server_ips: ""
fw_forward_http_server_ips: ""
fw_http_ports: "$standard_http_ports"
fw_log_cgi_traffic_out: false
fw_cgi_script_users: ""

# ---
# Services: Mattermost
# NOTE(review): the two "$stansard_..." references look like a misspelling of
# "$standard_..."; confirm against the variable names the generated firewall
# config actually defines before changing them here.
# ---
fw_mm_server_ips: ""
fw_forward_mm_server_ips: ""
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"

# ---
# Services: Mail
# ---
fw_smtpd_ips: ""
fw_forward_smtpd_ips: ""
fw_smtpd_additional_listen_ports: ""
fw_smtpd_additional_outgoing_ports: ""
fw_mail_server_ips: ""
fw_forward_mail_server_ips: ""
fw_mail_user_ports: "$standard_mailuser_ports"
fw_mail_client_ips: ""
fw_forward_mail_client_ips: ""
fw_dovecot_auth_service: false
fw_dovecot_auth_port: "$dovecot_external_auth_port"
fw_dovecot_auth_allowed_networks_v4: ""
fw_dovecot_auth_allowed_networks_v6: ""

# ---
# Services: FTP
# ---
fw_ftp_server_ips: ""
fw_forward_ftp_server_ips: ""
fw_ftp_passive_port_range: "50000:50400"  # quoted: "a:b" would otherwise be read as a YAML 1.1 sexagesimal int

# ---
# Services: XMPP (Jabber / Prosody)
# NOTE: the fw_xmmp_* keys (sic) are kept as spelled — they are most likely
# referenced verbatim by the role's templates; renaming them is an interface change.
# ---
fw_xmpp_server_ips: ""
fw_forward_xmpp_server_ips: ""
fw_xmmp_tcp_in_ports: "5222 5223 5269"  # space-separated port list
fw_xmmp_tcp_out_ports: "5269"
fw_xmmp_remote_out_services_v4: ""
fw_xmmp_remote_out_services_v6: ""

# ---
# Services: Mumble
# ---
fw_mumble_server_ips: ""
fw_forward_mumble_server_ips: ""
fw_mumble_ports: "$standard_mumble_port"

# ---
# Services: Jitsi / Jibri
# NOTE(review): "$default_jitsi_dovecout_auth_port" may be a misspelling of
# "...dovecot..."; confirm against the generated config before changing.
# ---
fw_jitsi_server_ips: ""
fw_forward_jitsi_server_ips: ""
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"  # comma-separated list
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_dovecot_auth: false
fw_jitsi_dovecot_host: ""
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
fw_jitsi_jibri_remote_auth: false
fw_jitsi_jibri_remote_ips: ""
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
fw_jibri_server_ips: ""
fw_forward_jibri_server_ips: ""
fw_jibri_remote_jitsi_server: ""
fw_jibri_remote_auth_port: "$default_jibri_out_port"

# ---
# Services: TURN / STUN (Nextcloud Talk)
# ---
fw_nc_turn_server_ips: ""
fw_forward_nc_turn_server_ips: ""
fw_nc_turn_ports: "$standard_turn_service_ports"
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"

# ---
# Services: TFTP
# ---
fw_tftp_server_ips: ""

# ---
# Services: Prometheus
# ---
fw_prometheus_local_server_ips: ""
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
fw_prometheus_local_client_ips: ""
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
fw_prometheus_remote_server_ips: ""

# ---
# Services: Munin
# ---
fw_munin_server_ips: ""
fw_forward_munin_server_ips: ""
fw_munin_remote_port: "$standard_munin_port"
fw_munin_local_port: "4949"  # quoted so it stays a string like the other port keys

# ---
# Services: Xymon
# ---
fw_xymon_server_ips: ""
fw_local_xymon_client: false
fw_xymon_port: "$standard_xymon_port"

# ---
# Protocols out: Rsync
# ---
fw_rsync_out_ips: ""
fw_forward_rsync_out_ips: ""
fw_rsync_ports: "873"

# ---
# Special ports (OUT)
# ---
fw_tcp_out_ports: ""
fw_forward_tcp_out_ports: ""
fw_udp_out_ports: ""
fw_forward_udp_out_ports: ""

# ---
# Portforwarding (protocol-specific formats)
# IPv4: five colon-separated fields per entry.
# IPv6: five comma-separated fields per entry.
# (The field names of the original comment did not survive extraction;
# consult the role's template for the exact order.)
# ---
fw_portforward_tcp_v4: ""
fw_portforward_udp_v4: ""
fw_portforward_tcp_v6: ""
fw_portforward_udp_v6: ""

# ---
# Blocked IPs / ports
# Space-separated lists; "a:b" denotes a port range.
# ---
fw_blocked_ips: ""
fw_block_tcp_ports: "111 113 135 137:139 445"
fw_block_udp_ports: "111 137:139"

# ---
# Special / counters
# NOTE(review): fw_create_iperf_rules is on by default — confirm that is
# intended for every host this role is applied to, not only test hosts.
# ---
fw_create_traffic_counter: true
fw_create_iperf_rules: true

# ---
# Protection
# ---
fw_protection_against_syn_flooding: true
fw_protection_against_port_scanning: true
fw_protection_against_ssh_brute_force_attacks: true

# ---
# Connection limits
# (keys keep their mixed-case "IP" spelling; they are referenced by name elsewhere)
# ---
fw_limit_connections_per_source_IP: true
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
fw_limit_new_tcp_connections_per_seconds_ports: ""

# ---
# Kernel parameters — IPv4
# Forwarding is off by default; enable only on routers/NAT hosts.
# ---
fw_kernel_activate_forwarding: false
fw_kernel_support_dynaddr: false
fw_dynaddr_flag: "5"
fw_kernel_reduce_timeouts: true
fw_kernel_tcp_syncookies: true
fw_kernel_protect_against_icmp_bogus_messages: true
fw_kernel_ignore_broadcast_ping: true
fw_kernel_deactivate_source_route: true
fw_kernel_dont_accept_redirects: true
fw_kernel_activate_rp_filter: true
fw_kernel_log_martians: false  # off by default; turning it on aids detection of spoofed-source traffic at the cost of log noise

# ---
# Kernel parameters — IPv6
# ---
fw_kernel_forward_between_interfaces: false