#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv4 Firewall
## ----------------------------------------------------------------
#
# Ansible/Jinja2 template that renders a flat shell variable file for the
# IPv4 firewall script. Every assignment below is a plain string or boolean
# taken verbatim from an Ansible variable (almost all prefixed `fw_`); this
# file defines no logic of its own and is presumably sourced by the firewall
# script that builds the actual rule set (not visible here).
#
# NOTE(review): values are interpolated into double-quoted shell strings
# without any escaping (`"{{ var }}"`, no `| quote`). A value containing
# `"`, `$`, a backquote or `$(` is executed as shell code when this file is
# sourced. Only populate these variables from trusted inventory/group_vars;
# if any of them can come from less trusted input, render with `| quote`
# and drop the surrounding quotes in the template.
#
# Boolean switches are rendered unquoted through `| lower` so that Ansible's
# True/False become the literal words `true`/`false`. An undefined variable
# makes the template render fail, which is the safe outcome for a firewall
# config; a value containing whitespace would produce a broken assignment.
#
# Address/port lists are blank-separated unless a comment says otherwise.
# Examples below use RFC 5737 documentation addresses.

# -------------
# --- Bridged / LXC traffic
# -------------
# When true, traffic crossing bridges / reaching LX guests is left to the
# guests' own firewalls (presumably; the consuming script decides).
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}

# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
# Dropping ICMP wholesale also drops PMTU discovery and error reports; keep
# this false unless the consuming script is known to exempt the needed types.
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}

# -------------
# --- Outgoing traffic
# -------------
# true  -> any outbound connection is permitted (widest egress policy).
# false -> only the explicit *_out_* / service rules below apply (egress
#          filtering; preferred for servers).
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}

# -------------
# --- Interface policy
# -------------
# blocked_ifs:     interfaces on which all traffic is blocked.
# unprotected_ifs: interfaces on which no filtering is applied at all —
#                  treat the list as a deliberate hole in the policy.
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"

# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v4 }}"

# -------------
# --- Access control (source-based)
# -------------
# Entries are colon-separated field tuples, several entries blank separated.
# The placeholder names of most format comments were lost in an earlier edit
# (only the first survived); confirm each field order against the consuming
# firewall script before relying on the descriptions here.
#
# restrict_local_service_to_net="ext-net:local-address:port:protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
# restrict_local_net_to_net: two fields per entry, "<...>:<...>" — field
# names not recoverable from this file.
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
# allow_ext_service: three fields per entry, "<...>:<...>:<...>".
allow_ext_service="{{ fw_allow_ext_service_v4 }}"
# allow_ext_net: networks/addresses (blank separated).
allow_ext_net="{{ fw_allow_ext_net_v4 }}"
# allow_local_service: two fields per entry, "<...>:<...>" (blank separated).
allow_local_service="{{ fw_allow_local_service_v4 }}"
# allow_local_service_from_networks: three fields per entry.
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"

# -------------
# --- Services: VPN / WireGuard
# -------------
# The "<service>_server_ips" / "forward_<service>_server_ips" pairs that
# follow are, by naming, the addresses of local listeners versus addresses
# behind this host that the service is forwarded to; the consuming script
# defines the exact semantics.
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"

# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"

# -------------
# --- Services: DHCP (IPv4 only)
# -------------
# Comma separated list of interfaces providing DHCP
dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
# Comma separated list of interfaces acting as DHCP clients
dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"

# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# Keep this list tight: an open resolver is an amplification vector.
# resolver_allowed_networks="198.51.100.64/27 203.0.113.139"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"

# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"

# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
# Outbound connections initiated by the listed CGI users can be logged
# (useful for spotting web shells / SSRF; presumably an owner-match rule).
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"

# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"

# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
# NOTE(review): the shell name is misspelled ("outgoung") while the Ansible
# variable is spelled correctly. It is kept as-is because the consuming
# firewall script must read this exact name; rename both sides together.
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
# Dovecot auth socket/port exposed to other hosts (e.g. Jitsi below).
# Restrict it to the networks that actually need it; it carries credentials.
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="198.51.100.64/27 203.0.113.139"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"

# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
# Passive-mode data port range; must match the FTP daemon's configuration.
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"

# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
# NOTE(review): "xmmp_" (sic) is used on both the shell and the Ansible side
# for the next three variables; kept for compatibility with the consuming
# script and existing inventories.
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="198.51.100.81:44444 203.0.113.91:44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"

# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"

# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
# Outbound access from Jitsi to a (remote) Dovecot auth service.
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
# Jibri hosts allowed to authenticate against this Jitsi server.
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"

# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"

# -------------
# --- Services: TFTP (not yet implemented)
# -------------
# Defined for future use; nothing in this file indicates a consumer yet.
tftp_server_ips="{{ fw_tftp_server_ips }}"

# -------------
# --- Services: Prometheus
# -------------
# "local_*" = this host's role as scrape target / scraper; "remote_*" = the
# peer side. Exporter ports should never be reachable from the open Internet.
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"

# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
# NOTE(review): this is the only assignment that reads a variable without
# the `fw_` prefix (`munin_remote_ipv4`); it must be defined wherever the
# other `fw_*` variables are, or rendering fails.
munin_remote_ip="{{ munin_remote_ipv4 }}"
munin_local_port="{{ fw_munin_local_port }}"

# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"

# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"

# -------------
# --- Special ports (OUT)
# -------------
# Extra outbound ports opened for this host ("forward_*": for forwarded
# hosts). Only relevant when allow_all_outgoing_traffic is false.
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"

# =============
# --- Portforwarding (IPv4)
# --- Format: five colon-separated fields per entry, "<...>:<...>:<...>:<...>:<...>"
# --- (placeholder names were lost from this comment; check the consuming
# --- script for the field order before adding entries).
# =============
portforward_tcp="{{ fw_portforward_tcp_v4 }}"
portforward_udp="{{ fw_portforward_udp_v4 }}"

# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"

# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
# iperf rules open a test port; keep false outside of measurement windows.
create_iperf_rules={{ fw_create_iperf_rules | lower }}

# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}

# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
# Numeric, rendered unquoted; must be an integer.
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"

# -------------
# --- Kernel parameters (IPv4)
# -------------
# Switches that presumably map to net.ipv4 sysctls set by the firewall
# script (forwarding, syncookies, rp_filter, ...). Forwarding should only be
# enabled on hosts that are meant to route; the rest are hardening defaults.
kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
dynaddr_flag="{{ fw_dynaddr_flag }}"
kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
kernel_log_martians={{ fw_kernel_log_martians | lower }}