9798ca9cd6
- Created handlers for reloading systemd and restarting firewall services. - Implemented tasks to ensure the existence of configuration directories and files. - Deployed host-specific and shared configuration files using templates. - Added scripts for managing IPv4 and IPv6 firewalls. - Configured systemd service units for ipt-firewall and ip6t-firewall. - Enabled and started firewall services on system boot.
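---
# ---
# ipt-firewall role defaults
# Override per host in host_vars/<hostname>/ipt_firewall.yml
#
# Conventions visible in this file:
#   - Values written as "$name" are substituted by the firewall scripts; the
#     variables they refer to are defined in the scripts, not here.
#   - IPv4 lists use ':' as the field separator, IPv6 lists use ',' (see the
#     "Access control" and "Portforwarding" sections); several values are
#     space-separated port lists, where "a:b" is a port range.
#   - All of these are quoted strings or YAML lists/booleans on purpose; keep
#     them quoted so port numbers and "$var" references stay strings.
# ---

# ---
# Config management mode.
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
# true: Ansible is authoritative — config is always written from templates and
# the firewall is restarted on any change. Set this after migrating a host.
# ---

fw_manage_config: false

# ---
# Network interfaces and addresses (set per host in host_vars)
# Example values below use documentation-range addresses (RFC 5737 / RFC 3849)
# so that no real host address is recorded in role defaults.
# ---

fw_ext_interfaces: []  # e.g. ["eth0"]
fw_ext_ips_v4: []  # e.g. ["192.0.2.10"] (placeholder, documentation range)
fw_ext_ips_v6: []  # e.g. ["2001:db8::10"] (placeholder, documentation range)
fw_local_interfaces: []
fw_local_ips_v4: []
fw_local_ips_v6: []
# Interface wildcards ("+" matches any suffix) for VPN and WireGuard devices.
fw_vpn_ifs: "tun+"
fw_wg_ifs: "wg+"
fw_lxc_guest_ips_v4: []
fw_lxc_guest_ips_v6: []
fw_nat_devices: ""

# ---
# Munin monitoring (often set in group_vars or role defaults)
# These two keys carry no "fw_" prefix; they are expected to be shared with
# other roles, so do not rename them here.
# ---

munin_remote_ipv4: ""
munin_remote_ipv6: ""

# ---
# Bridged / LXC traffic
# Both default to false, i.e. bridged and guest traffic is firewalled unless a
# host explicitly opts out.
# ---

fw_do_not_firewall_bridged_traffic: false
fw_do_not_firewall_lx_guest_systems: false

# ---
# Drop policies
# ICMP is allowed by default (fw_drop_icmp: false); MNDP and mDNS are dropped.
# ---

fw_drop_icmp: false
fw_drop_mndp: true
fw_drop_mdns: true

# ---
# Outgoing / interface policy
# Outgoing traffic is restricted by default; individual services below open
# what they need. fw_blocked_ifs / fw_unprotected_ifs are interface lists.
# ---

fw_allow_all_outgoing_traffic: false
fw_blocked_ifs: ""
fw_unprotected_ifs: ""

# ---
# Forwarding (protocol-specific addresses)
# ---

fw_forward_private_ips_v4: ""
fw_forward_private_ips_v6: ""

# ---
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
# ---

fw_restrict_local_service_to_net_v4: ""
fw_restrict_local_service_to_net_v6: ""
fw_restrict_local_net_to_net_v4: ""
fw_restrict_local_net_to_net_v6: ""
fw_allow_ext_service_v4: ""
fw_allow_ext_service_v6: ""
fw_allow_ext_net_v4: ""
fw_allow_ext_net_v6: ""
fw_allow_local_service_v4: ""
fw_allow_local_service_v6: ""
fw_allow_local_service_from_networks_v4: ""
fw_allow_local_service_from_networks_v6: ""

# ---
# Services: VPN / WireGuard
# The "fw_forward_*" variants of a service address list apply to forwarded
# traffic; the plain variants apply to the host itself.
# ---

fw_vpn_server_ips: ""
fw_forward_vpn_server_ips: ""
fw_vpn_ports: "$standard_vpn_port"
fw_wireguard_server_ips: ""
fw_forward_wireguard_server_ips: ""
fw_wireguard_server_ports: "$standard_wireguard_port"
fw_wireguard_out_ports: "$standard_wireguard_port"

# ---
# Services: NTP
# ---

fw_local_ntp_service: false
fw_ntp_port: "$standard_ntp_port"
fw_ntp_allowed_net: ""

# ---
# Services: DHCP (IPv4 only)
# ---

fw_dhcp_server_ifs: ""
fw_dhcp_client_ifs: ""

# ---
# Services: DNS
# ---

fw_dns_server_ips: ""
fw_forward_dns_server_ips: ""
fw_local_resolver_service: false
fw_resolver_port: "$standard_dns_port"
fw_resolver_allowed_networks_v4: ""
fw_resolver_allowed_networks_v6: ""

# ---
# Services: SSH
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
# Override in host_vars to restrict to specific IPs. Exposure is mitigated by
# fw_protection_against_ssh_brute_force_attacks (see "Protection" below),
# which is also enabled by default.
# ---

fw_ssh_server_ips: "$ext_ips"
fw_forward_ssh_server_ips: ""
fw_ssh_ports: "$standard_ssh_port"

# ---
# Services: HTTP(S)
# ---

fw_http_server_ips: ""
fw_forward_http_server_ips: ""
fw_http_ports: "$standard_http_ports"
fw_log_cgi_traffic_out: false
fw_cgi_script_users: ""

# ---
# Services: Mattermost
# ---

fw_mm_server_ips: ""
fw_forward_mm_server_ips: ""
# NOTE(review): "stansard" looks like a misspelling of "standard". The value
# must match the variable name actually defined in the firewall script, so
# verify there before correcting it here.
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"

# ---
# Services: Mail
# ---

fw_smtpd_ips: ""
fw_forward_smtpd_ips: ""
fw_smtpd_additional_listen_ports: ""
fw_smtpd_additional_outgoing_ports: ""
fw_mail_server_ips: ""
fw_forward_mail_server_ips: ""
fw_mail_user_ports: "$standard_mailuser_ports"
fw_mail_client_ips: ""
fw_forward_mail_client_ips: ""
# External Dovecot auth is off by default; when enabled, restrict it with the
# allowed-networks lists below rather than leaving them empty.
fw_dovecot_auth_service: false
fw_dovecot_auth_port: "$dovecot_external_auth_port"
fw_dovecot_auth_allowed_networks_v4: ""
fw_dovecot_auth_allowed_networks_v6: ""

# ---
# Services: FTP
# ---

fw_ftp_server_ips: ""
fw_forward_ftp_server_ips: ""
# Passive port range, "<first>:<last>"; quoted so YAML does not parse it as a
# sexagesimal number.
fw_ftp_passive_port_range: "50000:50400"

# ---
# Services: XMPP (Jabber / Prosody)
# NOTE(review): the server-IP keys are spelled "xmpp" while the port/service
# keys are spelled "xmmp". The names are referenced by the templates and by
# host_vars, so they are kept as-is here; rename only together with all users.
# ---

fw_xmpp_server_ips: ""
fw_forward_xmpp_server_ips: ""
fw_xmmp_tcp_in_ports: "5222 5223 5269"
fw_xmmp_tcp_out_ports: "5269"
fw_xmmp_remote_out_services_v4: ""
fw_xmmp_remote_out_services_v6: ""

# ---
# Services: Mumble
# ---

fw_mumble_server_ips: ""
fw_forward_mumble_server_ips: ""
fw_mumble_ports: "$standard_mumble_port"

# ---
# Services: Jitsi / Jibri
# ---

fw_jitsi_server_ips: ""
fw_forward_jitsi_server_ips: ""
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
# Comma-separated: "$var" references and literal ports may be mixed.
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_dovecot_auth: false
fw_jitsi_dovecot_host: ""
# NOTE(review): "dovecout" looks like a misspelling of "dovecot"; as with the
# Mattermost variables above, check the script's variable name before changing.
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
fw_jitsi_jibri_remote_auth: false
fw_jitsi_jibri_remote_ips: ""
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
fw_jibri_server_ips: ""
fw_forward_jibri_server_ips: ""
fw_jibri_remote_jitsi_server: ""
fw_jibri_remote_auth_port: "$default_jibri_out_port"

# ---
# Services: TURN / STUN (Nextcloud Talk)
# ---

fw_nc_turn_server_ips: ""
fw_forward_nc_turn_server_ips: ""
fw_nc_turn_ports: "$standard_turn_service_ports"
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"

# ---
# Services: TFTP
# ---

fw_tftp_server_ips: ""

# ---
# Services: Prometheus
# ---

fw_prometheus_local_server_ips: ""
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
fw_prometheus_local_client_ips: ""
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
fw_prometheus_remote_server_ips: ""

# ---
# Services: Munin
# NOTE(review): the remote port is taken from $standard_munin_port while the
# local port is the literal "4949"; presumably both are meant to be the same
# port — confirm against the script before unifying.
# ---

fw_munin_server_ips: ""
fw_forward_munin_server_ips: ""
fw_munin_remote_port: "$standard_munin_port"
fw_munin_local_port: "4949"

# ---
# Services: Xymon
# ---

fw_xymon_server_ips: ""
fw_local_xymon_client: false
fw_xymon_port: "$standard_xymon_port"

# ---
# Protocols out: Rsync
# ---

fw_rsync_out_ips: ""
fw_forward_rsync_out_ips: ""
fw_rsync_ports: "873"

# ---
# Special ports (OUT)
# ---

fw_tcp_out_ports: ""
fw_forward_tcp_out_ports: ""
fw_udp_out_ports: ""
fw_forward_udp_out_ports: ""

# ---
# Portforwarding (protocol-specific formats)
# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
# ---

fw_portforward_tcp_v4: ""
fw_portforward_udp_v4: ""
fw_portforward_tcp_v6: ""
fw_portforward_udp_v6: ""

# ---
# Blocked IPs / ports
# Space-separated port lists; "a:b" is a range. The defaults cover portmapper,
# ident, MS-RPC, NetBIOS and SMB ports.
# ---

fw_blocked_ips: ""
fw_block_tcp_ports: "111 113 135 137:139 445"
fw_block_udp_ports: "111 137:139"

# ---
# Special / counters
# NOTE(review): fw_create_iperf_rules is enabled by default; confirm which
# rules it adds in the script before relying on a default-deny posture for
# hosts that never run iperf.
# ---

fw_create_traffic_counter: true
fw_create_iperf_rules: true

# ---
# Protection
# All three hardening rule sets are on by default.
# ---

fw_protection_against_syn_flooding: true
fw_protection_against_port_scanning: true
fw_protection_against_ssh_brute_force_attacks: true

# ---
# Connection limits
# The mixed-case "_IP" in these key names is part of the existing interface
# and is kept for compatibility with host_vars and templates.
# ---

fw_limit_connections_per_source_IP: true
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
fw_limit_new_tcp_connections_per_seconds_ports: ""

# ---
# Kernel parameters — IPv4
# These presumably map to net.ipv4 sysctls set by the firewall script; the
# exact sysctl names are defined there, not here. Forwarding and dynaddr are
# off, the anti-spoofing / anti-redirect settings are on, martian logging is off.
# ---

fw_kernel_activate_forwarding: false
fw_kernel_support_dynaddr: false
fw_dynaddr_flag: "5"
fw_kernel_reduce_timeouts: true
fw_kernel_tcp_syncookies: true
fw_kernel_protect_against_icmp_bogus_messages: true
fw_kernel_ignore_broadcast_ping: true
fw_kernel_deactivate_source_route: true
fw_kernel_dont_accept_redirects: true
fw_kernel_activate_rp_filter: true
fw_kernel_log_martians: false

# ---
# Kernel parameters — IPv6
# ---

fw_kernel_forward_between_interfaces: false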