oopen-server/roles/ipt-server/templates/etc/ipt-firewall/main_ipv6.conf.j2
chris 9798ca9cd6 Add ipt-server role with firewall configuration and management
- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00


#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configuration: IPv6 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v6 }}"
# -------------
# --- Access control (source-based)
# --- Note: IPv6 entries use a comma as the field separator (not a colon,
# --- since IPv6 addresses themselves contain colons)
# -------------
# restrict_local_service_to_net="<ext-net>,<local-address>,<port>,<protocol>"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v6 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v6 }}"
# allow_local_service="<port>,<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v6 }}"
# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="2001:678:a40:3000::/64"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv6 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv6)
# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v6 }}"
portforward_udp="{{ fw_portforward_udp_v6 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv6)
# -------------
kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}