2020-07-10 18:04:20 +02:00
|
|
|
---
|
2020-07-10 19:17:56 +02:00
|
|
|
iptables_persistent_enabled: True
|
|
|
|
#iptables_default_policy: REJECT
|
|
|
|
iptables_default_policy: ACCEPT
|
|
|
|
iptables_nat_enabled: False
|
|
|
|
iptables_nat_specify_interfaces: True
|
|
|
|
iptables_post_nat_enabled: False
|
|
|
|
iptables_nat_interfaces:
|
|
|
|
- '{{ ansible_default_ipv4.interface }}'
|
|
|
|
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
|
|
|
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
|
|
|
iptables_banned_default_policy: DROP
|
|
|
|
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
|
|
|
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
|
|
|
ganglia_enabled: False
|
|
|
|
nagios_enabled: False
|
|
|
|
iptables_open_all_to_isti_nets: False
|
|
|
|
tomcat_cluster_enabled: False
|
|
|
|
# Another variable needs to be defined before the db rules are set
|
|
|
|
psql_firewall_enabled: True
|
|
|
|
mysql_firewall_enabled: True
|
|
|
|
|
|
|
|
iptables_deb_pkgs:
|
|
|
|
- iptables
|
|
|
|
- iptables-persistent
|
|
|
|
|
|
|
|
#
|
|
|
|
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
|
|
|
|
#
|
|
|
|
#pg_allowed_hosts:
|
|
|
|
# - 146.48.123.17/32
|
|
|
|
# - 146.48.122.110/32
|
|
|
|
#
|
|
|
|
#munin_server:
|
|
|
|
# - 146.48.122.15
|
|
|
|
# - 146.48.87.88
|
|
|
|
#http_port: 80
|
|
|
|
#http_allowed_hosts:
|
|
|
|
# - 1.2.3.4/24
|
|
|
|
#https_port: 443
|
|
|
|
#https_allowed_hosts:
|
|
|
|
# - 0.0.0.0/0
|
|
|
|
#
|
|
|
|
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
|
|
|
|
# iptables:
|
|
|
|
# tcp_rules: True
|
|
|
|
# tcp:
|
|
|
|
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
|
|
|
|
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
|
|
|
|
# - { port: '80' }
|
|
|
|
# udp_rules: True
|
|
|
|
# udp:
|
|
|
|
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
|
|
|
|
|
|
|
|
# munin_server:
|
|
|
|
# - 146.48.122.15
|
|
|
|
# - 146.48.87.88
|
|
|
|
|
|
|
|
#nagios_monitoring_server_ip: 146.48.123.23
|
|
|
|
#mongodb:
|
|
|
|
# start_server: 'yes'
|
|
|
|
# tcp_port: 27017
|
|
|
|
# allowed_hosts:
|
|
|
|
# - 146.48.123.100/32
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# firewalld
|
|
|
|
#
|
|
|
|
firewalld_enabled: True
|
|
|
|
firewalld_default_zone: public
|
|
|
|
firewalld_ssh_enabled_on_default_zone: True
|
|
|
|
|
|
|
|
firewalld_rules:
|
|
|
|
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
|
|
|
|
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
|
|
|
|
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
|
|
|
|
|
|
|
|
#firewalld_new_services:
|
|
|
|
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
|
|
|
|
|
|
|
|
# We execute direct rules as they are written
|
|
|
|
# firewalld_direct_rules:
|
|
|
|
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
|
|
|
|
|
|
|
|
# firewalld_zones_interfaces:
|
|
|
|
# - { interface: 'eth1', zone: 'internal' }
|