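---
# Defaults for the iptables / firewalld role. Booleans are written as the
# canonical lowercase true/false (True/False parse the same under YAML 1.1
# but are flagged by yamllint's truthy rule).

# Whether the iptables-persistent package/service keeps rules across reboots.
iptables_persistent_enabled: true

# Options: ACCEPT, REJECT, DROP
# NOTE(review): an iptables built-in chain policy (-P) only accepts ACCEPT or
# DROP; REJECT can only take effect if iptables-rules.v4.j2 emits it as a
# trailing catch-all rule rather than a chain policy — confirm in the template.
# ACCEPT is the permissive default; a hardened host would set DROP or REJECT.
iptables_default_policy: ACCEPT
iptables6_default_policy: '{{ iptables_default_policy }}'
iptables_log_untracked_traffic: false

# NAT is off unless a play opts in; the interface list defaults to the
# primary interface from gathered facts, so fact gathering must be enabled
# (presumably — the template that consumes it is not visible here).
iptables_nat_enabled: false
iptables_nat_specify_interfaces: true
iptables_post_nat_enabled: false
iptables_nat_interfaces:
  - '{{ ansible_default_ipv4.interface }}'

# Per-chain policies inherit the global default unless overridden.
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
# These two are rule targets (a full "-j ..." argument), not chain policies.
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'

nagios_enabled: false
iptables_open_all_to_isti_nets: false
jgroups_cluster_enabled: false

# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: true
mysql_firewall_enabled: true

iptables_deb_pkgs:
  - iptables
  - iptables-persistent

#
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
#
#pg_allowed_hosts:
#  - 146.48.123.17/32
#  - 146.48.122.110/32
#
#munin_server:
#  - 146.48.122.15
#  - 146.48.87.88
#http_port: 80
#http_allowed_hosts:
#  - 1.2.3.4/24
#https_port: 443
#https_allowed_hosts:
#  - 0.0.0.0/0    # 0.0.0.0/0 opens the port to every source address
#
# Generic tcp and udp access. The 'policy' field is optional; if it is not
# present the policy is set to 'ACCEPT'. 'policy' is a key of the rule itself,
# a sibling of 'port' and 'allowed_hosts' — inside the allowed_hosts brackets
# it would be parsed as a fourth list element, not as the rule's policy.
# A rule without 'allowed_hosts' (e.g. port '80' below) presumably matches any
# source address — check the template before relying on it.
# iptables:
#   tcp_rules: true
#   tcp:
#     - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ], policy: 'ACCEPT' }
#     - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ], policy: 'REJECT' }
#     - { port: '80' }
#   udp_rules: true
#   udp:
#     - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ], policy: 'DROP' }
# munin_server:
#   - 146.48.122.15
#   - 146.48.87.88
#nagios_monitoring_server_ip: 146.48.123.23
#mongodb:
#  start_server: 'yes'
#  tcp_port: 27017
#  allowed_hosts:
#    - 146.48.123.100/32

#
# firewalld
#
firewalld_enabled: true
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: true
# Explicit empty list: a bare "firewalld_rules:" parses as null, which is not
# iterable where a loop over the rules expects a list.
firewalld_rules: []
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
#  - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }

# We execute direct rules as they are written: the 'parameters' string is
# passed through verbatim with no validation, so these values should only
# come from trusted inventory, never from host-supplied data.
# firewalld_direct_rules:
#   - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
#   - { interface: 'eth1', zone: 'internal' }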