Saltstack Official FirewallD Formula
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.

před 10 roky
před 10 roky
před 10 roky
před 10 roky
před 10 roky
před 10 roky
před 6 roky
před 6 roky
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
  1. {% set firewalld = pillar.get('firewalld', {}) -%}
  2. #
  3. # This file is managed/generated by salt.
  4. # Do not edit this file manually, it will be overwritten!
  5. # Modify the salt pillar for firewalld instead
  6. #
  7. # firewalld config file
  8. # default zone
  9. # The default zone used if an empty zone string is used.
  10. # Default: public
  11. DefaultZone={{ firewalld.default_zone|default('public') }}
  12. # Clean up on exit
  13. # If set to no or false the firewall configuration will not get cleaned up
  14. # on exit or stop of firewalld.
  15. # Default: yes
  16. CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}
  17. # Clean up kernel modules on exit
  18. # If set to yes or true the firewall related kernel modules will be
  19. # unloaded on exit or stop of firewalld. This might attempt to unload
  20. # modules not originally loaded by firewalld.
  21. # Default: no
  22. CleanupModulesOnExit={{ firewalld.cleanup_module_on_exit|default('no') }}
  23. # Lockdown
  24. # If set to enabled, firewall changes with the D-Bus interface will be limited
  25. # to applications that are listed in the lockdown whitelist.
  26. # The lockdown whitelist file is lockdown-whitelist.xml
  27. # Default: no
  28. Lockdown={{ firewalld.lockdown|default('no') }}
  29. # IPv6_rpfilter
  30. # Performs a reverse path filter test on a packet for IPv6. If a reply to the
  31. # packet would be sent via the same interface that the packet arrived on, the
  32. # packet will match and be accepted, otherwise dropped.
  33. # The rp_filter for IPv4 is controlled using sysctl.
  34. # Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
  35. # for details.
  36. # Default: yes
  37. IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}
  38. {%- if firewalld.get('IndividualCalls', False) %}
  39. # IndividualCalls
  40. # Do not use combined -restore calls, but individual calls. This increases the
  41. # time that is needed to apply changes and to start the daemon, but is good for
  42. # debugging.
  43. # Default: no
  44. IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
  45. {%- endif %}
  46. {%- if firewalld.get('LogDenied', False) %}
  47. # LogDenied
  48. # Add logging rules right before reject and drop rules in the INPUT, FORWARD
  49. # and OUTPUT chains for the default rules and also final reject and drop rules
  50. # in zones. Possible values are: all, unicast, broadcast, multicast and off.
  51. # Default: off
  52. LogDenied={{ firewalld.LogDenied|default('off') }}
  53. {%- endif %}
  54. {%- if firewalld.get('AutomaticHelpers', False) %}
  55. # AutomaticHelpers
  56. # For the secure use of iptables and connection tracking helpers it is
  57. # recommended to turn AutomaticHelpers off. But this might have side effects on
  58. # other services using the netfilter helpers as the sysctl setting in
  59. # /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
  60. # With the system setting, the default value set in the kernel or with sysctl
  61. # will be used. Possible values are: yes, no and system.
  62. # Default: system
  63. AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
  64. {%- endif %}
  65. {%- if firewalld.get('FirewallBackend', False) %}
  66. # FirewallBackend
  67. # Selects the firewall backend implementation.
  68. # Choices are:
  69. # - nftables (default)
  70. # - iptables (iptables, ip6tables, ebtables and ipset)
  71. # Note: The iptables backend is deprecated. It will be removed in a future
  72. # release.
  73. FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
  74. {%- endif %}
  75. {%- if firewalld.get('FlushAllOnReload', False) %}
  76. # FlushAllOnReload
  77. # Flush all runtime rules on a reload. In previous releases some runtime
  78. # configuration was retained during a reload, namely; interface to zone
  79. # assignment, and direct rules. This was confusing to users. To get the old
  80. # behavior set this to "no".
  81. # Default: yes
  82. FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
  83. {%- endif %}
  84. {%- if firewalld.get('RFC3964_IPv4', False) %}
  85. # RFC3964_IPv4
  86. # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
  87. # correspond to IPv4 addresses that should not be routed over the public
  88. # internet.
  89. # Defaults to "yes".
  90. RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
  91. {%- endif %}
  92. {%- if firewalld.get('AllowZoneDrifting', False) %}
  93. # AllowZoneDrifting
  94. # Older versions of firewalld had undocumented behavior known as "zone
  95. # drifting". This allowed packets to ingress multiple zones - this is a
  96. # violation of zone based firewalls. However, some users rely on this behavior
  97. # to have a "catch-all" zone, e.g. the default zone. You can enable this if you
  98. # desire such behavior. It's disabled by default for security reasons. Note: If
  99. # "yes" packets will only drift from source based zones to interface based
  100. # zones (including the default zone). Packets never drift from interface based
  101. # zones to other interfaces based zones (including the default zone). Valid
  102. # values; "yes", "no".
  103. # Defaults to "no".
  104. AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
  105. {%- endif %}