|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 |
- {% set firewalld = pillar.get('firewalld', {}) -%}
- #
- # This file is managed/generated by salt.
- # Do not edit this file manually, it will be overwritten!
- # Modify the salt pillar for firewalld instead
- #
- # firewalld config file
-
- # default zone
- # The default zone used if an empty zone string is used.
- # Default: public
- DefaultZone={{ firewalld.default_zone|default('public') }}
-
- # Minimal mark
- # Marks up to this minimum are free for use for example in the direct
- # interface. If more free marks are needed, increase the minimum
- # Default: 100
- MinimalMark={{ firewalld.minimal_mark|default('100') }}
-
- # Clean up on exit
- # If set to no or false the firewall configuration will not get cleaned up
- # on exit or stop of firewalld
- # Default: yes
- CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}
-
- # Lockdown
- # If set to enabled, firewall changes with the D-Bus interface will be limited
- # to applications that are listed in the lockdown whitelist.
- # The lockdown whitelist file is lockdown-whitelist.xml
- # Default: no
- Lockdown={{ firewalld.lockdown|default('no') }}
-
- # IPv6_rpfilter
- # Performs a reverse path filter test on a packet for IPv6. If a reply to the
- # packet would be sent via the same interface that the packet arrived on, the
- # packet will match and be accepted, otherwise dropped.
- # The rp_filter for IPv4 is controlled using sysctl.
- # Default: yes
- IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}
- {%- if firewalld.get('IndividualCalls', False) %}
-
- # IndividualCalls
- # Do not use combined -restore calls, but individual calls. This increases the
- # time that is needed to apply changes and to start the daemon, but is good for
- # debugging.
- # Default: no
- IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
- {%- endif %}
- {%- if firewalld.get('LogDenied', False) %}
-
- # LogDenied
- # Add logging rules right before reject and drop rules in the INPUT, FORWARD
- # and OUTPUT chains for the default rules and also final reject and drop rules
- # in zones. Possible values are: all, unicast, broadcast, multicast and off.
- # Default: off
- LogDenied={{ firewalld.LogDenied|default('off') }}
- {%- endif %}
- {%- if firewalld.get('AutomaticHelpers', False) %}
-
- # AutomaticHelpers
- # For the secure use of iptables and connection tracking helpers it is
- # recommended to turn AutomaticHelpers off. But this might have side effects on
- # other services using the netfilter helpers as the sysctl setting in
- # /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
- # With the system setting, the default value set in the kernel or with sysctl
- # will be used. Possible values are: yes, no and system.
- # Default: system
- AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
- {%- endif %}
- {%- if firewalld.get('FirewallBackend', False) %}
-
- # FirewallBackend
- # Selects the firewall backend implementation.
- # Choices are:
- # - nftables (default)
- # - iptables (iptables, ip6tables, ebtables and ipset)
- FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
- {%- endif %}
- {%- if firewalld.get('FlushAllOnReload', False) %}
-
- # FlushAllOnReload
- # Flush all runtime rules on a reload. In previous releases some runtime
- # configuration was retained during a reload, namely; interface to zone
- # assignment, and direct rules. This was confusing to users. To get the old
- # behavior set this to "no".
- # Default: yes
- FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
- {%- endif %}
- {%- if firewalld.get('RFC3964_IPv4', False) %}
-
- # RFC3964_IPv4
- # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
- # correspond to IPv4 addresses that should not be routed over the public
- # internet.
- # Defaults to "yes".
- RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
- {%- endif %}
- {%- if firewalld.get('AllowZoneDrifting', False) %}
-
- # AllowZoneDrifting
- # Older versions of firewalld had undocumented behavior known as "zone
- # drifting". This allowed packets to ingress multiple zones - this is a
- # violation of zone based firewalls. However, some users rely on this behavior
- # to have a "catch-all" zone, e.g. the default zone. You can enable this if you
- # desire such behavior. It's disabled by default for security reasons. Note: If
- # "yes" packets will only drift from source based zones to interface based
- # zones (including the default zone). Packets never drift from interface based
- # zones to other interfaces based zones (including the default zone). Valid
- # values; "yes", "no".
- # Defaults to "no".
- AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
- {%- endif %}
|