Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

firewalld.conf 3.7KB

10 年之前
10 年之前
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
  1. {% set firewalld = pillar.get('firewalld', {}) -%}
  2. #
  3. # This file is managed/generated by salt.
  4. # Do not edit this file manually, it will be overwritten!
  5. # Modify the salt pillar for firewalld instead
  6. #
  7. # firewalld config file
  8. # default zone
  9. # The default zone used if an empty zone string is used.
  10. # Default: public
  11. DefaultZone={{ firewalld.default_zone|default('public') }}
  12. # Minimal mark
  13. # Marks up to this minimum are free for use for example in the direct
  14. # interface. If more free marks are needed, increase the minimum
  15. # Default: 100
  16. MinimalMark={{ firewalld.minimal_mark|default('100') }}
  17. # Clean up on exit
  18. # If set to no or false the firewall configuration will not get cleaned up
  19. # on exit or stop of firewalld
  20. # Default: yes
  21. CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}
  22. # Lockdown
  23. # If set to enabled, firewall changes with the D-Bus interface will be limited
  24. # to applications that are listed in the lockdown whitelist.
  25. # The lockdown whitelist file is lockdown-whitelist.xml
  26. # Default: no
  27. Lockdown={{ firewalld.lockdown|default('no') }}
  28. # IPv6_rpfilter
  29. # Performs a reverse path filter test on a packet for IPv6. If a reply to the
  30. # packet would be sent via the same interface that the packet arrived on, the
  31. # packet will match and be accepted, otherwise dropped.
  32. # The rp_filter for IPv4 is controlled using sysctl.
  33. # Default: yes
  34. IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}
  35. {%- if firewalld.get('IndividualCalls', False) %}
  36. # IndividualCalls
  37. # Do not use combined -restore calls, but individual calls. This increases the
  38. # time that is needed to apply changes and to start the daemon, but is good for
  39. # debugging.
  40. # Default: no
  41. IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
  42. {%- endif %}
  43. {%- if firewalld.get('LogDenied', False) %}
  44. # LogDenied
  45. # Add logging rules right before reject and drop rules in the INPUT, FORWARD
  46. # and OUTPUT chains for the default rules and also final reject and drop rules
  47. # in zones. Possible values are: all, unicast, broadcast, multicast and off.
  48. # Default: off
  49. LogDenied={{ firewalld.LogDenied|default('off') }}
  50. {%- endif %}
  51. {%- if firewalld.get('AutomaticHelpers', False) %}
  52. # AutomaticHelpers
  53. # For the secure use of iptables and connection tracking helpers it is
  54. # recommended to turn AutomaticHelpers off. But this might have side effects on
  55. # other services using the netfilter helpers as the sysctl setting in
  56. # /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
  57. # With the system setting, the default value set in the kernel or with sysctl
  58. # will be used. Possible values are: yes, no and system.
  59. # Default: system
  60. AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
  61. {%- endif %}
  62. {%- if firewalld.get('FirewallBackend', False) %}
  63. # FirewallBackend
  64. # Selects the firewall backend implementation.
  65. # Choices are:
  66. # - nftables (default)
  67. # - iptables (iptables, ip6tables, ebtables and ipset)
  68. FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
  69. {%- endif %}
  70. {%- if firewalld.get('FlushAllOnReload', False) %}
  71. # FlushAllOnReload
  72. # Flush all runtime rules on a reload. In previous releases some runtime
  73. # configuration was retained during a reload, namely; interface to zone
  74. # assignment, and direct rules. This was confusing to users. To get the old
  75. # behavior set this to "no".
  76. # Default: yes
  77. FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
  78. {%- endif %}
  79. {%- if firewalld.get('RFC3964_IPv4', False) %}
  80. # RFC3964_IPv4
  81. # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
  82. # correspond to IPv4 addresses that should not be routed over the public
  83. # internet.
  84. # Defaults to "yes".
  85. RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
  86. {%- endif %}