ExternalMirrors
/
firewalld-formula
spegling av https://github.com/saltstack-formulas/firewalld-formula
Bevaka 1
Stjärnmärk 0
Förgrening 1
Kod Ärenden 0 Släpp 14 Wiki Aktiviteter
Saltstack Official FirewallD Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
247 Incheckningar
1 Gren
Gren: master
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'master'
${ noResults }
firewalld-formula/firewalld/files/firewalld.conf

118 lines
4.7KB
Permalänk Blame Historik 

  1. {% set firewalld  = pillar.get('firewalld', {}) -%}

  2. #

  3. #  This file is managed/generated by salt.

  4. #  Do not edit this file manually, it will be overwritten!

  5. #  Modify the salt pillar for firewalld instead

  6. #

  7. # firewalld config file

  8. 

  9. # default zone

  10. # The default zone used if an empty zone string is used.

  11. # Default: public

  12. DefaultZone={{ firewalld.default_zone|default('public') }}

  13. 

  14. # Clean up on exit

  15. # If set to no or false the firewall configuration will not get cleaned up

  16. # on exit or stop of firewalld.

  17. # Default: yes

  18. CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}

  19. 

  20. # Clean up kernel modules on exit

  21. # If set to yes or true the firewall related kernel modules will be

  22. # unloaded on exit or stop of firewalld. This might attempt to unload

  23. # modules not originally loaded by firewalld.

  24. # Default: no

  25. CleanupModulesOnExit={{ firewalld.cleanup_module_on_exit|default('no') }}

  26. 

  27. # Lockdown

  28. # If set to enabled, firewall changes with the D-Bus interface will be limited

  29. # to applications that are listed in the lockdown whitelist.

  30. # The lockdown whitelist file is lockdown-whitelist.xml

  31. # Default: no

  32. Lockdown={{ firewalld.lockdown|default('no') }}

  33. 

  34. # IPv6_rpfilter

  35. # Performs a reverse path filter test on a packet for IPv6. If a reply to the

  36. # packet would be sent via the same interface that the packet arrived on, the

  37. # packet will match and be accepted, otherwise dropped.

  38. # The rp_filter for IPv4 is controlled using sysctl.

  39. # Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)

  40. # for details.

  41. # Default: yes

  42. IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}

  43. {%- if firewalld.get('IndividualCalls', False) %}

  44. 

  45. # IndividualCalls

  46. # Do not use combined -restore calls, but individual calls. This increases the

  47. # time that is needed to apply changes and to start the daemon, but is good for

  48. # debugging.

  49. # Default: no

  50. IndividualCalls={{ firewalld.IndividualCalls|default('no') }}

  51. {%- endif %}

  52. {%- if firewalld.get('LogDenied', False) %}

  53. 

  54. # LogDenied

  55. # Add logging rules right before reject and drop rules in the INPUT, FORWARD

  56. # and OUTPUT chains for the default rules and also final reject and drop rules

  57. # in zones. Possible values are: all, unicast, broadcast, multicast and off.

  58. # Default: off

  59. LogDenied={{ firewalld.LogDenied|default('off') }}

  60. {%- endif %}

  61. {%- if firewalld.get('AutomaticHelpers', False) %}

  62. 

  63. # AutomaticHelpers

  64. # For the secure use of iptables and connection tracking helpers it is

  65. # recommended to turn AutomaticHelpers off. But this might have side effects on

  66. # other services using the netfilter helpers as the sysctl setting in

  67. # /proc/sys/net/netfilter/nf_conntrack_helper will be changed.

  68. # With the system setting, the default value set in the kernel or with sysctl

  69. # will be used. Possible values are: yes, no and system.

  70. # Default: system

  71. AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}

  72. {%- endif %}

  73. {%- if firewalld.get('FirewallBackend', False) %}

  74. 

  75. # FirewallBackend

  76. # Selects the firewall backend implementation.

  77. # Choices are:

  78. #	- nftables (default)

  79. #	- iptables (iptables, ip6tables, ebtables and ipset)

  80. # Note: The iptables backend is deprecated. It will be removed in a future

  81. # release.

  82. FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}

  83. {%- endif %}

  84. {%- if firewalld.get('FlushAllOnReload', False) %}

  85. 

  86. # FlushAllOnReload

  87. # Flush all runtime rules on a reload. In previous releases some runtime

  88. # configuration was retained during a reload, namely; interface to zone

  89. # assignment, and direct rules. This was confusing to users. To get the old

  90. # behavior set this to "no".

  91. # Default: yes

  92. FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}

  93. {%- endif %}

  94. {%- if firewalld.get('RFC3964_IPv4', False) %}

  95. 

  96. # RFC3964_IPv4

  97. # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that

  98. # correspond to IPv4 addresses that should not be routed over the public

  99. # internet.

  100. # Defaults to "yes".

  101. RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}

  102. {%- endif %}

  103. {%- if firewalld.get('AllowZoneDrifting', False) %}

  104. 

  105. # AllowZoneDrifting

  106. # Older versions of firewalld had undocumented behavior known as "zone

  107. # drifting". This allowed packets to ingress multiple zones - this is a

  108. # violation of zone based firewalls. However, some users rely on this behavior

  109. # to have a "catch-all" zone, e.g. the default zone. You can enable this if you

  110. # desire such behavior. It's disabled by default for security reasons. Note: If

  111. # "yes" packets will only drift from source based zones to interface based

  112. # zones (including the default zone). Packets never drift from interface based

  113. # zones to other interfaces based zones (including the default zone). Valid

  114. # values; "yes", "no".

  115. # Defaults to "no".

  116. AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}

  117. {%- endif %}