ExternalMirrors
/
firewalld-formula
镜像来自 https://github.com/saltstack-formulas/firewalld-formula
關註 1
收藏 0
複製 1
程式碼 問題管理 0 版本發佈 14 Wiki Activity
Saltstack Official FirewallD Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
244 Commit
1 分支
目錄樹: 63fe97a43a
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '63fe97a43a'
${ noResults }
firewalld-formula/firewalld/files/firewalld.conf

113 line
4.4KB
原始文件 Blame 文件歷史 

  1. {% set firewalld  = pillar.get('firewalld', {}) -%}

  2. #

  3. #  This file is managed/generated by salt.

  4. #  Do not edit this file manually, it will be overwritten!

  5. #  Modify the salt pillar for firewalld instead

  6. #

  7. # firewalld config file

  8. 

  9. # default zone

  10. # The default zone used if an empty zone string is used.

  11. # Default: public

  12. DefaultZone={{ firewalld.default_zone|default('public') }}

  13. 

  14. # Minimal mark

  15. # Marks up to this minimum are free for use for example in the direct 

  16. # interface. If more free marks are needed, increase the minimum

  17. # Default: 100

  18. MinimalMark={{ firewalld.minimal_mark|default('100') }}

  19. 

  20. # Clean up on exit

  21. # If set to no or false the firewall configuration will not get cleaned up

  22. # on exit or stop of firewalld

  23. # Default: yes

  24. CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}

  25. 

  26. # Lockdown

  27. # If set to enabled, firewall changes with the D-Bus interface will be limited

  28. # to applications that are listed in the lockdown whitelist.

  29. # The lockdown whitelist file is lockdown-whitelist.xml

  30. # Default: no

  31. Lockdown={{ firewalld.lockdown|default('no') }}

  32. 

  33. # IPv6_rpfilter

  34. # Performs a reverse path filter test on a packet for IPv6. If a reply to the

  35. # packet would be sent via the same interface that the packet arrived on, the 

  36. # packet will match and be accepted, otherwise dropped.

  37. # The rp_filter for IPv4 is controlled using sysctl.

  38. # Default: yes

  39. IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}

  40. {%- if firewalld.get('IndividualCalls', False) %}

  41. 

  42. # IndividualCalls

  43. # Do not use combined -restore calls, but individual calls. This increases the

  44. # time that is needed to apply changes and to start the daemon, but is good for

  45. # debugging.

  46. # Default: no

  47. IndividualCalls={{ firewalld.IndividualCalls|default('no') }}

  48. {%- endif %}

  49. {%- if firewalld.get('LogDenied', False) %}

  50. 

  51. # LogDenied

  52. # Add logging rules right before reject and drop rules in the INPUT, FORWARD

  53. # and OUTPUT chains for the default rules and also final reject and drop rules

  54. # in zones. Possible values are: all, unicast, broadcast, multicast and off.

  55. # Default: off

  56. LogDenied={{ firewalld.LogDenied|default('off') }}

  57. {%- endif %}

  58. {%- if firewalld.get('AutomaticHelpers', False) %}

  59. 

  60. # AutomaticHelpers

  61. # For the secure use of iptables and connection tracking helpers it is

  62. # recommended to turn AutomaticHelpers off. But this might have side effects on

  63. # other services using the netfilter helpers as the sysctl setting in

  64. # /proc/sys/net/netfilter/nf_conntrack_helper will be changed.

  65. # With the system setting, the default value set in the kernel or with sysctl

  66. # will be used. Possible values are: yes, no and system.

  67. # Default: system

  68. AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}

  69. {%- endif %}

  70. {%- if firewalld.get('FirewallBackend', False) %}

  71. 

  72. # FirewallBackend

  73. # Selects the firewall backend implementation.

  74. # Choices are:

  75. #	- nftables (default)

  76. #	- iptables (iptables, ip6tables, ebtables and ipset)

  77. FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}

  78. {%- endif %}

  79. {%- if firewalld.get('FlushAllOnReload', False) %}

  80. 

  81. # FlushAllOnReload

  82. # Flush all runtime rules on a reload. In previous releases some runtime

  83. # configuration was retained during a reload, namely; interface to zone

  84. # assignment, and direct rules. This was confusing to users. To get the old

  85. # behavior set this to "no".

  86. # Default: yes

  87. FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}

  88. {%- endif %}

  89. {%- if firewalld.get('RFC3964_IPv4', False) %}

  90. 

  91. # RFC3964_IPv4

  92. # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that

  93. # correspond to IPv4 addresses that should not be routed over the public

  94. # internet.

  95. # Defaults to "yes".

  96. RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}

  97. {%- endif %}

  98. {%- if firewalld.get('AllowZoneDrifting', False) %}

  99. 

  100. # AllowZoneDrifting

  101. # Older versions of firewalld had undocumented behavior known as "zone

  102. # drifting". This allowed packets to ingress multiple zones - this is a

  103. # violation of zone based firewalls. However, some users rely on this behavior

  104. # to have a "catch-all" zone, e.g. the default zone. You can enable this if you

  105. # desire such behavior. It's disabled by default for security reasons. Note: If

  106. # "yes" packets will only drift from source based zones to interface based

  107. # zones (including the default zone). Packets never drift from interface based

  108. # zones to other interfaces based zones (including the default zone). Valid

  109. # values; "yes", "no".

  110. # Defaults to "no".

  111. AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}

  112. {%- endif %}