|
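---
# Firewall (ufw) configuration data. The top-level layout is: global
# `enabled` flag, daemon `settings`, kernel `sysctl` values, then the
# per-port/service, per-application and per-interface rule sets.
# Indentation below is the intended nesting; booleans are written in the
# canonical lowercase form so they parse identically under YAML 1.1 and 1.2.
ufw:
  enabled: true

  settings:
    loglevel: low
    ipv6: true
    # Default chain policies: inbound and forwarded traffic is dropped
    # unless a rule below allows it; outbound traffic is accepted.
    default_input_policy: 'DROP'
    default_output_policy: 'ACCEPT'
    default_forward_policy: 'DROP'
    default_application_policy: 'SKIP'
    manage_builtins: false
    ipt_sysctl: '/etc/ufw/sysctl.conf'
    # Connection-tracking helper modules to load (FTP and NetBIOS name
    # service); each helper widens the kernel's parsing surface, so keep
    # only the ones a listed service actually needs.
    ipt_modules:
      - nf_conntrack_ftp
      - nf_nat_ftp
      - nf_conntrack_netbios_ns

  # Kernel network parameters; presumably written to the ipt_sysctl path
  # above by the consuming tool — confirm against its template.
  sysctl:
    forwarding: 1
    rp_filter: 1
    accept_source_route: 0
    accept_redirects: 0
    icmp_echo_ignore_broadcasts: 1
    icmp_ignore_bogus_error_responses: 1
    icmp_echo_ignore_all: 0
    # NOTE(review): 0 suppresses logging of packets with impossible source
    # addresses; 1 is the usual value when such events should be detectable.
    log_martians: 0
    # NOTE(review): 0 disables SYN cookies, the kernel's SYN-flood
    # mitigation; hardening baselines set this to 1. Confirm this is
    # intentional for the hosts this data targets.
    tcp_syncookies: 0
    tcp_sack: 1
    ipv6_autoconf: 1
    use_tempaddr: 1

  # Port/service rules. Keys are service names, bare ports, or quoted port
  # ranges and lists. Bare numeric keys (139, 140, 170) parse as integers;
  # quote them (e.g. '139') if the consumer expects string keys. Without
  # `deny`/`limit` an entry is an allow rule; `from_addr`/`to_addr` scope
  # it to the given sources/destination.
  services:
    http:
      protocol: tcp
      from_addr:
        - 10.0.2.15
        - 10.0.2.16
      comment: Upstream loadbalancers

    https:
      protocol: tcp
      from_addr:
        - 10.0.0.0/8
      to_addr: 10.0.2.1
      comment: Intraweb portal

    smtp:
      protocol: tcp
      comment: Mail relay

    139:
      protocol: tcp
      comment: Netbios

    140:
      protocol: tcp
      deny: true

    # Blanket deny of all tcp ports from a single source host.
    '*':
      protocol: tcp
      deny: true
      from_addr: 10.0.0.1

    # The `/multiple` suffix presumably only makes this key distinct from
    # the '*' entry above so two wildcard rules can coexist; the actual
    # port is taken from `to_port` — confirm against the consumer.
    '*/multiple':
      to_port: '*'
      protocol: tcp
      deny: true
      from_addr:
        - 10.0.0.2
        - 10.0.0.3

    # `limit` presumably maps to ufw's rate-limited allow rule.
    170:
      limit: true
      protocol: tcp
      comment: Print service

    # Port range (quoted: a bare a:b value is ambiguous to YAML 1.1 parsers).
    "10000:20000":
      protocol: udp
      comment: We need ports, lots of ports

    # Port list (quoted so the comma is not read as a flow separator).
    "30000,40000":
      protocol: udp
      comment: Game server and admin

  # Rules keyed by ufw application profile name.
  applications:
    OpenSSH:
      enabled: true
      comment: We are using fail2ban anyway

    Saltmaster:
      limit: true

    Postgresql:
      deny: true

  # Per-interface entries; only a comment is given here, so what the
  # consumer does with an interface entry is not visible in this file.
  interfaces:
    eth1:
      comment: Honey pot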
|