Saltstack Official UFW Formula


{# Renders /etc/ufw/sysctl.conf from pillar. Each knob below is looked up as
   pillar ufw:sysctl:<name> and falls back to the literal default given here.
   The value is written into the generated file verbatim, with no type or
   range check, so a pillar typo (e.g. rp_filter: "strict") lands in the
   rendered file unchanged; keep pillar values to the integers the kernel
   accepts (0/1 for most keys; rp_filter and use_tempaddr also take 2 -- see
   the kernel ip-sysctl docs).
   NOTE(review): the defaults look copied from the stock ufw sysctl.conf;
   tcp_syncookies and log_martians default to 0 (off) here, which is the less
   defensive setting -- confirm that is intended for your hosts. -#}
{% set ufw_cfg = pillar.get('ufw', {}) -%}
{% set sysctl_cfg = ufw_cfg.get('sysctl', {}) -%}
{% set forwarding = sysctl_cfg.get('forwarding', 0) -%}
{% set rp_filter = sysctl_cfg.get('rp_filter', 1) -%}
{% set accept_source_route = sysctl_cfg.get('accept_source_route', 0) -%}
{% set accept_redirects = sysctl_cfg.get('accept_redirects', 0) -%}
{% set icmp_echo_ignore_broadcasts = sysctl_cfg.get('icmp_echo_ignore_broadcasts', 1) -%}
{% set icmp_ignore_bogus_error_responses = sysctl_cfg.get('icmp_ignore_bogus_error_responses', 1) -%}
{% set icmp_echo_ignore_all = sysctl_cfg.get('icmp_echo_ignore_all', 0) -%}
{% set log_martians = sysctl_cfg.get('log_martians', 0) -%}
{% set tcp_syncookies = sysctl_cfg.get('tcp_syncookies', 0) -%}
{% set tcp_sack = sysctl_cfg.get('tcp_sack', 1) -%}
{% set ipv6_autoconf = sysctl_cfg.get('ipv6_autoconf', 1) -%}
{% set use_tempaddr = sysctl_cfg.get('use_tempaddr', 1) -%}
# File managed by Salt. Do not edit manually.
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
# adjust IPT_SYSCTL in /etc/default/ufw.
#
# Every value below is taken from pillar ufw:sysctl:<name> (template default
# shown in brackets); change it in pillar, not in this file.
#
# forwarding [0]: set to 1 only on hosts that must route packets between
# interfaces. A single pillar key drives IPv4 ip_forward and both IPv6
# forwarding knobs together; they cannot be enabled separately from here.
net/ipv4/ip_forward={{ forwarding }}
net/ipv6/conf/default/forwarding={{ forwarding }}
net/ipv6/conf/all/forwarding={{ forwarding }}
# rp_filter [1]: Source Address Verification on all interfaces, to drop some
# spoofed packets. 1 is the strict reverse-path check; hosts with asymmetric
# routing may need the loose mode (2) instead -- see the kernel ip-sysctl docs.
net/ipv4/conf/default/rp_filter={{ rp_filter }}
net/ipv4/conf/all/rp_filter={{ rp_filter }}
# accept_source_route [0]: do not accept source-routed packets (we are not a
# router). Applied to IPv4 and IPv6 from the same pillar key.
net/ipv4/conf/default/accept_source_route={{ accept_source_route }}
net/ipv4/conf/all/accept_source_route={{ accept_source_route }}
net/ipv6/conf/default/accept_source_route={{ accept_source_route }}
net/ipv6/conf/all/accept_source_route={{ accept_source_route }}
# accept_redirects [0]: ignore ICMP redirects. They are rarely needed but can
# be used for MITM (man-in-the-middle) attacks. Only hosts that genuinely rely
# on a gateway redirecting them to a better next hop should set this to 1.
# Applied to IPv4 and IPv6 from the same pillar key.
net/ipv4/conf/default/accept_redirects={{ accept_redirects }}
net/ipv4/conf/all/accept_redirects={{ accept_redirects }}
net/ipv6/conf/default/accept_redirects={{ accept_redirects }}
net/ipv6/conf/all/accept_redirects={{ accept_redirects }}
# icmp_echo_ignore_broadcasts [1]: do not answer echo requests sent to a
# broadcast address (what makes a host usable as a ping amplifier).
# icmp_ignore_bogus_error_responses [1]: ignore (do not log) bogus ICMP errors.
# icmp_echo_ignore_all [0]: 1 makes the host ignore every echo request, so
# ping-based monitoring and reachability checks will stop working.
net/ipv4/icmp_echo_ignore_broadcasts={{ icmp_echo_ignore_broadcasts }}
net/ipv4/icmp_ignore_bogus_error_responses={{ icmp_ignore_bogus_error_responses }}
net/ipv4/icmp_echo_ignore_all={{ icmp_echo_ignore_all }}
# log_martians [0]: 0 does not log Martian packets (packets with impossible
# source or destination addresses). Set to 1 to log them -- useful for
# spotting spoofing attempts, at the cost of some kernel-log noise.
net/ipv4/conf/default/log_martians={{ log_martians }}
net/ipv4/conf/all/log_martians={{ log_martians }}
# tcp_syncookies [0]: set to 1 to enable TCP SYN cookies. The long-standing
# note that this disables TCP window scaling comes from the 2008 thread below;
# NOTE(review): on current kernels cookies are only used once the SYN backlog
# overflows, so confirm that caveat still applies before leaving this at 0.
# (http://lkml.org/lkml/2008/2/5/167)
net/ipv4/tcp_syncookies={{ tcp_syncookies }}
# The two settings below are not pillar-driven and are left commented out.
#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800
# tcp_sack [1]: normally allowing TCP SACK is fine, but set this to 0 if
# traffic passes through an OpenBSD 3.8 RELEASE or earlier pf firewall.
net/ipv4/tcp_sack={{ tcp_sack }}
# ipv6_autoconf [1]: 1 leaves IPv6 address autoconfiguration on; set to 0 to
# turn it off on hosts that must only use statically assigned (or DHCPv6)
# addresses.
net/ipv6/conf/default/autoconf={{ ipv6_autoconf }}
net/ipv6/conf/all/autoconf={{ ipv6_autoconf }}
# use_tempaddr [1]: IPv6 privacy (temporary) addressing. 0 disables it; the
# kernel also accepts 2 to prefer temporary addresses for outgoing traffic --
# see the kernel ip-sysctl docs.
net/ipv6/conf/default/use_tempaddr={{ use_tempaddr }}
net/ipv6/conf/all/use_tempaddr={{ use_tempaddr }}