|
- ufw:
-
- enabled: True
-
- settings:
- ipv6: True
- default_input_policy: 'DROP'
- default_output_policy: 'ACCEPT'
- default_forward_policy: 'DROP'
- default_application_policy: 'SKIP'
- manage_builtins: False
- ipt_sysctl: '/etc/ufw/sysctl.conf'
- ipt_modules:
- - nf_conntrack_ftp
- - nf_nat_ftp
- - nf_conntrack_netbios_ns
-
- sysctl:
- forwarding: 1
- rp_filter: 1
- accept_source_route: 0
- accept_redirects: 0
- icmp_echo_ignore_broadcasts: 1
- icmp_ignore_bogus_error_responses: 1
- icmp_echo_ignore_all: 0
- log_martians: 0
- tcp_syncookies: 0
- tcp_sack: 1
- ipv6_autoconf: 1
- use_tempaddr: 1
-
- services:
-
- # Allow 80/tcp (http) traffic from only two remote addresses.
- http:
- protocol: tcp
- from_addr:
- - 10.0.2.15
- - 10.0.2.16
-
- # Allow 443/tcp (https) traffic from network 10.0.0.0/8 to an specific local ip.
- https:
- protocol: tcp
- from_addr:
- - 10.0.0.0/8
- to_addr: 10.0.2.1
-
- # Allow from a service port.
- smtp:
- protocol: tcp
-
- # Allow from an specific port, by number.
- 139:
- protocol: tcp
-
- # Allow from a range of ports, udp.
- "10000:20000":
- protocol: udp
-
- # Allow from two specific ports, udp.
- "30000,40000":
- protocol: udp
-
- # Allow an application defined at /etc/ufw/applications.d/
- applications:
- OpenSSH:
- enabled: True
-
- # Allow all traffic in on the specified interface
- interfaces:
- - eth1
|
