firewalld-formula/firewalld/files/firewalld.conf

{% set firewalld  = pillar.get('firewalld', {}) -%}
#
#  This file is managed/generated by salt.
#  Do not edit this file manually, it will be overwritten!
#  Modify the salt pillar for firewalld instead
#
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone={{ firewalld.default_zone|default('public') }}

# Minimal mark
# Marks up to this minimum are free for use for example in the direct 
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark={{ firewalld.minimal_mark|default('100') }}

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown={{ firewalld.lockdown|default('no') }}

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the 
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}
{%- if firewalld.get('IndividualCalls', False) %}

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
{%- endif %}
{%- if firewalld.get('LogDenied', False) %}

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied={{ firewalld.LogDenied|default('off') }}
{%- endif %}
{%- if firewalld.get('AutomaticHelpers', False) %}

# AutomaticHelpers
# For the secure use of iptables and connection tracking helpers it is
# recommended to turn AutomaticHelpers off. But this might have side effects on
# other services using the netfilter helpers as the sysctl setting in
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
# With the system setting, the default value set in the kernel or with sysctl
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
{%- endif %}
{%- if firewalld.get('FirewallBackend', False) %}

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#	- nftables (default)
#	- iptables (iptables, ip6tables, ebtables and ipset)
FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
{%- endif %}
{%- if firewalld.get('FlushAllOnReload', False) %}

# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
# Default: yes
FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
{%- endif %}
{%- if firewalld.get('RFC3964_IPv4', False) %}

# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
# correspond to IPv4 addresses that should not be routed over the public
# internet.
# Defaults to "yes".
RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
{%- endif %}