Saltstack Official UFW Formula

ufw.default.tmpl.jinja 2.7KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354
  1. ########################################################################
  2. # File managed by Salt at <{{ source }}>.
  3. # Your changes will be overwritten.
  4. ########################################################################
  5. {%- set ipv6 = "yes" if ufw_settings.get('ipv6', True) else "no" %}
  6. {%- set default_input_policy = ufw_settings.get('default_input_policy', 'DROP') %}
  7. {%- set default_output_policy = ufw_settings.get('default_output_policy', 'ACCEPT') %}
  8. {%- set default_forward_policy = ufw_settings.get('default_forward_policy', 'DROP') %}
  9. {%- set default_application_policy = ufw_settings.get('default_application_policy', 'SKIP') %}
  10. {%- set manage_builtins = "yes" if ufw_settings.get('manage_builtins', False) else "no" %}
  11. {%- set ipt_sysctl = ufw_settings.get('ipt_sysctl', '/etc/ufw/sysctl.conf') %}
  12. {%- set ipt_modules = ufw_settings.get('ipt_modules', ['nf_conntrack_ftp', 'nf_nat_ftp', 'nf_conntrack_netbios_ns'])|join(" ") %}
  13. # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
  14. # accepted). You will need to 'disable' and then 'enable' the firewall for
  15. # the changes to take affect.
  16. IPV6={{ ipv6 }}
  17. # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
  18. # you change this you will most likely want to adjust your rules.
  19. DEFAULT_INPUT_POLICY="{{ default_input_policy }}"
  20. # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
  21. # you change this you will most likely want to adjust your rules.
  22. DEFAULT_OUTPUT_POLICY="{{ default_output_policy }}"
  23. # Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
  24. # if you change this you will most likely want to adjust your rules
  25. DEFAULT_FORWARD_POLICY="{{ default_forward_policy }}"
  26. # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
  27. # note that setting this to ACCEPT may be a security risk. See 'man ufw' for
  28. # details
  29. DEFAULT_APPLICATION_POLICY="{{ default_application_policy }}"
  30. # By default, ufw only touches its own chains. Set this to 'yes' to have ufw
  31. # manage the built-in chains too. Warning: setting this to 'yes' will break
  32. # non-ufw managed firewall rules
  33. MANAGE_BUILTINS={{ manage_builtins }}
  34. #
  35. # IPT backend
  36. #
  37. # only enable if using iptables backend
  38. IPT_SYSCTL={{ ipt_sysctl }}
  39. # Extra connection tracking modules to load. Complete list can be found in
  40. # net/netfilter/Kconfig of your kernel source. Some common modules:
  41. # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
  42. # nf_conntrack_netbios_ns: NetBIOS (samba) client support
  43. # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
  44. # nf_conntrack_ftp, nf_nat_ftp: active FTP support
  45. # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
  46. IPT_MODULES="{{ ipt_modules }}"