2014-08-23 16:44:48 +02:00
|
|
|
{% set firewalld = pillar.get('firewalld', {}) -%}
|
2017-05-25 23:51:04 +02:00
|
|
|
#
|
|
|
|
# This file is managed/generated by salt.
|
|
|
|
# Do not edit this file manually, it will be overwritten!
|
|
|
|
# Modify the salt pillar for firewalld instead
|
|
|
|
#
|
2014-08-23 16:44:48 +02:00
|
|
|
# firewalld config file
|
|
|
|
|
|
|
|
# default zone
|
|
|
|
# The default zone used if an empty zone string is used.
|
|
|
|
# Default: public
|
|
|
|
DefaultZone={{ firewalld.default_zone|default('public') }}
|
|
|
|
|
|
|
|
# Minimal mark
|
|
|
|
# Marks up to this minimum are free for use for example in the direct
|
|
|
|
# interface. If more free marks are needed, increase the minimum
|
|
|
|
# Default: 100
|
|
|
|
MinimalMark={{ firewalld.minimal_mark|default('100') }}
|
|
|
|
|
|
|
|
# Clean up on exit
|
|
|
|
# If set to no or false the firewall configuration will not get cleaned up
|
|
|
|
# on exit or stop of firewalld
|
|
|
|
# Default: yes
|
|
|
|
CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }}
|
|
|
|
|
|
|
|
# Lockdown
|
|
|
|
# If set to enabled, firewall changes with the D-Bus interface will be limited
|
|
|
|
# to applications that are listed in the lockdown whitelist.
|
|
|
|
# The lockdown whitelist file is lockdown-whitelist.xml
|
|
|
|
# Default: no
|
|
|
|
Lockdown={{ firewalld.lockdown|default('no') }}
|
|
|
|
|
|
|
|
# IPv6_rpfilter
|
|
|
|
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
|
|
|
|
# packet would be sent via the same interface that the packet arrived on, the
|
|
|
|
# packet will match and be accepted, otherwise dropped.
|
|
|
|
# The rp_filter for IPv4 is controlled using sysctl.
|
|
|
|
# Default: yes
|
|
|
|
IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }}
|
2016-09-19 16:02:35 +02:00
|
|
|
{%- if firewalld.get('IndividualCalls', False) %}
|
|
|
|
|
|
|
|
# IndividualCalls
|
|
|
|
# Do not use combined -restore calls, but individual calls. This increases the
|
|
|
|
# time that is needed to apply changes and to start the daemon, but is good for
|
|
|
|
# debugging.
|
|
|
|
# Default: no
|
|
|
|
IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
|
|
|
|
{%- endif %}
|
|
|
|
{%- if firewalld.get('LogDenied', False) %}
|
|
|
|
|
|
|
|
# LogDenied
|
|
|
|
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
|
|
|
|
# and OUTPUT chains for the default rules and also final reject and drop rules
|
|
|
|
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
|
|
|
|
# Default: off
|
|
|
|
LogDenied={{ firewalld.LogDenied|default('off') }}
|
|
|
|
{%- endif %}
|
2018-08-12 20:26:21 +02:00
|
|
|
{%- if firewalld.get('AutomaticHelpers', False) %}
|
2018-08-14 19:52:08 +02:00
|
|
|
|
2018-08-12 20:26:21 +02:00
|
|
|
# AutomaticHelpers
|
|
|
|
# For the secure use of iptables and connection tracking helpers it is
|
|
|
|
# recommended to turn AutomaticHelpers off. But this might have side effects on
|
|
|
|
# other services using the netfilter helpers as the sysctl setting in
|
|
|
|
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
|
|
|
|
# With the system setting, the default value set in the kernel or with sysctl
|
|
|
|
# will be used. Possible values are: yes, no and system.
|
|
|
|
# Default: system
|
|
|
|
AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
|
|
|
|
{%- endif %}
|
|
|
|
{%- if firewalld.get('FirewallBackend', False) %}
|
2018-08-14 19:52:08 +02:00
|
|
|
|
2018-08-12 20:26:21 +02:00
|
|
|
# FirewallBackend
|
|
|
|
# Selects the firewall backend implementation.
|
|
|
|
# Choices are:
|
|
|
|
# - nftables (default)
|
|
|
|
# - iptables (iptables, ip6tables, ebtables and ipset)
|
|
|
|
FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
|
|
|
|
{%- endif %}
|
2019-09-15 22:01:15 +02:00
|
|
|
{%- if firewalld.get('FlushAllOnReload', False) %}
|
|
|
|
|
|
|
|
# FlushAllOnReload
|
|
|
|
# Flush all runtime rules on a reload. In previous releases some runtime
|
|
|
|
# configuration was retained during a reload, namely; interface to zone
|
|
|
|
# assignment, and direct rules. This was confusing to users. To get the old
|
|
|
|
# behavior set this to "no".
|
|
|
|
# Default: yes
|
|
|
|
FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
|
|
|
|
{%- endif %}
|
|
|
|
{%- if firewalld.get('RFC3964_IPv4', False) %}
|
|
|
|
|
|
|
|
# RFC3964_IPv4
|
|
|
|
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
|
|
|
|
# correspond to IPv4 addresses that should not be routed over the public
|
|
|
|
# internet.
|
|
|
|
# Defaults to "yes".
|
|
|
|
RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
|
|
|
|
{%- endif %}
|
2020-10-24 08:08:04 +02:00
|
|
|
{%- if firewalld.get('AllowZoneDrifting', False) %}
|
|
|
|
|
|
|
|
# AllowZoneDrifting
|
|
|
|
# Older versions of firewalld had undocumented behavior known as "zone
|
|
|
|
# drifting". This allowed packets to ingress multiple zones - this is a
|
|
|
|
# violation of zone based firewalls. However, some users rely on this behavior
|
|
|
|
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
|
|
|
|
# desire such behavior. It's disabled by default for security reasons. Note: If
|
|
|
|
# "yes" packets will only drift from source based zones to interface based
|
|
|
|
# zones (including the default zone). Packets never drift from interface based
|
|
|
|
# zones to other interfaces based zones (including the default zone). Valid
|
|
|
|
# values; "yes", "no".
|
|
|
|
# Defaults to "no".
|
|
|
|
AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
|
|
|
|
{%- endif %}
|