{% set firewalld = pillar.get('firewalld', {}) -%} # # This file is managed/generated by salt. # Do not edit this file manually, it will be overwritten! # Modify the salt pillar for firewalld instead # # firewalld config file # default zone # The default zone used if an empty zone string is used. # Default: public DefaultZone={{ firewalld.default_zone|default('public') }} # Minimal mark # Marks up to this minimum are free for use for example in the direct # interface. If more free marks are needed, increase the minimum # Default: 100 MinimalMark={{ firewalld.minimal_mark|default('100') }} # Clean up on exit # If set to no or false the firewall configuration will not get cleaned up # on exit or stop of firewalld # Default: yes CleanupOnExit={{ firewalld.cleanup_on_exit|default('yes') }} # Lockdown # If set to enabled, firewall changes with the D-Bus interface will be limited # to applications that are listed in the lockdown whitelist. # The lockdown whitelist file is lockdown-whitelist.xml # Default: no Lockdown={{ firewalld.lockdown|default('no') }} # IPv6_rpfilter # Performs a reverse path filter test on a packet for IPv6. If a reply to the # packet would be sent via the same interface that the packet arrived on, the # packet will match and be accepted, otherwise dropped. # The rp_filter for IPv4 is controlled using sysctl. # Default: yes IPv6_rpfilter={{ firewalld.IPv6_rpfilter|default('yes') }} {%- if firewalld.get('IndividualCalls', False) %} # IndividualCalls # Do not use combined -restore calls, but individual calls. This increases the # time that is needed to apply changes and to start the daemon, but is good for # debugging. # Default: no IndividualCalls={{ firewalld.IndividualCalls|default('no') }} {%- endif %} {%- if firewalld.get('LogDenied', False) %} # LogDenied # Add logging rules right before reject and drop rules in the INPUT, FORWARD # and OUTPUT chains for the default rules and also final reject and drop rules # in zones. Possible values are: all, unicast, broadcast, multicast and off. # Default: off LogDenied={{ firewalld.LogDenied|default('off') }} {%- endif %} {%- if firewalld.get('AutomaticHelpers', False) %} # AutomaticHelpers # For the secure use of iptables and connection tracking helpers it is # recommended to turn AutomaticHelpers off. But this might have side effects on # other services using the netfilter helpers as the sysctl setting in # /proc/sys/net/netfilter/nf_conntrack_helper will be changed. # With the system setting, the default value set in the kernel or with sysctl # will be used. Possible values are: yes, no and system. # Default: system AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }} {%- endif %} {%- if firewalld.get('FirewallBackend', False) %} # FirewallBackend # Selects the firewall backend implementation. # Choices are: # - nftables (default) # - iptables (iptables, ip6tables, ebtables and ipset) FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }} {%- endif %} {%- if firewalld.get('FlushAllOnReload', False) %} # FlushAllOnReload # Flush all runtime rules on a reload. In previous releases some runtime # configuration was retained during a reload, namely; interface to zone # assignment, and direct rules. This was confusing to users. To get the old # behavior set this to "no". # Default: yes FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }} {%- endif %} {%- if firewalld.get('RFC3964_IPv4', False) %} # RFC3964_IPv4 # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that # correspond to IPv4 addresses that should not be routed over the public # internet. # Defaults to "yes". RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }} {%- endif %}