Compare commits
No commits in common. "4540766d8000efc33e70dd857eb0e052da71c854" and "4ddd1ed43904fb53ef6d360d934daff152d620bc" have entirely different histories.
4540766d80
...
4ddd1ed439
@ -39,19 +39,10 @@ firewall_ulogd_package_name: ulogd2
|
|||||||
firewall_ulogd_service_name: ulogd2.service
|
firewall_ulogd_service_name: ulogd2.service
|
||||||
firewall_ulogd_config_path: /etc/ulogd.conf
|
firewall_ulogd_config_path: /etc/ulogd.conf
|
||||||
firewall_ulogd_nflog_group: 1
|
firewall_ulogd_nflog_group: 1
|
||||||
|
firewall_ulogd_syslog_facility: LOG_LOCAL0
|
||||||
|
firewall_ulogd_syslog_level: LOG_INFO
|
||||||
|
|
||||||
# debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
|
firewall_iptables_nflog_group: 2
|
||||||
firewall_ulogd_log_level: 3
|
|
||||||
|
|
||||||
firewall_ulogd_packet_mode_enabled: yes
|
|
||||||
firewall_ulogd_packet_mode_syslog_facility: LOG_LOCAL0
|
|
||||||
firewall_ulogd_packet_mode_syslog_level: LOG_INFO
|
|
||||||
|
|
||||||
firewall_ulogd_flow_mode_enabled: yes
|
|
||||||
firewall_ulogd_flow_mode_syslog_facility: LOG_LOCAL1
|
|
||||||
firewall_ulogd_flow_mode_syslog_level: LOG_INFO
|
|
||||||
|
|
||||||
firewall_iptables_nflog_group: 1
|
|
||||||
|
|
||||||
firewall_drop_icmp_flood: true
|
firewall_drop_icmp_flood: true
|
||||||
firewall_limit_icmp_flood_seconds: 1
|
firewall_limit_icmp_flood_seconds: 1
|
||||||
@ -73,8 +64,6 @@ firewall_limit_ssh_hitcount: 10
|
|||||||
|
|
||||||
firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
|
firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
|
||||||
|
|
||||||
firewall_ssh_whitelist: {}
|
|
||||||
|
|
||||||
# ipset's
|
# ipset's
|
||||||
firewall_ipset_cooloff_timeout: 600
|
firewall_ipset_cooloff_timeout: 600
|
||||||
|
|
||||||
|
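Review bot: The new default `firewall_iptables_nflog_group: 2` no longer agrees with `firewall_ulogd_nflog_group: 1` a few lines above it, so if the iptables templates tag their NFLOG rules with the iptables group (not visible in this hunk), ulogd listens on group 1 while dropped packets are emitted to group 2 and the LOG_DROP audit trail silently stops; the old side kept both at 1. Unless two independent NFLOG consumers are intended, derive one value from the other, e.g. `firewall_iptables_nflog_group: "{{ firewall_ulogd_nflog_group }}"`, and add a comment above it stating that the two groups must match for dropped-packet logging to reach ulogd. The ulogd.conf template further down this page falls back to `default(0)` for the same variable, which is a third value to reconcile.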
@ -50,18 +50,12 @@
|
|||||||
|
|
||||||
-A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
|
-A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
|
||||||
|
|
||||||
{% if firewall_ssh_whitelist.v6 %}
|
-A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
|
||||||
{% for ip in firewall_ssh_whitelist.v6 %}
|
|
||||||
-A INPUT -p tcp -m tcp --dport 22 --source {{ ip }} -m comment --comment "accept {{ ip }} ssh 22/tcp6" -j ACCEPT
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ipset_mgmt.v6 is defined %}
|
{% if firewall_ipset_mgmt.v6 is defined %}
|
||||||
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v6 src -m comment --comment "accept mgmt ssh 22/tcp6" -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v6 src -m comment --comment "accept mgmt ssh 22/tcp6" -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
-A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
|
|
||||||
|
|
||||||
{% if firewall_ipset_blacklist.v6 is defined %}
|
{% if firewall_ipset_blacklist.v6 is defined %}
|
||||||
-A INPUT -m set --match-set mgmt_v6 src -m comment --comment "drop blacklist inet6" -j LOG_DROP
|
-A INPUT -m set --match-set mgmt_v6 src -m comment --comment "drop blacklist inet6" -j LOG_DROP
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
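Review bot: The blacklist rule kept on the new side, `-A INPUT -m set --match-set mgmt_v6 src -m comment --comment "drop blacklist inet6" -j LOG_DROP` under `{% if firewall_ipset_blacklist.v6 is defined %}`, matches the management set rather than a blacklist set, so blacklisted sources are never dropped while non-SSH traffic from management addresses that reaches this rule is dropped instead. The same line is present in the IPv4 hunk below (`--match-set mgmt_v4 src` under `firewall_ipset_blacklist.v4`). The blacklist set name does not appear on this page; the match should reference the ipset that the blacklist variable populates, e.g. `-A INPUT -m set --match-set <BLACKLIST_V6_SET_NAME> src -m comment --comment "drop blacklist inet6" -j LOG_DROP`. This is an unchanged context line, so the commit does not introduce it, but it is the rule set the new side ships with, and the rules preceding line 50 of this template are not visible here.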
@ -50,18 +50,12 @@
|
|||||||
|
|
||||||
-A INPUT -i lo -m comment --comment "lo accept all" -j ACCEPT
|
-A INPUT -i lo -m comment --comment "lo accept all" -j ACCEPT
|
||||||
|
|
||||||
{% if firewall_ssh_whitelist.v4 %}
|
-A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
|
||||||
{% for ip in firewall_ssh_whitelist.v4 %}
|
|
||||||
-A INPUT -p tcp -m tcp --dport 22 --source {{ ip }} -m comment --comment "accept {{ ip }} ssh 22/tcp" -j ACCEPT
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ipset_mgmt.v4 is defined %}
|
{% if firewall_ipset_mgmt.v4 is defined %}
|
||||||
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v4 src -m comment --comment "accept mgmt ssh 22/tcp" -j ACCEPT
|
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v4 src -m comment --comment "accept mgmt ssh 22/tcp" -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
-A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
|
|
||||||
|
|
||||||
{% if firewall_ipset_blacklist.v4 is defined %}
|
{% if firewall_ipset_blacklist.v4 is defined %}
|
||||||
-A INPUT -m set --match-set mgmt_v4 src -m comment --comment "drop blacklist" -j LOG_DROP
|
-A INPUT -m set --match-set mgmt_v4 src -m comment --comment "drop blacklist" -j LOG_DROP
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
[global]
|
[global]
|
||||||
|
|
||||||
# logfile for status messages
|
# logfile for status messages
|
||||||
logfile="syslog"
|
#logfile="syslog"
|
||||||
|
|
||||||
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
|
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
|
||||||
loglevel={{ firewall_ulogd_loglevel | default(3) }}
|
#loglevel=3
|
||||||
|
|
||||||
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
|
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
|
||||||
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
|
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
|
||||||
@ -15,31 +15,12 @@ plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
|
|||||||
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
|
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
|
||||||
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
|
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
|
||||||
|
|
||||||
{% if firewall_ulogd_packet_mode_enabled %}
|
# this is a stack for logging packets to syslog after a collect via NFLOG
|
||||||
stack=packet:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,syslog-packet:SYSLOG
|
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
|
||||||
{% endif %}
|
|
||||||
{% if firewall_ulogd_flow_mode_enabled %}
|
|
||||||
stack=flow:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,syslog-flow:SYSLOG
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ulogd_packet_mode_enabled %}
|
[log1]
|
||||||
[packet]
|
group={{ firewall_ulogd_nflog_group | default(0) }}
|
||||||
group={{ firewall_ulogd_nflog_group | default(1) }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ulogd_flow_mode_enabled %}
|
[sys1]
|
||||||
[flow]
|
facility={{ firewall_ulogd_syslog_facility | default("LOG_LOCAL0") }}
|
||||||
#group={{ firewall_ulogd_nflog_group | default(1) }}
|
level={{ firewall_ulogd_syslog_level | default("LOG_INFO") }}
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ulogd_packet_mode_enabled %}
|
|
||||||
[syslog-packet]
|
|
||||||
facility={{ firewall_ulogd_packet_mode_syslog_facility | default("LOG_LOCAL0") }}
|
|
||||||
level={{ firewall_ulogd_packet_mode_syslog_level | default("LOG_INFO") }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if firewall_ulogd_flow_mode_enabled %}
|
|
||||||
[syslog-flow]
|
|
||||||
facility={{ firewall_ulogd_flow_mode_syslog_facility | default("LOG_LOCAL1") }}
|
|
||||||
level={{ firewall_ulogd_flow_mode_syslog_level | default("LOG_INFO") }}
|
|
||||||
{% endif %}
|
|
||||||
|
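Review bot: `group={{ firewall_ulogd_nflog_group | default(0) }}` in the `[log1]` section falls back to 0 while the role default for the same variable is 1 (`firewall_ulogd_nflog_group: 1` in the defaults hunk), so an undefined variable would leave ulogd listening on a group that no iptables rule is expected to target. Use the same fallback in both places, `group={{ firewall_ulogd_nflog_group | default(1) }}`. Separately, `#logfile="syslog"` and `#loglevel=3` are now commented out, which presumably sends ulogd's own status messages to its built-in logfile location instead of syslog (verify against the installed package); if the intent was to keep them in syslog, leave `logfile="syslog"` active. A one-line comment above the `stack=` line stating that `log1`'s group must equal the NFLOG group used by the iptables rules would help the next maintainer keep the two in step.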