ansible/roles/nftables/defaults/main.yaml

90 lines
2.0 KiB
YAML

---
# nftables_ufw_package_name: ufw
# nftables_ufw_package_state: absent
# nftables_package_name: nftables
# nftables_package_state: present
# nftables_service_name: nftables
# nftables_service_state: started
# nftables_service_enabled: true
# nftables_config_path: /etc/nftables.conf
nftables_builtin_defines:
REQUIRED_ICMPV6_TYPES:
- 1-4
- 130-136
- 141-143
- 148-149
- 151-153
TRACEROUTE_UDP_PORTS: 33434-33534
nftables_builtin_sets:
blackhole4:
- type ipv4_addr
- flags interval
blackhole6:
- type ipv6_addr
- flags interval
tcp_input_accept:
- type inet_service
- flags interval
- elements = { ssh }
udp_input_accept:
- type inet_service
- flags interval
nftables_input_builtin_rules:
'000 policy':
- type filter hook input priority filter; policy drop;
'010 blackhole':
- ip saddr @blackhole4 drop
- ip6 saddr @blackhole6 drop
'020 related established':
- ct state established,related accept
- ct state invalid drop
'030 loopback':
- iifname "lo" accept
'040 icmp':
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- icmpv6 type echo-request accept
- icmp type echo-request accept
'050 tcp accept':
- tcp dport @tcp_input_accept accept
'060 udp accept':
- udp dport @udp_input_accept accept
'999 traceroute':
# this should be last because these ports could be allowed
- udp dport $TRACEROUTE_UDP_PORTS reject
nftables_forward_builtin_rules:
'000 policy':
- type filter hook forward priority filter; policy drop;
'010 related established':
- ct state { established, related } accept
nftables_output_builtin_rules:
'000 policy':
- type filter hook output priority filter; policy accept;
'010 blackhole':
- ip daddr @blackhole4 drop
- ip6 daddr @blackhole6 drop
'020 related established':
- ct state { established, related } accept
nftables_defines:
{}
nftables_sets:
{}
nftables_input_rules:
{}
nftables_forward_rules:
{}
nftables_output_rules:
{}