ansible.nftables/defaults/main.yml

---
# defaults file for nftables

# packages
nft_pkg_manage: true
nft_pkg_state: 'installed'

# files
nft_conf_dir_path: '/etc/nftables.d'
nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'

# rules
nft_global_default_rules:
  005 state management:
    - ct state established,related accept
    - ct state invalid drop
nft_global_group_rules: {}
nft_global_host_rules: {}

nft_input_default_rules:
  000 policy:
    - type filter hook input priority 0; policy drop;
  005 global:
    - jump global
  010 drop unwanted:
    - ip daddr @blackhole counter drop
  015 localhost:
    - iif lo accept
  200 input udp accepted:
    - udp dport @input_udp_accept ct state new accept
  210 input tcp accepted:
    - tcp dport @input_tcp_accept ct state new accept
nft_input_group_rules: {}
nft_input_host_rules: {}

nft_output_default_rules:
  000 policy:
    - type filter hook output priority 0; policy drop;
  005 global:
    - jump global
  015 localhost:
    - oif lo accept
  050 icmp:
    - ip protocol icmp accept
  200 output udp accepted:
    - udp dport @output_udp_accept ct state new accept
  210 output tcp accepted:
    - tcp dport @output_tcp_accept ct state new accept
nft_output_group_rules: {}
nft_output_host_rules: {}

# define nft vars
nft_define_default:
  broadcast and multicast:
    desc: 'broadcast and multicast'
    name: badcast_addr
    value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
  input tcp accepted:
    name: input_tcp_accept
    value: '{ ssh }'
  input udp accepted:
    name: input_udp_accept
    value: 'none'
  output tcp accepted:
    name: output_tcp_accept
    value: '{ http, https, hkp }'
  output udp accepted:
    name: output_udp_accept
    value: '{ bootps, domain, ntp }'
nft_define_group: {}
nft_define_host: {}

# sets and maps
nft_set_default:
  blackhole:
    - type ipv4_addr;
    - elements = $badcast_addr
  input_tcp_accept:
    - type inet_service; flags interval;
    - elements = $input_tcp_accept
  input_udp_accept:
    - type inet_service; flags interval;
  output_tcp_accept:
    - type inet_service; flags interval;
    - elements = $output_tcp_accept
  output_udp_accept:
    - type inet_service; flags interval;
    - elements = $output_udp_accept
nft_set_group: {}
nft_set_host: {}

# service
nft_service_manage: true
nft_service_name: 'nftables'
nft_service_enabled: true
Install nftables. 2017-08-07 12:09:13 +02:00			`---`
			`# defaults file for nftables`

			`# packages`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`nft_pkg_manage: true`
			`nft_pkg_state: 'installed'`

Manage nftables service at startup. 2017-08-09 14:27:07 +02:00			`# files`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`nft_conf_dir_path: '/etc/nftables.d'`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`nft_main_conf_path: '/etc/nftables.conf'`
			`nft_main_conf_content: 'etc/nftables.conf.j2'`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'`
Use 'ip' family as default for the firewall table. 2017-08-09 11:18:49 +02:00			`nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'`
Use 'ip' family as default for the firewall table. 2017-08-09 11:18:49 +02:00			`nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'`
Use 'ip' family as default for the firewall table. 2017-08-09 11:18:49 +02:00			`nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'`
Notify `nftables` service when configuration file is modified. 2017-08-07 14:14:14 +02:00
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`# rules`
			`nft_global_default_rules:`
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`005 state management:`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`- ct state established,related accept`
			`- ct state invalid drop`
			`nft_global_group_rules: {}`
			`nft_global_host_rules: {}`
Allow SSH input by default. 2017-08-08 14:53:29 +02:00
Manage input rule with dict. 2017-08-07 17:41:03 +02:00			`nft_input_default_rules:`
			`000 policy:`
			`- type filter hook input priority 0; policy drop;`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`005 global:`
Manage input rule with dict. 2017-08-07 17:41:03 +02:00			`- jump global`
Block all input packets destinate to blackhole set by default. 2017-08-08 14:37:54 +02:00			`010 drop unwanted:`
			`- ip daddr @blackhole counter drop`
Allow localhost traffic. 2017-08-09 11:05:00 +02:00			`015 localhost:`
			`- iif lo accept`
Define new sets and vars for input connections. 2017-08-09 17:14:26 +02:00			`200 input udp accepted:`
			`- udp dport @input_udp_accept ct state new accept`
			`210 input tcp accepted:`
			`- tcp dport @input_tcp_accept ct state new accept`
Manage input rule with dict. 2017-08-07 17:41:03 +02:00			`nft_input_group_rules: {}`
			`nft_input_host_rules: {}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`nft_output_default_rules:`
			`000 policy:`
Set output default policy to drop and allow DNS request. 2017-08-09 10:34:29 +02:00			`- type filter hook output priority 0; policy drop;`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`005 global:`
			`- jump global`
Allow localhost traffic. 2017-08-09 11:05:00 +02:00			`015 localhost:`
			`- oif lo accept`
Allow outgoing icmp. 2017-08-09 16:04:54 +02:00			`050 icmp:`
			`- ip protocol icmp accept`
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`200 output udp accepted:`
			`- udp dport @output_udp_accept ct state new accept`
			`210 output tcp accepted:`
			`- tcp dport @output_tcp_accept ct state new accept`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`nft_output_group_rules: {}`
			`nft_output_host_rules: {}`

Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`# define nft vars`
			`nft_define_default:`
			`broadcast and multicast:`
			`desc: 'broadcast and multicast'`
			`name: badcast_addr`
			`value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'`
Define new sets and vars for input connections. 2017-08-09 17:14:26 +02:00			`input tcp accepted:`
			`name: input_tcp_accept`
			`value: '{ ssh }'`
			`input udp accepted:`
			`name: input_udp_accept`
			`value: 'none'`
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`output tcp accepted:`
			`name: output_tcp_accept`
Allow outgoing OpenPGP HTTP requests. 2017-08-11 13:46:50 +02:00			`value: '{ http, https, hkp }'`
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`output udp accepted:`
			`name: output_udp_accept`
			`value: '{ bootps, domain, ntp }'`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`nft_define_group: {}`
			`nft_define_host: {}`
Allow SSH input by default. 2017-08-08 14:53:29 +02:00
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`# sets and maps`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`nft_set_default:`
			`blackhole:`
			`- type ipv4_addr;`
			`- elements = $badcast_addr`
Define new sets and vars for input connections. 2017-08-09 17:14:26 +02:00			`input_tcp_accept:`
			`- type inet_service; flags interval;`
			`- elements = $input_tcp_accept`
			`input_udp_accept:`
			`- type inet_service; flags interval;`
Define new sets and vars for output to avoid multiple redifinition of the dicts. 2017-08-09 14:56:20 +02:00			`output_tcp_accept:`
			`- type inet_service; flags interval;`
			`- elements = $output_tcp_accept`
			`output_udp_accept:`
			`- type inet_service; flags interval;`
			`- elements = $output_udp_accept`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`nft_set_group: {}`
			`nft_set_host: {}`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00
Notify `nftables` service when configuration file is modified. 2017-08-07 14:14:14 +02:00			`# service`
			`nft_service_manage: true`
			`nft_service_name: 'nftables'`
Manage nftables service at startup. 2017-08-09 14:27:07 +02:00			`nft_service_enabled: true`