cellinfo
/
ansible.nftables
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Allow DHCP communication by default.

This commit is contained in:
Jeremy Gardais 2017-08-09 10:49:03 +02:00
parent e018e439bb
commit 9ba41af525
2 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -76,7 +76,9 @@ nft_input_default_rules:
- jump global - jump global
010 drop unwanted: 010 drop unwanted:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
022 ssh: 040 dhcp:
- udp sport bootps udp dport bootpc limit rate 6/minute accept
220 ssh:
- tcp dport ssh ct state new counter accept - tcp dport ssh ct state new counter accept
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
@ -86,8 +88,10 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; - type filter hook output priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
040 dhcp:
- udp sport bootpc udp dport bootps limit rate 6/minute accept
050 domain: 050 domain:
- udp dport domain ct state new counter accept - udp dport domain ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}
@ -147,13 +151,15 @@ table inet firewall {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
jump global jump global
ip daddr @blackhole counter packets 3 bytes 204 drop ip daddr @blackhole counter packets 3 bytes 204 drop
udp sport bootps udp dport bootpc limit rate 6/minute accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept tcp dport ssh ct state new counter packets 0 bytes 0 accept
} }
chain output { chain output {
type filter hook output priority 0; policy drop; type filter hook output priority 0; policy drop;
jump global jump global
udp dport domain ct state new counter packets 0 bytes 0 accept udp sport bootpc udp dport bootps limit rate 6/minute accept
udp dport domain ct state new packets 0 bytes 0 accept
} }
} }
``` ```

8
defaults/main.yml
View File

@ -32,7 +32,9 @@ nft_input_default_rules:
- jump global - jump global
010 drop unwanted: 010 drop unwanted:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
022 ssh: 040 dhcp:
- udp sport bootps udp dport bootpc limit rate 6/minute accept
220 ssh:
- tcp dport ssh ct state new counter accept - tcp dport ssh ct state new counter accept
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
@ -42,8 +44,10 @@ nft_output_default_rules:
- type filter hook output priority 0; policy drop; - type filter hook output priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
040 dhcp:
- udp sport bootpc udp dport bootps limit rate 6/minute accept
050 domain: 050 domain:
- udp dport domain ct state new counter accept - udp dport domain ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}