--- # .. vim: foldmarker=[[[,]]]:foldmethod=marker # # ipr-cnrs.nftables default variables [[[ # ======================================= # Packages and installation [[[ # ----------------------------- # .. envvar:: nft_enabled [[[ # # Enable or disable support for Nftables on a given host. Disabling this # option does not remove existing installation and configuration. # nft_enabled: true # ]]] # .. envvar:: nft_pkg_state [[[ # # What is the desired state for Nftables packages ? Possible options : # # ``present`` # Default. Nftables packages will be installed. # # ``absent`` # Ensure to remove Nftables related packages. nft_pkg_state: 'present' # ]]] # .. envvar:: nft_old_pkg_list [[[ # # List of old Iptables packages to remove to avoid duplicate firewall. # nft_old_pkg_list: - 'iptables' - 'libiptc0' # ]]] # .. envvar:: nft_old_pkg_state [[[ # # What is the desired state for Iptables packages ? Possible options : # # ``absent`` # Default. Ensure to remove Iptables related packages. # # ``present`` # Iptables packages will be kept. nft_old_pkg_state: 'absent' # ]]] # .. envvar:: nft_old_pkg_manage [[[ # # If the old Iptables packages should be managed ? Possible options : # # ``true`` # Default. Ensure to apply the required state for Iptables related packages. # # ``false`` # Iptables packages will not be touched. nft_old_pkg_manage: true # ]]] # ]]] # Nftables global rules [[[ # ------------------------- # .. envvar:: nft_global_default_rules [[[ # # List of global rules (applied on all tables) to configure for all hosts # inherited from this role. nft_global_default_rules: 005 state management: - ct state established,related accept - ct state invalid drop # ]]] # .. envvar:: nft_global_rules [[[ # # List of global rules (applied on all tables) to configure for all hosts # in the Ansible inventory. nft_global_rules: {} # ]]] # .. envvar:: nft_merged_groups [[[ # # Enable or disable the ability to merge multiple firewall group variables nft_merged_groups: false # ]]] # .. envvar:: nft_merged_groups_dir [[[ # # The directory to read the group firewall rules from. # Relative to the playbook directory. nft_merged_groups_dir: vars/ # ]]] # .. envvar:: nft_global_group_rules [[[ # # List of global rules (applied on all tables) to configure for hosts in # specific Ansible inventory group. nft_global_group_rules: {} # ]]] # .. envvar:: nft_global_host_rules [[[ # # List of global rules (applied on all tables) to configure for specific hosts # in the Ansible inventory. nft_global_host_rules: {} # ]]] # .. envvar:: nft__custom_content [[[ # # Custom content (tables, include,…) to add in Nftables configuration. nft__custom_content: '' # ]]] # .. envvar:: nft_conf_dir_path [[[ # # Path to the sub directory for Nftables configuration files. # # Should be an absolut path and this var will be used in all *_path vars. nft_conf_dir_path: '/etc/nftables.d' # ]]] # .. envvar:: nft_main_conf_path [[[ # # Path to the main configuration file called by the Systemd Nftables service. # # Should be an absolut path. nft_main_conf_path: '/etc/nftables.conf' # ]]] # .. envvar:: nft_main_conf_content [[[ # # Template used to provide the previous main configuration file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft_main_conf_content: 'etc/nftables.conf.j2' # ]]] # ]]] # Nftables vars definition [[[ # ---------------------------- # # These lists allow to define some vars that can be used in nftables rules. # See the official Nftables wiki page for more informations and examples : # https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables # .. envvar:: nft_define_default [[[ # # List of vars definition to configure for all hosts inherited from this role. nft_define_default: broadcast and multicast: desc: 'broadcast and multicast' name: badcast_addr value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' ip6 broadcast and multicast: desc: 'broadcast and multicast' name: ip6_badcast_addr value: '{ ff02::16 }' input tcp accepted: name: in_tcp_accept value: '{ ssh }' input udp accepted: name: in_udp_accept value: 'none' output tcp accepted: name: out_tcp_accept value: '{ http, https, hkp }' output udp accepted: name: out_udp_accept value: '{ bootps, domain, ntp }' # ]]] # .. envvar:: nft_define [[[ # # List of vars definition to configure for all hosts in the Ansible inventory. nft_define: {} # ]]] # .. envvar:: nft_define_group [[[ # # List of vars definition to configure for hosts in specific # Ansible inventory group. nft_define_group: {} # ]]] # .. envvar:: nft_define_host [[[ # # List of vars definition to configure for specific hosts # in the Ansible inventory. nft_define_host: {} # ]]] # .. envvar:: nft_define_conf_path [[[ # # Path to the defined vars file to include in the main configuration file # in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft' # ]]] # .. envvar:: nft_define_conf_content [[[ # # Template used to provide the previous defined vars file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft_define_conf_content: 'etc/nftables.d/defines.nft.j2' # ]]] # ]]] # Nftables sets definition [[[ # ---------------------------- # # These "set" lists allow to define sets that can be used in Nftables rules. # See the official Nftables wiki page for more informations and examples : # https://wiki.nftables.org/wiki-nftables/index.php/Sets # .. envvar:: nft_define_default [[[ # # List of sets to configure for all hosts inherited from this role. nft_set_default: blackhole: - type ipv4_addr; - elements = $badcast_addr ip6blackhole: - type ipv6_addr; - elements = $ip6_badcast_addr in_tcp_accept: - type inet_service; flags interval; - elements = $in_tcp_accept in_udp_accept: - type inet_service; flags interval; out_tcp_accept: - type inet_service; flags interval; - elements = $out_tcp_accept out_udp_accept: - type inet_service; flags interval; - elements = $out_udp_accept # ]]] # .. envvar:: nft_set [[[ # # List of sets to configure for all hosts in the Ansible inventory. nft_set: {} # ]]] # .. envvar:: nft_set_group [[[ # # List of sets to configure for hosts in specific Ansible inventory group. nft_set_group: {} # ]]] # .. envvar:: nft_set_host [[[ # # List of sets to configure for specific hosts in the Ansible inventory. nft_set_host: {} # ]]] # .. envvar:: nft_set_conf_path [[[ # # Path to the "sets" file to include in the main configuration file # in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft' # ]]] # .. envvar:: nft_set_conf_content [[[ # # Template used to provide the previous "sets" file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft_set_conf_content: 'etc/nftables.d/sets.nft.j2' # ]]] # ]]] # inet filter table rules [[[ # --------------------------- # # All these rules will be set up in an inet table in order to filter the # input and output traffic. # .. envvar:: nft_input_default_rules [[[ # # List of input rules to configure for all hosts inherited from this role. nft_input_default_rules: 000 policy: - type filter hook input priority 0; policy drop; 005 global: - jump global 010 drop unwanted: - ip daddr @blackhole counter drop 011 drop unwanted ipv6: - ip6 daddr @ip6blackhole counter drop 015 localhost: - iif lo accept 050 icmp: - meta l4proto {icmp,icmpv6} accept 200 input udp accepted: - udp dport @in_udp_accept ct state new accept 210 input tcp accepted: - tcp dport @in_tcp_accept ct state new accept # ]]] # .. envvar:: nft_input_rules [[[ # # List of input rules to configure for all hosts in the Ansible inventory. nft_input_rules: {} # ]]] # .. envvar:: nft_input_group_rules [[[ # # List of input rules to configure for hosts in specific Ansible inventory group. nft_input_group_rules: {} # ]]] # .. envvar:: nft_input_host_rules [[[ # # List of input rules to configure for specific hosts in the Ansible inventory. nft_input_host_rules: {} # ]]] # .. envvar:: nft_input_conf_path [[[ # # Path to the input rules file for the filter table to include in the main # configuration file in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft' # ]]] # .. envvar:: nft_input_conf_content [[[ # # Template used to provide the previous input rules file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2' # ]]] # .. envvar:: nft_output_default_rules [[[ # # List of output rules to configure for all hosts inherited from this role. nft_output_default_rules: 000 policy: - type filter hook output priority 0; policy drop; 005 global: - jump global 015 localhost: - oif lo accept 050 icmp: - ip protocol icmp accept - ip6 nexthdr icmpv6 counter accept 200 output udp accepted: - udp dport @out_udp_accept ct state new accept 210 output tcp accepted: - tcp dport @out_tcp_accept ct state new accept 250 reset-ssh: # allow the host to reset SSH connections to avoid 10 min delay from Ansible controller - tcp sport ssh tcp flags { rst, psh | ack } counter accept # ]]] # .. envvar:: nft_output_rules [[[ # # List of output rules to configure for all hosts in the Ansible inventory. nft_output_rules: {} # ]]] # .. envvar:: nft_output_group_rules [[[ # # List of output rules to configure for hosts in specific Ansible inventory group. nft_output_group_rules: {} # ]]] # .. envvar:: nft_output_host_rules [[[ # # List of output rules to configure for specific hosts in the Ansible inventory. nft_output_host_rules: {} # ]]] # .. envvar:: nft_output_conf_path [[[ # # Path to the output rules file for the filter table to include in the main # configuration file in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft' # ]]] # .. envvar:: nft_output_conf_content [[[ # # Template used to provide the previous output rules file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2' # ]]] # ]]] # ip nat table rules [[[ # --------------------------- # # All these rules will be set up in an ip table in order to perform some # Network Address Translation (NAT). # .. envvar:: nft__nat_table_manage [[[ # # If the nat table should be managed ? Possible options are : # # ``False`` # Default. The nat table is not managed and rules will not be added. # # ``True`` # Add the pre and postrouting rules that follow. nft__nat_table_manage: False # ]]] # .. envvar:: nft__nat_default_prerouting_rules [[[ # # List of prerouting rules to configure for all hosts inherited from this role. nft__nat_default_prerouting_rules: 000 policy: - type nat hook prerouting priority 0; # ]]] # .. envvar:: nft__nat_prerouting_rules [[[ # # List of prerouting rules to configure for all hosts in the Ansible inventory. nft__nat_prerouting_rules: {} # ]]] # .. envvar:: nft__nat_group_prerouting_rules [[[ # # List of prerouting rules to configure for hosts in specific # Ansible inventory group. nft__nat_group_prerouting_rules: {} # ]]] # .. envvar:: nft__nat_host_prerouting_rules [[[ # # List of prerouting rules to configure for specific hosts # in the Ansible inventory. nft__nat_host_prerouting_rules: {} # ]]] # .. envvar:: nft__nat_prerouting_conf_path [[[ # # Path to the prerouting rules file for the nat table to include in the main # configuration file in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft__nat_prerouting_conf_path: '{{ nft_conf_dir_path }}/nat-prerouting.nft' # ]]] # .. envvar:: nft__nat_prerouting_conf_content [[[ # # Template used to provide the previous prerouting rules file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft__nat_prerouting_conf_content: 'etc/nftables.d/nat-prerouting.nft.j2' # ]]] # .. envvar:: nft__nat_default_postrouting_rules [[[ # # List of postrouting rules to configure for all hosts inherited from this role. nft__nat_default_postrouting_rules: 000 policy: - type nat hook postrouting priority 100; # ]]] # .. envvar:: nft__nat_postrouting_rules [[[ # # List of postrouting rules to configure for all hosts in the Ansible inventory. nft__nat_postrouting_rules: {} # ]]] # .. envvar:: nft__nat_group_postrouting_rules [[[ # # List of postrouting rules to configure for hosts in specific # Ansible inventory group. nft__nat_group_postrouting_rules: {} # ]]] # .. envvar:: nft__nat_host_postrouting_rules [[[ # # List of postrouting rules to configure for specific hosts # in the Ansible inventory. nft__nat_host_postrouting_rules: {} # ]]] # .. envvar:: nft__nat_postrouting_conf_path [[[ # # Path to the postrouting rules file for the nat table to include in the main # configuration file in order to use the previous defined lists. # # Should include the '{{ nft_conf_dir_path }}' var or be an absolut path. nft__nat_postrouting_conf_path: '{{ nft_conf_dir_path }}/nat-postrouting.nft' # ]]] # .. envvar:: nft__nat_postrouting_conf_content [[[ # # Template used to provide the previous postrouting rules file. # # Must be a relative path from default/ directory of this role or from your # Ansible inventory directory. nft__nat_postrouting_conf_content: 'etc/nftables.d/nat-postrouting.nft.j2' # ]]] # ]]] # Service management [[[ # ---------------------- # .. envvar:: nft_service_manage [[[ # # If the Nftables service should be managed ? Possible options are : # # ``True`` # Default. The service is started. # # ``False`` # The service will not be touched. nft_service_manage: true # ]]] # .. envvar:: nft_service_name [[[ # # The service name to manage. nft_service_name: 'nftables' # ]]] # .. envvar:: nft_service_enabled [[[ # # If the Nftables service should be enabled at startup ? Possible options are : # # ``True`` # Default. The service is enabled. # # ``False`` # The service is disabled from startup. nft_service_enabled: true # ]]] # .. envvar:: nft_service_unit_path [[[ # # Path to store Nftables service. nft_service_unit_path: '/lib/systemd/system/nftables.service' # ]]] # .. envvar:: nft_service_unit_content [[[ # # Template used to provide systemd unit for Nftables service. nft_service_unit_content: 'lib/systemd/system/nftables.service.j2' # ]]] # .. envvar:: nft__service_protect [[[ # # If the systemd unit should have the Protect directives ? Possible options : # # ``True`` # Default. Directives will be set (ProtectSystem, ProtectHome,…). # # ``False`` # The directives will be ignored. nft__service_protect: true # ]]] # .. envvar:: nft__fail2ban_service [[[ # # If the Nftables systemd unit should also restart Fail2ban service. Possible # options are : # # ``False`` # Default. Nftables service will not affect Fail2ban service. # # ``True`` # Any Nftables service (re)start will also restart Fail2ban service. nft__fail2ban_service: False # ]]] # .. envvar:: nft_debug [ # # Toggle on/off more verbose output. Possible options are: # # ''Flase'' # Default. No additional output will be given. # # ''True'' # More verbose output. nft_debug: False # ]]] # ]]] # ]]]