---
# defaults file for nftables
#
# Most topics below come in three layers: *_default (set here), *_group and
# *_host (empty mappings here, intended to be filled from group/host vars).
# NOTE(review): how the role combines the three layers is decided by its
# tasks/templates, not by this file — confirm there before relying on
# override semantics.

# packages
nft_pkg_manage: true
nft_pkg_state: 'installed'

# files
# *_conf_path is the destination on the managed host; *_conf_content is the
# template (relative to the role) rendered into that destination.
nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '/etc/nftables.d/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
nft_output_conf_path: '/etc/nftables.d/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
nft_define_conf_path: '/etc/nftables.d/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
nft_set_conf_path: '/etc/nftables.d/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'

# rules
# Each rule group is keyed 'NNN description' and holds a list of raw nftables
# rule lines. The numeric prefix presumably fixes the order in which the
# filter-*.nft.j2 templates emit the groups — confirm against the templates.
# Keys and rule lines are quoted so characters such as ';', '@' and ',' are
# never re-interpreted by a YAML parser.
nft_global_default_rules:
  '005 state management':
    - 'ct state established,related accept'
    - 'ct state invalid drop'
nft_global_group_rules: {}
nft_global_host_rules: {}

# Input chain: the '000 policy' entry sets policy drop, so any traffic not
# matched by an accept rule below is dropped (fail-closed). '220 ssh' is the
# only default rule admitting new remote connections; overriding this variable
# without an equivalent rule leaves no remote management path.
nft_input_default_rules:
  '000 policy':
    - 'type filter hook input priority 0; policy drop;'
  '005 global':
    - 'jump global'
  '010 drop unwanted':
    # @blackhole is the set defined in nft_set_default below
    - 'ip daddr @blackhole counter drop'
  '015 localhost':
    - 'iif lo accept'
  '040 dhcp':
    # DHCP replies are accepted only at 6/minute
    - 'udp sport bootps udp dport bootpc limit rate 6/minute accept'
  '220 ssh':
    - 'tcp dport ssh ct state new counter accept'
nft_input_group_rules: {}
nft_input_host_rules: {}

# Output chain: also policy drop. New outbound connections are accepted only to
# the ports listed in the output_udp_accept / output_tcp_accept sets; anything
# else the host tries to open is dropped.
nft_output_default_rules:
  '000 policy':
    - 'type filter hook output priority 0; policy drop;'
  '005 global':
    - 'jump global'
  '015 localhost':
    - 'oif lo accept'
  '200 output udp accepted':
    - 'udp dport @output_udp_accept ct state new accept'
  '210 output tcp accepted':
    - 'tcp dport @output_tcp_accept ct state new accept'
nft_output_group_rules: {}
nft_output_host_rules: {}

# define nft vars
# Each entry yields an nftables define: 'name' is the identifier (referenced as
# $name from the sets below), 'value' the literal assigned to it. Only the first
# entry carries 'desc', so it appears to be optional — confirm in
# defines.nft.j2.
nft_define_default:
  'broadcast and multicast':
    desc: 'broadcast and multicast'
    name: 'badcast_addr'
    value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
  'output tcp accepted':
    name: 'output_tcp_accept'
    value: '{ http, https }'
  'output udp accepted':
    name: 'output_udp_accept'
    value: '{ bootps, domain, ntp }'
nft_define_group: {}
nft_define_host: {}

# sets and maps
# Keyed by set name; each list holds the raw lines of the set body. The
# 'elements' lines refer to the defines above, and the set names are what the
# '@...' references in the rule groups resolve to.
nft_set_default:
  'blackhole':
    - 'type ipv4_addr;'
    - 'elements = $badcast_addr'
  'output_tcp_accept':
    - 'type inet_service; flags interval;'
    - 'elements = $output_tcp_accept'
  'output_udp_accept':
    - 'type inet_service; flags interval;'
    - 'elements = $output_udp_accept'
nft_set_group: {}
nft_set_host: {}

# service
nft_service_manage: true
nft_service_name: 'nftables'
nft_service_enabled: true