source: MondoRescue/branches/3.3/ansible/roles/shorewall/defaults/main.yml@ 3694

---
shorewall_enabled: "Yes"

shorewall_zones:
- zone: "fw"
  type: "firewall"
- zone: "net"
  type: "ipv4"
- zone: "dock"
  type: "ipv4"

shorewall_interfaces: 
- interface: "enp2s0f0"
  zone: "net"
  broadcast: "detect"
  options: "dhcp,tcpflags,nosmurfs,logmartians"
- interface: "docker0"
  zone: "dock"
  broadcast: "detect"
  #options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
- source: "fw"
  destination: "net"
  policy: "REJECT"
  log_level: "info"
- source: "net"
  destination: "fw"
  policy: "DROP"
- source: "all"
  destination: "all"
  policy: "REJECT"
  log_level: "info"
shorewall_masq:
- interface: "enp2s0f0"
  source: "172.17.0.0/16"

shorewall_rules:
- section: "NEW"
  rules: 
  # Incoming SSH
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 22 }
  # Incoming HTTP
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 80 }
  # Incoming RSYNC
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 873 }
  # Incoming SVN
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 3690 }
  # Incoming FTP
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 20 }
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 21 }
  # Incoming SMTP
  - { action: ACCEPT, source: "net:{{ smtp }}", destination: fw, protocol: tcp, destination_port: 25 }
  # Incoming NTP
  - { action: ACCEPT, source: net, destination: fw, protocol: tcp, destination_port: 123 }
  - { action: ACCEPT, source: net, destination: fw, protocol: udp, destination_port: 123 }
  # Incoming PING
  - { action: ACCEPT, source: net, destination: fw, protocol: icmp, destination_port: 8 }
  # Outgoing NTP
  - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 123 }
  - { action: ACCEPT, source: fw, destination: net, protocol: udp, destination_port: 123 }
  # Outgoing DNS
  - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
  - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
  - { action: ACCEPT, source: fw, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
  - { action: ACCEPT, source: fw, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
  - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: udp, destination_port: 53 }
  - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: udp, destination_port: 53 }
  - { action: ACCEPT, source: dock, destination: "net:{{ dns1 }}", protocol: tcp, destination_port: 53 }
  - { action: ACCEPT, source: dock, destination: "net:{{ dns2 }}", protocol: tcp, destination_port: 53 }
  # Outgoing HTTP/S
  - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 80 }
  - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 443}
  - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 80 }
  - { action: ACCEPT, source: dock, destination: net, protocol: tcp, destination_port: 443}
  # Outgoing SPAM
  - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 9999 }
  # Outgoing SMTP
  - { action: ACCEPT, source: fw, destination: "net:{{ smtp }}", protocol: tcp, destination_port: 25 }
  # Outgoing SSH
  - { action: ACCEPT, source: fw, destination: net, protocol: tcp, destination_port: 22 }
  # Outgoing PING
  - { action: ACCEPT, source: fw, destination: net, protocol: icmp, destination_port: 8 }
  - { action: ACCEPT, source: dock, destination: net, protocol: icmp, destination_port: 8 }