---
# Ansible variables for the shorewall role: zones, the single external
# interface, default-deny policies, and the explicit ACCEPT rules that
# punch through them. Every scalar below is reproduced from the original
# data; only layout and comments differ.

# Kept as the quoted string "Yes" rather than a YAML boolean — the role's
# own check decides which form it expects; confirm before changing it.
shorewall_enabled: "Yes"

shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"

shorewall_interfaces:
  - interface: "enp2s0f0"
    zone: "net"
    broadcast: "detect"
    # Shorewall interface options: "dhcp" permits DHCP on this interface;
    # "tcpflags", "nosmurfs" and "logmartians" turn on Shorewall's inbound
    # packet sanity checks and martian logging.
    options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
  # Default-deny in both directions: unmatched outbound traffic is rejected
  # and logged at "info", unmatched inbound traffic is silently dropped,
  # and a final catch-all rejects (and logs) everything else.
  - source: "fw"
    destination: "net"
    policy: "REJECT"
    log_level: "info"
  - source: "net"
    destination: "fw"
    policy: "DROP"
  - source: "all"
    destination: "all"
    policy: "REJECT"
    log_level: "info"

shorewall_rules:
  - section: "NEW"
    rules:
      # Incoming SSH — accepted from the whole "net" zone; no source
      # restriction is expressed here.
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 22

      # Incoming HTTP
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 80

      # Incoming SVN
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 3690

      # Incoming FTP — 21 is the control channel. NOTE(review): port 20 is
      # the server-side source port of active-mode data connections, so an
      # inbound ACCEPT on 20 is normally unnecessary; confirm before keeping.
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 20
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 21

      # Incoming NTP — NTP runs over UDP; the TCP/123 entry is presumably
      # unneeded and widens exposure, verify against the service actually
      # listening.
      - action: ACCEPT
        source: net
        destination: fw
        protocol: tcp
        destination_port: 123
      - action: ACCEPT
        source: net
        destination: fw
        protocol: udp
        destination_port: 123

      # Incoming PING — for protocol icmp, Shorewall reads the port column
      # as the ICMP type; 8 is echo-request.
      - action: ACCEPT
        source: net
        destination: fw
        protocol: icmp
        destination_port: 8

      # Outgoing DNS — limited to the two templated resolvers. The values
      # are quoted so the Jinja expansion cannot be re-typed by YAML.
      - action: ACCEPT
        source: fw
        destination: "net:{{ dns1 }}"
        protocol: udp
        destination_port: 53
      - action: ACCEPT
        source: fw
        destination: "net:{{ dns2 }}"
        protocol: udp
        destination_port: 53
      - action: ACCEPT
        source: fw
        destination: "net:{{ dns1 }}"
        protocol: tcp
        destination_port: 53
      - action: ACCEPT
        source: fw
        destination: "net:{{ dns2 }}"
        protocol: tcp
        destination_port: 53

      # Outgoing HTTP — to any host in "net".
      - action: ACCEPT
        source: fw
        destination: net
        protocol: tcp
        destination_port: 80