X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ad1da4a00772c18bbc6392d94c603208c7a8db05..6ab5fb9c6d2e0d309835648e78333ed40d654885:/cookbooks/networking/templates/default/shorewall.conf.erb?ds=sidebyside
diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb
index 03c7c6fff..1ec804b04 100644
--- a/cookbooks/networking/templates/default/shorewall.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall.conf.erb
@@ -28,7 +28,11 @@ FIREWALL=
 # L O G G I N G
 ###############################################################################
 
+<% if node[:networking][:firewall][:log] -%>
 LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
 
 BLACKLIST_LOG_LEVEL=
 
@@ -104,20 +108,12 @@ TC=
 # D E F A U L T A C T I O N S / M A C R O S
 ###############################################################################
 
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
-<%- else %>
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-<%- end %>
 
 ###############################################################################
 # R S H / R C P C O M M A N D S
@@ -144,17 +140,17 @@ AUTOCOMMENT=Yes
 
 AUTOHELPERS=Yes
 
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-AUTOMAKE=No
-<%- else %>
 AUTOMAKE=Yes
-<%- end %>
 
 BALANCE_PROVIDERS=No
 
 BASIC_FILTERS=No
 
+<% if node[:networking][:firewall][:raw] -%>
 BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
 
 CLAMPMSS=No
 
@@ -170,7 +166,7 @@ DETECT_DNAT_IPADDRS=No
 
 DISABLE_IPV6=No
 
-DOCKER=No
+DOCKER=Yes
 
 DONT_LOAD=
 
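Review bot: The new `<% if node[:networking][:firewall][:log] -%>` branch treats an unset attribute exactly like an explicit false, so a node whose attributes never define `log` renders `LOG_LEVEL="none"` and the firewall silently stops logging — a fail-open default for the audit trail, unless the cookbook's attributes file supplies a default that is not visible in this diff. The effect is wider than it looks, because `BLACKLIST_DEFAULT` further down the same template interpolates `$LOG_LEVEL` into `dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL`, so the toggle also suppresses logging of blacklist drops. I would make logging the default and only turn it off on an explicit false by inverting the test and swapping the branches: `<% if node[:networking][:firewall][:log] == false -%>` / `LOG_LEVEL="none"` / `<% else -%>` followed by the existing `LOG_LEVEL="info"`, or at minimum add an ERB comment at the conditional stating that the attribute must be truthy to keep firewall logging.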
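Review bot: The `raw` attribute now decides whether `UNTRACKED` is part of `BLACKLIST`, but nothing at the conditional says why the two are linked; the connection is that the UNTRACKED conntrack state only arises for packets exempted from tracking by NOTRACK/CT rules in the raw table, which is presumably what the `raw` attribute controls elsewhere in this cookbook. A one-line ERB comment above the `if` would spare the next reader the lookup, e.g. `<%# UNTRACKED only exists when NOTRACK rules are generated in the raw table -%>`.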
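Review bot: `DOCKER=Yes` is applied unconditionally to every node that renders this template, unlike the `log`, `raw` and `mangle` toggles introduced in the same commit, so hosts that never run Docker also get Shorewall's Docker integration switched on. If I read Shorewall's Docker support right, with this enabled Shorewall preserves Docker's own iptables chains across restarts and Docker's FORWARD-chain rules accept traffic to published container ports before the zone policies defined by this cookbook are consulted, so any restriction on container ports has to be expressed in the DOCKER-USER chain (or via Docker's own port bindings) rather than in the ordinary rules file. I would gate this on a node attribute the way the other options in this commit are, and annotate the setting with `# Docker-published ports bypass zone policy; restrict them in DOCKER-USER` so the bypass is not a surprise to whoever adds the next rule.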
@@ -211,10 +207,6 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-
-MODULE_SUFFIX=ko
-<%- end %>
 
 MULTICAST=No
@@ -222,11 +214,7 @@ MUTEX_TIMEOUT=60
 
 NULL_ROUTE_RFC1918=No
 
-<%- if node[:lsb][:release].to_f <= 14.04 %>
-OPTIMIZE=1
-<%- else %>
 OPTIMIZE=All
-<%- end %>
 
 OPTIMIZE_ACCOUNTING=No
 
@@ -250,7 +238,11 @@ SAVE_ARPTABLES=No
 
 SAVE_IPSETS=No
 
+<% if node[:networking][:firewall][:mangle] -%>
 TC_ENABLED=Internal
+<% else -%>
+TC_ENABLED=No
+<% end -%>
 
 TC_EXPERT=No
 
@@ -261,10 +253,8 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 
 USE_DEFAULT_RT=No
 
-<%- if node[:lsb][:release].to_f >= 18.04 %>
 USE_NFLOG_SIZE=No
-<%- end %>
 
 USE_PHYSICAL_NAMES=No