X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ad1da4a00772c18bbc6392d94c603208c7a8db05..eb10ee11cf967f641485a4124c337f52ce6b9939:/cookbooks/networking/templates/default/shorewall.conf.erb
diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb
index 03c7c6fff..17eef48da 100644
--- a/cookbooks/networking/templates/default/shorewall.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall.conf.erb
@@ -7,7 +7,7 @@ STARTUP_ENABLED=Yes
 ###############################################################################
-# V E R B O S I T Y
+# V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
@@ -28,7 +28,11 @@ FIREWALL=
 # L O G G I N G
 ###############################################################################
+<% if node[:networking][:firewall][:log] -%>
 LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
 BLACKLIST_LOG_LEVEL=
@@ -88,7 +92,7 @@ MODULESDIR=
 NFACCT=
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 PERL=/usr/bin/perl
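Review bot: The else branch `LOG_LEVEL="none"` silences more than the default rule log level: `BLACKLIST_DEFAULT` later in this same file expands `dropNotSyn:$LOG_LEVEL`, `dropInvalid:$LOG_LEVEL` and `DropDNSrep:$LOG_LEVEL`, so on hosts where `node[:networking][:firewall][:log]` is unset or false those drops leave no record in syslog. The attribute's default is not visible in this diff; if it defaults to false, the cookbook quietly turns off dropped-packet logging fleet-wide, which is exactly the evidence an incident investigation needs. I would add a comment above the block, `# LOG_LEVEL=none also disables the $LOG_LEVEL actions in BLACKLIST_DEFAULT; prefer LOGLIMIT over disabling logging on noisy hosts`, and consider rate limiting instead of a hard off switch. It is also worth confirming that the installed Shorewall release accepts `none` as a log level, since an unsupported value would presumably be rejected when the configuration is compiled.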
@@ -104,23 +108,15 @@ TC=
 # D E F A U L T A C T I O N S / M A C R O S
 ###############################################################################
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
-<%- else %>
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-<%- end %>
 ###############################################################################
-# R S H / R C P C O M M A N D S
+# R S H / R C P C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -144,17 +140,17 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-AUTOMAKE=No
-<%- else %>
 AUTOMAKE=Yes
-<%- end %>
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
+<% if node[:networking][:firewall][:raw] -%>
 BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
 CLAMPMSS=No
@@ -170,7 +166,7 @@ DETECT_DNAT_IPADDRS=No
 DISABLE_IPV6=No
-DOCKER=No
+DOCKER=Yes
 DONT_LOAD=
@@ -211,10 +207,6 @@ MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
-<%- if node[:lsb][:release].to_f <= 16.04 %>
-
-MODULE_SUFFIX=ko
-<%- end %>
 MULTICAST=No
@@ -222,11 +214,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-<%- if node[:lsb][:release].to_f <= 14.04 %>
-OPTIMIZE=1
-<%- else %>
 OPTIMIZE=All
-<%- end %>
 OPTIMIZE_ACCOUNTING=No
@@ -250,7 +238,11 @@ SAVE_ARPTABLES=No
 SAVE_IPSETS=No
+<% if node[:networking][:firewall][:mangle] -%>
 TC_ENABLED=Internal
+<% else -%>
+TC_ENABLED=No
+<% end -%>
 TC_EXPERT=No
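Review bot: The else branch `BLACKLIST="NEW,INVALID"` drops UNTRACKED from the connection states subject to blacklist filtering without saying why; presumably untracked packets only arise from NOTRACK rules in the raw table that this cookbook manages when `node[:networking][:firewall][:raw]` is set, but any NOTRACK rule added outside this template would then bypass the blacklist entirely on those hosts. A short comment would make the coupling explicit, e.g. `# UNTRACKED packets only exist when our raw-table rules create them; omit the state otherwise`. If the actual motivation is that the UNTRACKED state is unsupported on some hosts, the comment should say that instead, so a later change to the raw attribute does not silently widen the gap.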
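Review bot: `DOCKER=Yes` is set unconditionally, whereas every other behaviour change in this commit is gated on a `node[:networking][:firewall][...]` attribute. As I understand the option, Shorewall then preserves the chains Docker installs instead of replacing them, so ports Docker publishes are reachable according to Docker's own rules rather than the zone policies in this cookbook; that is a deliberate trade-off on container hosts but a surprising one everywhere else. I would gate it like the other options, e.g. `DOCKER=<%= node[:networking][:firewall][:docker] ? "Yes" : "No" %>` with a matching attribute default, or at least add `# Docker-published ports bypass the rules file when DOCKER=Yes` above the line so the exposure is documented.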
@@ -261,10 +253,8 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=No
-<%- if node[:lsb][:release].to_f >= 18.04 %>
 USE_NFLOG_SIZE=No
-<%- end %>
 USE_PHYSICAL_NAMES=No