authorEgor Tensin <egor@tensin.name>2024-03-06 09:27:43 +0100
committerEgor Tensin <egor@tensin.name>2024-03-06 09:27:43 +0100
commit25ee5c21273774a790bbf019ce95eb6b1e73f6d6 (patch)
treef82c619b5ae39da63d6e26c1a14bde3cd52dd05f
parentv2.0.3 (diff)
downloadinfra-ansible-25ee5c21273774a790bbf019ce95eb6b1e73f6d6.tar.gz
infra-ansible-25ee5c21273774a790bbf019ce95eb6b1e73f6d6.zip
firewall: align directives
-rw-r--r--roles/firewall/templates/rules.v4.j22
-rw-r--r--roles/firewall/templates/rules.v6.j28
2 files changed, 5 insertions, 5 deletions
diff --git a/roles/firewall/templates/rules.v4.j2 b/roles/firewall/templates/rules.v4.j2
index 1bfeb94..ff77f59 100644
--- a/roles/firewall/templates/rules.v4.j2
+++ b/roles/firewall/templates/rules.v4.j2
@@ -12,7 +12,7 @@
-A INPUT -i lo -j ACCEPT
# Accept any packet for an open connection:
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The SSH port is always open:
diff --git a/roles/firewall/templates/rules.v6.j2 b/roles/firewall/templates/rules.v6.j2
index 2e94e25..5e46ce1 100644
--- a/roles/firewall/templates/rules.v6.j2
+++ b/roles/firewall/templates/rules.v6.j2
@@ -12,7 +12,7 @@
-A INPUT -i lo -j ACCEPT
# Accept any packet for an open connection:
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The SSH port is always open:
@@ -49,10 +49,10 @@
#
# https://github.com/trailofbits/algo/blob/master/roles/common/templates/rules.v6.j2
#
--A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
--A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
--A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
# Log denies (this must be at the bottom of the file):
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables denied: " --log-level 4