diff options
author | Egor Tensin <egor@tensin.name> | 2024-03-06 09:27:43 +0100 |
---|---|---|
committer | Egor Tensin <egor@tensin.name> | 2024-03-06 09:27:43 +0100 |
commit | 25ee5c21273774a790bbf019ce95eb6b1e73f6d6 (patch) | |
tree | f82c619b5ae39da63d6e26c1a14bde3cd52dd05f /roles | |
parent | v2.0.3 (diff) | |
download | infra-ansible-25ee5c21273774a790bbf019ce95eb6b1e73f6d6.tar.gz infra-ansible-25ee5c21273774a790bbf019ce95eb6b1e73f6d6.zip |
firewall: align directives
Diffstat (limited to 'roles')
-rw-r--r-- | roles/firewall/templates/rules.v4.j2 | 2 | ||||
-rw-r--r-- | roles/firewall/templates/rules.v6.j2 | 8 |
2 files changed, 5 insertions, 5 deletions
diff --git a/roles/firewall/templates/rules.v4.j2 b/roles/firewall/templates/rules.v4.j2 index 1bfeb94..ff77f59 100644 --- a/roles/firewall/templates/rules.v4.j2 +++ b/roles/firewall/templates/rules.v4.j2 @@ -12,7 +12,7 @@ -A INPUT -i lo -j ACCEPT # Accept any packet for an open connection: --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # The SSH port is always open: diff --git a/roles/firewall/templates/rules.v6.j2 b/roles/firewall/templates/rules.v6.j2 index 2e94e25..5e46ce1 100644 --- a/roles/firewall/templates/rules.v6.j2 +++ b/roles/firewall/templates/rules.v6.j2 @@ -12,7 +12,7 @@ -A INPUT -i lo -j ACCEPT # Accept any packet for an open connection: --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # The SSH port is always open: @@ -49,10 +49,10 @@ # # https://github.com/trailofbits/algo/blob/master/roles/common/templates/rules.v6.j2 # --A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT --A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT --A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT # Log denies (this must be at the bottom of the file): -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables denied: " --log-level 4 |