move defaults to variables and clean up

2021-09-17 03:42:30 +02:00 · 2021-09-17 03:42:30 +02:00 · c9088a7a24
commit c9088a7a24
parent 6c659413c2
2 changed files with 32 additions and 16 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -3,6 +3,7 @@ firewall:
    all:
      statement: accept
      matches: ~
+      priority: 1000
    input: {}
    forward: {}
    output: {}
@ -12,9 +13,32 @@ firewall:
    nat6_postrouting: {}
  chains:
    input:
+      "statefull-invalid":
+        matches: ct state invalid
+        priority: 240
+        statement: drop
+      "statefull-accept":
+        matches: ct state established,related
+        priority: 250
+      allow_localhost:
+        matches: iif lo
+        priority: 500
+      allow_icmp:
+        matches: ip protocol icmp
+        priority: 500
+      allow_icmp6:
+        matches: ip6 nexthdr icmpv6
+        priority: 500
      allow_ssh: tcp dport ssh
    output: {}
-    forward: {}
+    forward:
+      "statefull-invalid":
+        matches: ct state invalid
+        priority: 240
+        statement: drop
+      "statefull-accept":
+        matches: ct state established,related
+        priority: 250
    nat_prerouting: {}
    nat_postrouting: {}
    nat6_prerouting: {}