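---
nftables:
  # Define sets: each key becomes an nftables `define`, referenced in rules
  # as `$name` (see `$http` in the rules below)
  defines:
    http:
      - http
      - https
  # Use default table (`table inet filter`). If `tables` is defined, these
  # values are merged with the `tables:filter` table, with the `tables:filter`
  # values taking priority.
  chains:
    # Chain name
    input:
      # Chain hook (optional): `prerouting`, `input`, `forward`, `output`,
      # `postrouting`, or `ingress`
      hook: input
      # Chain type (optional): ignored if no `hook` is set (default: `filter`)
      type: filter
      # Chain priority (optional): (default: `0`)
      priority: 1
      # Default chain policy (optional): (default: implicitly `accept` as per
      # nftables default). `drop` makes this a default-deny chain: only
      # traffic matched by an `accept` rule below is allowed in.
      policy: drop
      # Chain rules: can be a string, list, or dict. All three forms are shown
      # below, but only ONE `rules` key may be active per chain: a duplicate
      # mapping key is silently last-wins in most YAML loaders (yamllint
      # `key-duplicates`), so the list and string forms are kept as commented
      # examples and the dict form is the live one.
      ## rules using a list
      # rules:
      #   - ct state invalid drop
      #   - ct state established,related accept
      #   - iif lo accept
      #   - tcp dport { ssh }} accept
      #   - tcp dport { $http }} accept
      #   - counter drop
      ## rules using a string
      # rules: |-
      #   ct state invalid drop
      #   ct state established,related accept
      #   iif lo accept
      #   tcp dport { ssh }} accept
      #   tcp dport { $http }} accept
      #   counter drop
      ## rules using a dict: values can be any valid rule value, including
      ## recursive dicts (useful for merging rules from multiple pillar
      ## files). The numeric key prefixes presumably fix the rule order after
      ## the merge — confirm against the formula's template.
      rules:
        100_general:
          - ct state invalid drop
          - ct state established,related accept
          - iif lo accept
        200_services:
          210_ssh:
            # NOTE(review): the `}}` after the set looks like a stray brace
            # (nft syntax is `{ ssh }`) — confirm how the formula renders it
            # before changing.
            - tcp dport { ssh }} accept
          220_http: |-
            tcp dport { $http }} accept
        999_default: |-
          counter drop
    output:
      hook: output
      # No `policy` given, so the nftables default (`accept`) applies to
      # anything not matched below.
      rules:
        - ct state invalid drop
        - ct state established,related accept
        - iif lo accept
        - tcp dport { ssh }} accept
        - tcp dport { $http }} accept
  # Use if multiple tables required. If `tables` is defined, `chains` is merged
  # with the `tables:filter` table, with these values taking priority.
  tables:
    # Table name
    firewall:
      # Table family: `ip`, `arp`, `ip6`, `bridge`, `inet`, or `netdev`
      # (default: `inet`)
      family: ip
      # chains: (same structure as the top-level `chains` above; kept as a
      # comment so the placeholder does not load as a string where a mapping
      # is expected)
    firewall_ip6:
      family: ip6
      # chains: (as above)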