minifirewall: remove RELATED
parent
dd0fd777c4
commit
94f45c6378
6 changed files with 13 additions and 12 deletions
|
@ -22,6 +22,7 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
* evocommit: search for other user info when logname(1) fails
|
||||
* evolinux-base: use seed for random time in periodic crontab
|
||||
* listupgrade: default cron execution time is randomized
|
||||
* minifirewall: remove RELATED
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
dest: /etc/default/minifirewall
|
||||
marker: "# {mark} {{ item.name }}"
|
||||
block: |
|
||||
/sbin/iptables -A INPUT -p tcp --sport {{ item.port }} --dport 1024:65535 -s {{ item.ip }} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/iptables -A INPUT -p tcp --sport {{ item.port }} --dport 1024:65535 -s {{ item.ip }} -m state --state ESTABLISHED -j ACCEPT
|
||||
loop: "{{ evobackup_client__hosts }}"
|
||||
notify: restart minifirewall
|
||||
when: evobackup_client__minifirewall.stat.exists
|
||||
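Review bot: Dropping RELATED from the `--state` match in this block means ICMP error packets tied to these backup flows (fragmentation-needed, port-unreachable — conntrack classifies those as RELATED, not ESTABLISHED) are no longer accepted by this rule, so unless an earlier generic `-m state --state RELATED` or ICMP accept rule exists in the chain, path-MTU discovery toward `{{ item.ip }}` can silently break. The same consideration applies to the evomaintenance task hunks (`@ -13,7` and `@ -182,7`), the ip6tables example hunk (`@ -84,12`, where IPv6 depends on ICMPv6 Packet-Too-Big being accepted) and both script hunks (`@ -320,7`, `@ -395,10`); I cannot see from these hunks whether such a generic rule is present. Whatever the answer, the intent deserves a comment above the block so the next reader does not re-add it, e.g. `# RELATED intentionally omitted here; ICMP errors for these flows must be accepted by a generic rule earlier in the chain`, adjusted to the actual arrangement. The enclosing task starts before this hunk.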
|
|
|
@ -13,7 +13,7 @@
|
|||
- name: minifirewall section for evomaintenance
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED -j ACCEPT"
|
||||
insertafter: "^# EvoMaintenance"
|
||||
loop: "{{ evomaintenance_hosts }}"
|
||||
notify: "{{ minifirewall_restart_handler_name }}"
|
||||
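Review bot: `ansible.builtin.lineinfile` with only `line:` and no `regexp:` checks whether the new text is present and inserts it when missing, so hosts already carrying the previous `ESTABLISHED,RELATED` line keep it and end up with both rules, the broader old one still active. Add a match on the stable prefix so the existing line is rewritten in place, e.g. `regexp: "^/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item | regex_escape }} -m state"`. The same applies to the `evomaintenance` task in the `@ -182,7` hunk.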
|
|
|
@ -84,12 +84,12 @@ NTPOK='0.0.0.0/0'
|
|||
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT
|
||||
|
||||
# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
# Example: allow output DNS, NTP and traceroute traffic
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||
|
|
|
@ -182,7 +182,7 @@
|
|||
- name: evomaintenance
|
||||
ansible.builtin.lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED -j ACCEPT"
|
||||
insertafter: "^# EvoMaintenance"
|
||||
loop: "{{ evomaintenance_hosts }}"
|
||||
|
||||
|
|
|
@ -320,7 +320,7 @@ fi
|
|||
for x in $DNSSERVEURS
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
|
||||
done
|
||||
|
||||
|
@ -395,10 +395,10 @@ $IPT -P INPUT DROP
|
|||
$IPT -P OUTPUT ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED -j ACCEPT
|
||||
$IPT -A OUTPUT -p udp -j DROP
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP
|
||||
|
||||
trap - INT TERM EXIT
|
||||
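Review bot: With the `--state` match narrowed to ESTABLISHED, the catch-all `$IPT -A OUTPUT -p udp -j DROP` (and its `$IPT6` twin) now also drops outbound UDP that conntrack marks RELATED, which previously passed; that only matters if a UDP conntrack helper (TFTP, SIP and the like) is loaded on these hosts, which I cannot tell from the hunk. If helpers are not used this is harmless, but it is a behaviour change the commit message does not mention, so a one-line comment above the DROP such as `# RELATED UDP (helper-expected flows) is dropped here on purpose` would record the decision. The enclosing script body continues outside the hunk.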
|
|