X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/faf8ae12e85eabb050b0f5eceb2cb67ad1de5261..2c3bb4b02302a37e1c14e045833feb71b5a3130d:/cookbooks/networking/templates/default/shorewall6.conf.erb
diff --git a/cookbooks/networking/templates/default/shorewall6.conf.erb b/cookbooks/networking/templates/default/shorewall6.conf.erb
index 008fc6a9f..a98408e0b 100644
--- a/cookbooks/networking/templates/default/shorewall6.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall6.conf.erb
@@ -12,128 +12,241 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
+###############################################################################
+# P A G E R
+###############################################################################
+
+PAGER=
+
+###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
 ###############################################################################
 # L O G G I N G
 ###############################################################################
-LOGFILE=/var/log/messages
+<% if node[:networking][:firewall][:log] -%>
+LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
 LOG_VERBOSITY=2
-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="%s %s "
+
+LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
-LOGRATE=
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
-LOGBURST=
+RELATED_LOG_LEVEL=
-LOGALLNEW=
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
-BLACKLIST_LOGLEVEL=
+SMURF_LOG_LEVEL="$LOG_LEVEL"
-TCP_FLAGS_LOG_LEVEL=info
+STARTUP_LOG=/var/log/shorewall6-init.log
-SMURF_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+
+UNTRACKED_LOG_LEVEL=
 ###############################################################################
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
+CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
 IP6TABLES=
 IP=
-TC=
-
 IPSET=
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+LOCKFILE=
+
+MODULESDIR=
-SHOREWALL_SHELL=/bin/sh
+NFACCT=
-SUBSYSLOCK=""
+PERL=/usr/bin/perl
-MODULESDIR=
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+RESTOREFILE=restore
-RESTOREFILE=
+SHOREWALL_SHELL=/bin/sh
-LOCKFILE=
+SUBSYSLOCK=""
+
+TC=
 ###############################################################################
 # D E F A U L T A C T I O N S / M A C R O S
 ###############################################################################
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 # R S H / R C P C O M M A N D S
 ###############################################################################
-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
 # F I R E W A L L O P T I O N S
 ###############################################################################
-IP_FORWARDING=Off
+ACCOUNTING=Yes
-TC_ENABLED=No
+ACCOUNTING_TABLE=filter
-TC_EXPERT=No
+ADMINISABSENTMINDED=Yes
-CLEAR_TC=No
+AUTOCOMMENT=Yes
-MARK_IN_FORWARD_CHAIN=No
+AUTOHELPERS=Yes
+
+AUTOMAKE=Yes
+
+BALANCE_PROVIDERS=No
+
+BASIC_FILTERS=No
+
+<% if node[:networking][:firewall][:raw] -%>
+BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
 CLAMPMSS=No
-MUTEX_TIMEOUT=60
+CLEAR_TC=No
-ADMINISABSENTMINDED=Yes
+COMPLETE=No
-BLACKLISTNEWONLY=Yes
+DEFER_DNS_RESOLUTION=Yes
-MODULE_SUFFIX=ko
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
 FASTACCEPT=No
-IMPLICIT_CONTINUE=Yes
+<% if 
node[:networking][:firewall][:mark] -%>
+FORWARD_CLEAR_MARK=Yes
+<% else -%>
+FORWARD_CLEAR_MARK=No
+<% end -%>
-HIGH_ROUTE_MARKS=No
+HELPERS=
-OPTIMIZE=1
+IGNOREUNKNOWNVARIABLES=No
-EXPORTPARAMS=Yes
+IMPLICIT_CONTINUE=No
-EXPAND_POLICIES=Yes
+INLINE_MATCHES=No
-KEEP_RT_TABLES=Yes
+IPSET_WARNINGS=Yes
-DELETE_THEN_ADD=Yes
+IP_FORWARDING=Keep
-DONT_LOAD=
+KEEP_RT_TABLES=No
-AUTO_COMMENT=Yes
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
 MANGLE_ENABLED=Yes
-AUTOMAKE=No
+MARK_IN_FORWARD_CHAIN=No
+
+MINIUPNPD=No
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=All
+
+OPTIMIZE_ACCOUNTING=No
+
+PERL_HASH_SEED=0
+
+REJECT_ACTION=
-WIDE_TC_MARKS=No
+REQUIRE_INTERFACE=No
-TRACK_PROVIDERS=No
+RESTART=restart
-ZONE2ZONE=2
+RESTORE_DEFAULT_ROUTE=Yes
+
+RESTORE_ROUTEMARKS=Yes
+
+SAVE_IPSETS=No
+
+<% if node[:networking][:firewall][:mangle] -%>
+TC_ENABLED=Shared
+<% else -%>
+TC_ENABLED=No
+<% end -%>
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=Yes
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_NFLOG_SIZE=No
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+VERBOSE_MESSAGES=Yes
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZERO_MARKS=No
+
+ZONE2ZONE=
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
@@ -141,6 +254,34 @@ ZONE2ZONE=2
 BLACKLIST_DISPOSITION=DROP
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+SFILTER_DISPOSITION=DROP
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 #LAST LINE -- DO NOT REMOVE
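Review bot: `AUTOHELPERS=Yes` together with the empty `HELPERS=` and `LOAD_HELPERS_ONLY=Yes` leaves conntrack-helper selection at Shorewall's default, which as far as I recall shorewall.conf(5) means every helper it knows (ftp, sip, h323, irc, tftp, …) gets loaded and auto-associated with its standard ports; nothing in this template shows which, if any, of those ALGs the hosts actually need. Each enabled helper is a kernel-side parser of untrusted payload and the classic way for conntrack to admit RELATED traffic the rules never intended, which is why the netfilter project recommends enabling helpers only by explicit, minimal list. Unless a role depends on an ALG I would set `AUTOHELPERS=No` (helpers then bind only through explicit conntrack-file entries) or drive `HELPERS=` from a node attribute naming just the required ones, with a comment such as `# conntrack helpers parse untrusted payload in the kernel; keep this list minimal` above `HELPERS=`. Separately, `IP_FORWARDING=Keep` replaces the old explicit `IP_FORWARDING=Off`, so IPv6 forwarding is now whatever sysctl leaves it — fine if the cookbook manages `net.ipv6.conf.all.forwarding` elsewhere, but a one-line comment on that setting saying where would stop the next reader from assuming the firewall still pins it off.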
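Review bot: `INVALID_DISPOSITION=CONTINUE`, paired with the empty `INVALID_LOG_LEVEL=` added earlier in this file, means state-INVALID packets are neither dropped nor logged at this stage and fall through to the ordinary rule set, so they are stopped only where a later rule or the zone policy happens to reject them. That is Shorewall's traditional behaviour, so it is not a regression, and as far as this template shows the `dropInvalid:$LOG_LEVEL` entry in `BLACKLIST_DEFAULT` only applies to traffic that already hit the blacklist action rather than to INVALID packets in general. If the host's policies broadly ACCEPT inbound service traffic, consider `INVALID_DISPOSITION=DROP` with `INVALID_LOG_LEVEL="$LOG_LEVEL"`, or at minimum the log level alone, so stray or out-of-window segments become visible whenever `node[:networking][:firewall][:log]` is on; either change wants a soak test first, since some legitimate IPv6 flows (asymmetric paths, long-idle connections) can surface as INVALID.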