default[:networking][:firewall][:inet6] = []
default[:networking][:firewall][:http_rate_limit] = "-"
default[:networking][:firewall][:http_connection_limit] = "-"
+default[:networking][:firewall][:log] = true
+default[:networking][:firewall][:mark] = true
+default[:networking][:firewall][:raw] = true
+default[:networking][:firewall][:mangle] = true
default[:networking][:interfaces] = {}
default[:networking][:nameservers] = []
default[:networking][:search] = []
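Review bot: The four new `default[:networking][:firewall][...]` attributes are undocumented, and because they default to `true` a reader cannot tell from this file what a host opts out of by setting one to `false`. The names suggest they declare which netfilter features the kernel provides (drop logging, packet marking, the raw and mangle tables), but that is an inference; a short comment above the block such as `# Netfilter features shorewall may use; set to false on hosts whose kernel lacks the feature` would pin it down. It is also the natural place to note that a role in this commit sets all four to `false`, so hosts with that role run with firewall drop logging switched off.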
group "root"
mode 0o644
notifies :restart, "service[shorewall]"
+ only_if { node[:networking][:firewall][:raw] }
end
template "/etc/shorewall/policy" do
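Review bot: The new `only_if { node[:networking][:firewall][:raw] }` guard stops the template from being rendered when `raw` is false, but it does not remove a file that an earlier run already wrote, so a host whose attribute flips from true to false keeps the stale shorewall file on disk and shorewall keeps loading it. The guarded resource's opening line is outside the hunk, so which path it manages is not visible here; pairing it with a `file` resource for the same path using `action :delete` and `not_if { node[:networking][:firewall][:raw] }` (with the same `notifies`) would make the toggle symmetric. The shorewall6 template guarded in the next hunk has the same gap.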
group "root"
mode 0o644
notifies :restart, "service[shorewall6]"
+ only_if { node[:networking][:firewall][:raw] }
end
template "/etc/shorewall6/policy" do
# L O G G I N G
###############################################################################
+<% if node[:networking][:firewall][:log] -%>
LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
BLACKLIST_LOG_LEVEL=
BASIC_FILTERS=No
+<% if node[:networking][:firewall][:raw] -%>
BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
CLAMPMSS=No
SAVE_IPSETS=No
+<% if node[:networking][:firewall][:mangle] -%>
TC_ENABLED=Internal
+<% else -%>
+TC_ENABLED=No
+<% end -%>
TC_EXPERT=No
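Review bot: Each new `<% if node[:networking][:firewall][...] -%>` branch is bare, so the template does not say why `UNTRACKED` is dropped from `BLACKLIST` or why `TC_ENABLED` falls back to `No` when `raw` or `mangle` is off; the reader has to already know that Shorewall implements those with the raw and mangle tables, which is an inference from the attribute names rather than anything on the page. An ERB comment per branch, e.g. `<%# UNTRACKED blacklisting needs the raw table -%>` and `<%# traffic shaping needs the mangle table -%>`, would carry that. The `:log` branch deserves one as well, since `LOG_LEVEL="none"` silences logging of dropped packets and anyone relying on firewall logs for detection should see that called out: `<%# :log false disables drop logging entirely -%>`. The shorewall6.conf hunk that follows has the same bare conditionals (plus a `FORWARD_CLEAR_MARK` one on `:mark`) and would take the same comments.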
# L O G G I N G
###############################################################################
+<% if node[:networking][:firewall][:log] -%>
LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
BLACKLIST_LOG_LEVEL=
BASIC_FILTERS=No
+<% if node[:networking][:firewall][:raw] -%>
BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
CLAMPMSS=No
FASTACCEPT=No
+<% if node[:networking][:firewall][:mark] -%>
FORWARD_CLEAR_MARK=Yes
+<% else -%>
+FORWARD_CLEAR_MARK=No
+<% end -%>
HELPERS=
SAVE_IPSETS=No
+<% if node[:networking][:firewall][:mangle] -%>
TC_ENABLED=Shared
+<% else -%>
+TC_ENABLED=No
+<% end -%>
TC_EXPERT=No
default_attributes(
:networking => {
+ :firewall => {
+ :log => false,
+ :mark => false,
+ :raw => false,
+ :mangle => false
+ },
:interfaces => {
:external_ipv4 => {
:interface => "ens3",