CIS + inital
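--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,59 @@
+---
+# Secure Firewall Role - Default Variables
+
+# Firewall backend (ufw or iptables)
+firewall_backend: ufw
+
+# Default policies
+firewall_default_input_policy: deny
+firewall_default_output_policy: allow
+firewall_default_forward_policy: deny
+
+# VPN-only mode: Only allow management access from specified networks/IPs
+vpn_only_mode: true
+
+# Management access sources
+# Can be:
+# - VPN network CIDR (e.g., "10.100.0.0/24" for admin VPN)
+# - Single IP (e.g., "185.112.147.205" for ValleyForge public IP)
+# - List of both
+management_allowed_sources: []
+# Example:
+# management_allowed_sources:
+# - "10.100.0.0/24" # Admin VPN network
+# - "185.112.147.205" # ValleyForge public IP
+
+# Management ports (restricted to management_allowed_sources if vpn_only_mode is true)
+management_ports:
+  - port: 22
+    proto: tcp
+    comment: "SSH"
+  - port: 80
+    proto: tcp
+    comment: "HTTP"
+  - port: 443
+    proto: tcp
+    comment: "HTTPS"
+  - port: 8080
+    proto: tcp
+    comment: "Outline Manager"
+  - port: 8065
+    proto: tcp
+    comment: "Mattermost"
+  - port: 8443
+    proto: tcp
+    comment: "Nextcloud HTTPS"
+
+# Public ports (always accessible from internet)
+public_ports:
+  - port: 51820
+    proto: udp
+    comment: "WireGuard VPN"
+
+# Rate limiting for SSH
+ssh_rate_limit: true
+ssh_rate_limit_burst: 10
+ssh_rate_limit_rate: "30/minute"
+
+# Logging
+firewall_logging: "low" # off, low, medium, high, full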
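Review bot: The shipped defaults `vpn_only_mode: true` together with `management_allowed_sources: []` describe a state in which no source is permitted to reach any of `management_ports`, and port 22 is in that list, so a host converged with the untouched defaults is presumably locked out of SSH the moment the input policy goes to deny (the tasks that consume these variables are not on this page, so this is inferred from the comments on the variables). Document that on the empty default, e.g. `# REQUIRED when vpn_only_mode is true: an empty list leaves SSH and every other management port unreachable`, and have the task file fail early with an `assert` that the list is non-empty whenever `vpn_only_mode` is true, rather than applying a lockout silently. The commit is titled CIS, but `firewall_default_output_policy: allow` departs from the CIS ufw default-deny recommendation, which also covers outgoing traffic; if allow is a deliberate deviation, say so in the comment above it. Finally, the real public address `185.112.147.205` appears in two comments of a role defaults file; that kind of site-specific value belongs in inventory or group vars, not in the role's shipped comments.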