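---
# Secure Firewall Role - Default Variables
#
# Role defaults: every value in this file is expected to be overridden from
# inventory / group_vars / host_vars where the default is not appropriate.
# Read the access-control section (vpn_only_mode, management_allowed_sources)
# before applying the role to a host you need to keep reaching.

# Firewall backend (ufw or iptables)
firewall_backend: ufw

# Default policies
# Inbound and forwarded traffic is denied unless a rule below allows it;
# outbound traffic is unrestricted by default.
firewall_default_input_policy: deny
firewall_default_output_policy: allow
firewall_default_forward_policy: deny

# VPN-only mode: Only allow management access from specified networks/IPs
# When true, every entry in management_ports is reachable only from
# management_allowed_sources, so that list must be populated (see below).
vpn_only_mode: true

# Management access sources
# Can be:
# - VPN network CIDR (e.g., "10.100.0.0/24" for admin VPN)
# - Single IP (e.g., "185.112.147.205" for ValleyForge public IP)
# - List of both
# The empty default is a placeholder, not a working configuration: with
# vpn_only_mode enabled there is no source from which SSH (port 22 below)
# is permitted. Set this in inventory before the role runs.
# NOTE(review): whether an empty list results in "no management access" or
# "unrestricted management access" is decided by the role's tasks, not by
# this file — confirm that behaviour so the failure mode of a forgotten
# override is a lockout rather than an exposure.
management_allowed_sources: []
# Example:
# management_allowed_sources:
#   - "10.100.0.0/24"  # Admin VPN network
#   - "185.112.147.205"  # ValleyForge public IP

# Management ports (restricted to management_allowed_sources if vpn_only_mode is true)
# HTTP/HTTPS (80/443) are deliberately in this restricted set rather than in
# public_ports: with vpn_only_mode enabled the web services are reachable
# only through the VPN. Move an entry to public_ports to expose it to the
# internet on purpose.
management_ports:
  - port: 22
    proto: tcp
    comment: "SSH"
  - port: 80
    proto: tcp
    comment: "HTTP"
  - port: 443
    proto: tcp
    comment: "HTTPS"
  - port: 8080
    proto: tcp
    comment: "Outline Manager"
  - port: 8065
    proto: tcp
    comment: "Mattermost"
  - port: 8443
    proto: tcp
    comment: "Nextcloud HTTPS"

# Public ports (always accessible from internet)
# Keep this list minimal: every entry here bypasses vpn_only_mode.
public_ports:
  - port: 51820
    proto: udp
    comment: "WireGuard VPN"

# Rate limiting for SSH
# NOTE(review): ufw's built-in `limit` action uses a fixed threshold
# (6 new connections per 30 s from one source) and takes no burst/rate
# parameters — confirm whether the two values below are honoured for the
# ufw backend or only for the iptables backend.
ssh_rate_limit: true
ssh_rate_limit_burst: 10
ssh_rate_limit_rate: "30/minute"

# Logging
# Keep the value quoted: an unquoted off is read as boolean false by
# YAML 1.1 loaders such as PyYAML, not as the string "off".
firewall_logging: "low"  # off, low, medium, high, full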