feat(security): moved nftables reserved networks behind a feature flag and no longer block 0.0.0.0/8 and 169.254.0.0/16 by default to ease DHCP and APIPA configuration

This commit is contained in:
NaeiKinDus 2024-12-27 00:00:00 +00:00
parent 667c7de87e
commit 21185a17c4
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
3 changed files with 14 additions and 3 deletions


@ -8,6 +8,7 @@ security_firewall_filter_policy_forward: drop
security_firewall_filter_policy_input: drop
security_firewall_filter_policy_output: drop
security_firewall_mangle_drop_privatenets: true
security_firewall_mangle_drop_reservednets: true
security_firewall_mangle_policy_forward: drop
security_firewall_mangle_policy_output: accept
security_firewall_mangle_policy_postrouting: accept
@ -18,3 +19,13 @@ security_firewall_nat_policy_postrouting: accept
security_firewall_nat_policy_prerouting: accept
security_ssh_port: 22
security_sysctl_configuration: {}
security_firewall_reserved_nets_ip4:
# - 0.0.0.0/8 # if blocked, will block DHCP provisioning
# - 169.254.0.0/16 # if blocked, will block DHCP provisioning
- 192.0.2.0/24
- 192.88.99.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 233.252.0.0/24
- 240.0.0.0/4
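Review bot: The comment on the commented-out `# - 169.254.0.0/16` entry gives the wrong reason: that range is IPv4 link-local/APIPA (RFC 3927), which hosts fall back to when DHCP fails, whereas it is `0.0.0.0/8` that DHCP DISCOVER/REQUEST packets use as their source, so only the first comment is accurate. I would change the second line to `# - 169.254.0.0/16 # link-local/APIPA (RFC 3927); blocking it breaks APIPA fallback`, so that an operator re-enabling one of the two knows which behaviour they are giving up. The remaining entries would also benefit from a short per-line reason (RFC 5737 documentation nets, 6to4 relay anycast, multicast, MCAST-TEST-NET, class E), since the list is now an overridable variable rather than a fixed rule. Separately, `240.0.0.0/4` covers the limited-broadcast address 255.255.255.255, which DHCP clients send to; if the mangle rule built from this list matches on destination as well as source (the rule template is not in this hunk, so this is inferred), un-blocking `0.0.0.0/8` alone will not fully restore DHCP, and the variable's comment should say which direction the drop applies to.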