forked from likg/ansible-role-csf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
67 lines (55 loc) · 1.29 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
# csf/defaults/main.yml
csf_tmp_dir: "/usr/src"
csf_required_packages:
- iptables
- perl
- unzip
- tar
- net-tools
csf_global_ini_core:
- option: TESTING
value: "0"
- option: AUTO_UPDATES
value: "1"
- option: PORTS_sshd
value: "{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}"
csf_global_ini:
- option: RESTRICT_UI
value: "2"
- option: RESTRICT_SYSLOG
value: "2"
- option: URLGET
value: "2"
- option: USE_CONNTRACK
value: "1"
- option: TCP_IN
value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: TCP_OUT
value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: UDP_IN
value: "53"
- option: UDP_OUT
value: "20,21,43,53,113,123,58745,30000:65535"
#csf_allow:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_ignore:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_pignore:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
#csf_fignore:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
#csf_blocklists:
# - "SPAMDROP"
#csf_dyndns:
# - "no-ip.com"
#csf_csfpre_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
#csf_csfpost_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING