Initial commit, squashed
This commit is contained in:
commit
158e8740b8
83 changed files with 2718 additions and 0 deletions
50
roles/firewall/templates/conntrackd.conf.j2
Normal file
50
roles/firewall/templates/conntrackd.conf.j2
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
{% set fw = inventory_hostname.split('-')[1]|int -%}
|
||||
|
||||
Sync {
|
||||
Mode FTFW {
|
||||
# Add received rules immediately so we don’t need a
|
||||
# signal on failover.
|
||||
DisableExternalCache On
|
||||
}
|
||||
|
||||
UDP {
|
||||
Interface {{ iface_sync }}
|
||||
IPv6_address fe80::{{ fw }}
|
||||
IPv6_Destination_Address fe80::{{ 2 if fw == 1 else 1 }}
|
||||
Port 3780
|
||||
|
||||
# Recommended by manual.
|
||||
Checksum on
|
||||
RcvSocketBuffer 1249280
|
||||
SndSocketBuffer 1249280
|
||||
}
|
||||
|
||||
#Options {
|
||||
# TCPWindowTracking Off
|
||||
#}
|
||||
}
|
||||
|
||||
General {
|
||||
UNIX {
|
||||
Path /var/run/conntrackd.ctl
|
||||
}
|
||||
Syslog on
|
||||
|
||||
# Recommended by manual.
|
||||
HashLimit 524288
|
||||
NetlinkBufferSize 2097152
|
||||
NetlinkBufferSizeMaxGrowth 8388608
|
||||
|
||||
Filter From Kernelspace {
|
||||
# Don’t replicate rules for traffic from/to firewall.
|
||||
Address Ignore {
|
||||
IPv4_address 127.0.0.1/8
|
||||
IPv6_address ::1/128
|
||||
IPv6_address fe80::/64 # link-local addresses
|
||||
IPv4_address {{ wg_ip }}
|
||||
{% for address in interfaces | map(attribute='ip_addresses') | flatten | sort(attribute='address') %}
|
||||
IPv{{ address.family.value }}_address {{ address.address }}
|
||||
{% endfor %}
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue