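#!/usr/sbin/nft -f
# Ansible managed — do not edit by hand. Source: roles/base (ADR-020).
#
# Host firewall for the inet (IPv4 + IPv6) family. Rendered by Ansible: every
# {{ ... }} below is interpolated verbatim into the ruleset, so inventory values
# are effectively firewall code — keep them to plain addresses/ports/protocols.

# Atomic replacement of the whole ruleset, including tables owned by other
# software on the host (container runtimes, fail2ban, ...). Those either re-add
# their rules after this runs or ship a drop-in (see the include at the end).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iifname "lo" accept

        # Replies to connections this host opened, and related flows (e.g. ICMP errors).
        ct state established,related accept
        # Packets conntrack cannot associate with any flow.
        ct state invalid drop

        # SSH: any source on the management interface ...
        iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
        # ... plus the control node and the admin addresses from any interface.
        # "ip"/"ip6" is chosen per address: in the inet family "ip saddr" matches
        # IPv4 only, and an IPv6 literal in it fails to load, so the previous
        # form silently required v4-only inventory values.
{% if base__firewall_control_addr %}
        {{ 'ip6' if ':' in base__firewall_control_addr else 'ip' }} saddr {{ base__firewall_control_addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endif %}
{% for addr in base__firewall_admin_addrs %}
        {{ 'ip6' if ':' in addr else 'ip' }} saddr {{ addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endfor %}

        # ICMP is accepted for all types (ping, PMTUD). "meta l4proto" is used for
        # IPv6 because "ip6 nexthdr" only inspects the first header and would miss
        # ICMPv6 behind an extension header — under policy drop that silently
        # breaks NDP / PMTU for such packets.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Per-service allow-lists. base__firewall_resolved is a list of
        # {sources, proto, port}; sources are split by family, and an empty set
        # "{ }" is never emitted — nft rejects it and the whole ruleset would
        # fail to load, leaving the host on the previous rules.
{% for r in base__firewall_resolved %}
{% set v4 = r.sources | reject('search', ':') | list %}
{% set v6 = r.sources | select('search', ':') | list %}
{% if v4 %}
        ip saddr { {{ v4 | join(', ') }} } {{ r.proto }} dport {{ r.port }} accept
{% endif %}
{% if v6 %}
        ip6 saddr { {{ v6 | join(', ') }} } {{ r.proto }} dport {{ r.port }} accept
{% endif %}
{% endfor %}
    }

    # Forwarding is open only when base__firewall_input_only is true (the host
    # filters inbound traffic only); otherwise nothing is forwarded.
    chain forward { type filter hook forward priority 0; policy {{ 'accept' if base__firewall_input_only | bool else 'drop' }}; }

    # Outbound traffic is unrestricted.
    chain output { type filter hook output priority 0; policy accept; }
}

# Site/role specific additions. Files in this directory are loaded with the
# same authority as this ruleset, so the directory must be writable by root
# only. NOTE(review): whether a glob matching no file is an error depends on
# the nft release — confirm on the target hosts.
include "{{ base__firewall_dropin_dir }}/*.nft"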