path: root/guest-firewall.yml
Diffstat (limited to 'guest-firewall.yml')
-rw-r--r--guest-firewall.yml18
1 files changed, 18 insertions, 0 deletions
diff --git a/guest-firewall.yml b/guest-firewall.yml
new file mode 100644
index 0000000..eab04ec
--- /dev/null
+++ b/guest-firewall.yml
@@ -0,0 +1,18 @@
+- hosts: vms
+ become: true
+ vars:
+ nft_enabled: true
+ nft_main_conf_content: "templates/etc/nftables.conf.j2"
+ nft_flush_table_target: 'inet filter'
+ nft_output_default_rules:
+ 000 policy:
+ - type filter hook output priority 0; policy accept;
+ nft_input_rules:
+ 014 allow snmp:
+ - udp dport 161 accept
+ - tcp dport 161 accept
+ 014 allow icmp ping:
+ - meta l4proto icmp icmp type { echo-request, echo-reply } counter accept
+ - meta l4proto ipv6-icmp icmpv6 type { echo-request, echo-reply } counter accept
+ roles:
+ - role: ipr-cnrs.nftables
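Review bot: The `014 allow snmp` entries (`udp dport 161 accept`, `tcp dport 161 accept`) accept SNMP from any source, while a poller normally needs reach from only a known monitoring address; scoping them, e.g. `ip saddr <monitoring-host-ip> udp dport 161 accept` (plus an `ip6 saddr` counterpart if IPv6 polling is expected), keeps the agent's exposure to the intended host, and if the poller does not use SNMP over TCP the second entry can be dropped. The effective input policy and connection-tracking rules come from the role's defaults rather than from this file (no `nft_input_default_rules` is set here), so a one-line comment above `nft_input_rules` stating the intended default policy would let a reader judge the exposure without opening the role. Both rule groups share the `014` prefix; the role appears to order rules by key, so giving the ICMP group its own prefix (e.g. `015 allow icmp ping`) makes the intended ordering explicit rather than relying on string sort of the remainder. The rendered page has lost the playbook's indentation, so the nesting under `vars:` cannot be checked from here; adding a leading `---` document marker would also satisfy yamllint's document-start rule.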