Firewall
Overview of firewall protection
Some of the protections are:
- SYN cookie protection
- disable proxy-ARP
- ignore faulty ICMP answers
- ignore ICMP echo-broadcasts
- ICMP rate limit
- set tcp-fin-timeout to 30
- deny private networks
- block specific IPs
- limit the maximum number of concurrent TCP connections from one IP
- defend against portscans
- defend against ping-of-death
- deny invalid packets
In addition, only a very limited number of inbound and outbound ports are actually open; everything else is stealth.
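Several items in the list above are Linux kernel settings rather than filter rules, so they can be verified from a `sysctl -a` snapshot. The following added example (not part of this project's role) audits such a snapshot against those settings; the sysctl key names are the standard Linux keys and are assumed here, and the only value taken from the page is the FIN timeout of 30.

```shell
#!/bin/sh
# Kernel-level items from the protection list, as "key expected-value" pairs.
# Assumed standard Linux sysctl keys; the netfilter items (private networks,
# blocked IPs, connection limits, portscan / ping-of-death handling, invalid
# packets) are rules rather than sysctls and are not covered here.
expected_sysctls() {
  cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.proxy_arp 0
net.ipv4.conf.default.proxy_arp 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_fin_timeout 30
EOF
}

# audit_sysctl FILE: FILE holds "key = value" lines as printed by `sysctl -a`.
# Prints one line per deviation ("key expected=X actual=Y", with
# actual=missing when the key is absent); prints nothing when compliant.
audit_sysctl() {
  snapshot="$1"
  expected_sysctls | while read -r key want; do
    # Escape the dots so sed matches the key literally, not as a wildcard.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    have=$(sed -n "s/^$pattern *= *//p" "$snapshot" | head -n 1)
    if [ -z "$have" ]; then
      echo "$key expected=$want actual=missing"
    elif [ "$have" != "$want" ]; then
      echo "$key expected=$want actual=$have"
    fi
  done
}

# Constructed snapshot standing in for `sysctl -a` output on a host where
# SYN cookies are off and the FIN timeout still sits at the kernel default.
write_demo_snapshot() {
  cat > "$1" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_fin_timeout = 60
EOF
}

demo=$(mktemp)
write_demo_snapshot "$demo"
audit_sysctl "$demo"   # on a real host: sysctl -a > snap && audit_sysctl snap
rm -f "$demo"
```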
Configuring the firewall
Whenever you have changed any firewall configuration, deploy it by calling this:
Inbound and outbound port configuration
The firewall configuration lives in the common role and its default variables; all inbound and outbound ports are defined with these values:
You can override these values in your own inventory.