Aaron Guise 021fa1999a
fix(ci): Applied yammlint fixes 🚨
2024-08-20 11:50:49 +12:00


---
# csf/defaults/main.yml
# Scratch directory for the role. The tasks that use it are not visible in
# this file; presumably the csf archive is downloaded and unpacked here.
# NOTE(review): if so, verify the archive against a pinned checksum before the
# installer runs as root, and keep this path writable by root only.
csf_tmp_dir: "/usr/src"
# Packages expected on the target host; the task that installs them is not
# shown in this file. csf itself is written in Perl and drives iptables.
# NOTE(review): URLGET is set to "2" further down, which per csf.conf selects
# LWP; the LWP Perl modules are not listed here, so confirm they are installed
# elsewhere.
csf_required_packages:
  - iptables
  - perl
  - unzip
  - tar
  - net-tools
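# Core csf options set by default, as a list of option/value pairs.
# Every value is quoted so that it is passed on as a string.
csf_global_ini_core:
  # Testing mode off, so loaded rules stay in place. csf's testing mode
  # periodically clears the rules as a lock-out safety net; with it disabled,
  # check that the management port is allowed before the first run.
  - option: TESTING
    value: "0"
  # csf fetches and installs new releases of itself, running as root.
  # NOTE(review): set to "0" where firewall code has to be vetted or pinned
  # before it reaches production hosts.
  - option: AUTO_UPDATES
    value: "1"
  # Port(s) csf treats as belonging to sshd. Taken from the port Ansible
  # connects on for this host, falling back to 22 when none is defined.
  # NOTE(review): ansible_port is the port the controller dials, which can
  # differ from the port sshd listens on (port forward, bastion host);
  # override this value in that case.
  - option: PORTS_sshd
    value: "{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}"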
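# General csf options set by default, as a list of option/value pairs.
# Port lists are comma separated; "a:b" is an inclusive port range.
csf_global_ini:
  # Per csf.conf: 0 = unrestricted UI, 1 = restricted UI, 2 = UI disabled.
  - option: RESTRICT_UI
    value: "2"
  # NOTE(review): per csf.conf, "2" only silences the warning about log
  # spoofing through the syslog socket and applies no mitigation; "3"
  # (restrict syslog access to a dedicated group) is the value csf
  # recommends. Confirm against the installed csf version.
  - option: RESTRICT_SYSLOG
    value: "2"
  # Per csf.conf: 1 = HTTP::Tiny, 2 = LWP, which is needed for HTTPS
  # retrieval of updates and blocklists.
  - option: URLGET
    value: "2"
  # Match connection state with the iptables conntrack module.
  - option: USE_CONNTRACK
    value: "1"
  # Inbound TCP: HTTP, HTTPS, the Ansible/SSH port and every port from 30000
  # upwards.
  # NOTE(review): the 30000:65535 range exposes any service that binds a high
  # port, and its purpose is not stated in this file. Narrow it to the ports
  # the host actually serves, or drop it, in host or group vars.
  - option: TCP_IN
    value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
  # Outbound TCP allow list.
  # NOTE(review): the list includes FTP (20, 21) and SMTP (25) plus the whole
  # 30000:65535 range, which limits how much egress filtering can contain a
  # compromised host. Trim it to the destinations the host needs.
  - option: TCP_OUT
    value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
  # Inbound UDP 53.
  # NOTE(review): presumably only needed when the host itself answers DNS
  # queries; replies to its own lookups are handled by connection tracking.
  # Confirm and remove otherwise.
  - option: UDP_IN
    value: "53"
  # Outbound UDP allow list.
  # NOTE(review): port 58745 and the 30000:65535 range are not explained in
  # this file; document or remove them.
  - option: UDP_OUT
    value: "20,21,43,53,113,123,58745,30000:65535"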
# csf_allow:
# - 10.10.10.10
# - 172.16.1.1/29
# csf_ignore:
# - 10.10.10.10
# - 172.16.1.1/29
# csf_pignore:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
# csf_fignore:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
# csf_blocklists:
# - "SPAMDROP"
# csf_dyndns:
# - "no-ip.com"
# csf_csfpre_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
# csf_csfpost_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
# Host-based custom rules: per-host (`_host`) variants of the lists above
# csf_allow_host:
# - 'tcp|in|d=22|s=1.1.1.1'
# csf_ignore_host:
# - '1.1.1.1'
# csf_pignore_host:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
# csf_fignore_host:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
# csf_blocklists_host:
# - "SPAMDROP"
# csf_dyndns_host:
# - "no-ip.com"
# csf_csfpre_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
# csf_csfpost_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING