ansible-role-csf/defaults/main.yml
Aaron Guise d4366fef2a
feat: Initial Project 🎉
2024-08-20 11:11:35 +12:00


---
# csf/defaults/main.yml
# Working directory on the managed host; presumably where the csf archive is
# staged and unpacked (confirm against the role's tasks). /usr/src is normally
# writable by root only. If you override it, avoid world-writable locations
# such as /tmp, since the csf installer is expected to run from here as root.
csf_tmp_dir: "/usr/src"

# OS packages the role expects to be present alongside csf.
csf_required_packages:
  - iptables
  - perl
  - unzip
  - tar
  - net-tools
# Core csf.conf settings as option/value pairs. Values are quoted so they stay
# strings. How this list is combined with csf_global_ini is not visible in
# this file.
csf_global_ini_core:
  # TESTING "0" switches csf out of testing mode: the safety cron job that
  # periodically clears the rules is no longer installed and lfd is allowed to
  # start. A wrong port list therefore takes effect permanently on first apply.
  - option: TESTING
    value: "0"
  # AUTO_UPDATES "1" lets csf check for and install newer versions of itself
  # from its upstream download server. This is an unattended code update
  # running as root; set "0" if firewall upgrades must go through change
  # control or a pinned artifact.
  - option: AUTO_UPDATES
    value: "1"
  # Port(s) lfd associates with sshd for login-failure blocking. Uses the
  # inventory's ansible_port and falls back to 22 when it is undefined.
  # NOTE(review): if sshd listens on a non-default port that is configured
  # outside the inventory (e.g. in an SSH client config), this resolves to 22.
  # Set ansible_port explicitly for such hosts.
  - option: PORTS_sshd
    value: "{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}"
# General csf.conf settings as option/value pairs (hardening switches and the
# allowed-port lists). Override per environment; the port lists below are
# broad.
csf_global_ini:
  # "2" disables the csf web UI's ability to change settings.
  - option: RESTRICT_UI
    value: "2"
  # NOTE(review): in csf.conf, RESTRICT_SYSLOG "2" only silences the warning
  # about log spoofing through the syslog socket; it does not restrict
  # anything. "3" (limit syslog access to RESTRICT_SYSLOG_GROUP) is the
  # setting that mitigates it. Confirm "2" is a deliberate choice.
  - option: RESTRICT_SYSLOG
    value: "2"
  # "2" selects Perl LWP for csf's outbound fetches (updates, blocklists).
  # NOTE(review): the LWP/HTTPS Perl modules are not listed in
  # csf_required_packages; verify they are installed on the target.
  - option: URLGET
    value: "2"
  # Use the iptables conntrack match instead of the older state match.
  - option: USE_CONNTRACK
    value: "1"
  # Inbound TCP: web, the SSH port taken from ansible_port (22 if undefined),
  # and the whole 30000:65535 range.
  # NOTE(review): the high range exposes any service that binds there (debug
  # listeners, databases on non-default ports, passive FTP). Narrow it to the
  # ports the host actually serves. With TESTING "0", an SSH port that is not
  # reflected in ansible_port is left closed and management access is lost.
  - option: TCP_IN
    value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
  # Outbound TCP allow-list. Egress to 30000:65535 is also open, which limits
  # the value of this list as an exfiltration / C2 control; tighten it where
  # the workload allows.
  - option: TCP_OUT
    value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
  # Inbound UDP: DNS only. Needed only when the host answers DNS queries;
  # otherwise this can be emptied.
  - option: UDP_IN
    value: "53"
  # Outbound UDP allow-list, including the 30000:65535 range.
  - option: UDP_OUT
    value: "20,21,43,53,113,123,58745,30000:65535"
#csf_allow:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_ignore:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_pignore:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
#csf_fignore:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
#csf_blocklists:
# - "SPAMDROP"
#csf_dyndns:
# - "no-ip.com"
#csf_csfpre_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
#csf_csfpost_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
# Host based custom allow rules
#csf_allow_host:
# - 'tcp|in|d=22|s=1.1.1.1'
#csf_ignore_host:
# - '1.1.1.1'
#csf_pignore_host:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
#csf_fignore_host:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
#csf_blocklists_host:
# - "SPAMDROP"
#csf_dyndns_host:
# - "no-ip.com"
#csf_csfpre_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
#csf_csfpost_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING