From 3ef5d11bdff92bf73ccd35bc6af5823a60d51f3b Mon Sep 17 00:00:00 2001
From: Jelle van der Waa
Date: Thu, 12 Aug 2021 21:13:27 +0200
Subject: [PATCH] Update firewalld.conf

---
 roles/firewalld/templates/firewalld.conf.j2 | 23 +++++++++------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/roles/firewalld/templates/firewalld.conf.j2 b/roles/firewalld/templates/firewalld.conf.j2
index 12742221..2cbf0f3d 100644
--- a/roles/firewalld/templates/firewalld.conf.j2
+++ b/roles/firewalld/templates/firewalld.conf.j2
@@ -7,10 +7,17 @@ DefaultZone=public
 
 # Clean up on exit
 # If set to no or false the firewall configuration will not get cleaned up
-# on exit or stop of firewalld
+# on exit or stop of firewalld.
 # Default: yes
 CleanupOnExit=yes
 
+# Clean up kernel modules on exit
+# If set to yes or true the firewall related kernel modules will be
+# unloaded on exit or stop of firewalld. This might attempt to unload
+# modules not originally loaded by firewalld.
+# Default: no
+CleanupModulesOnExit=no
+
 # Lockdown
 # If set to enabled, firewall changes with the D-Bus interface will be limited
 # to applications that are listed in the lockdown whitelist.
@@ -45,6 +52,8 @@ LogDenied=off
 # Choices are:
 # - nftables (default)
 # - iptables (iptables, ip6tables, ebtables and ipset)
+# Note: The iptables backend is deprecated. It will be removed in a future
+# release.
 FirewallBackend=nftables
 
 # FlushAllOnReload
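Review bot: Nothing in the template records which firewalld release it mirrors, and this hunk makes that matter: `CleanupModulesOnExit` is presumably unknown to older firewalld versions, while the last hunk removes `AllowZoneDrifting`, which older versions still read (the deleted comment gives its default as "no", so the effective setting should not change, but it now depends on the package default rather than on the role). A header comment such as `# Mirrors the default firewalld.conf of firewalld <TARGET_VERSION>` would let whoever applies the role check it against the installed package. Whether firewalld warns on or rejects keys it does not know is not visible here, so that is worth confirming before rolling the template out to hosts with mixed firewalld versions.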
@@ -61,15 +70,3 @@ FlushAllOnReload=yes
 # internet.
 # Defaults to "yes".
 RFC3964_IPv4=yes
-
-# AllowZoneDrifting
-# Older versions of firewalld had undocumented behavior known as "zone
-# drifting". This allowed packets to ingress multiple zones - this is a
-# violation of zone based firewalls. However, some users rely on this behavior
-# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
-# desire such behavior. It's disabled by default for security reasons.
-# Note: If "yes" packets will only drift from source based zones to interface
-# based zones (including the default zone). Packets never drift from interface
-# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no