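# {{ ansible_managed }}
#
# ferm ruleset rendered by Ansible for a single host.
#
# Scope: IPv4 only (`domain (ip)`). The ip6tables chains are NOT touched by
# this file, so if IPv6 is enabled on the host it is unfiltered by this
# policy — confirm IPv6 is disabled or covered elsewhere before relying on
# the DROP default below.
domain (ip) {
    table filter {
        chain INPUT {
            # Default deny: anything not explicitly accepted below is dropped,
            # and logged by the NFLOG rule at the end of the chain.
            policy DROP;

            # Connection tracking: discard malformed / untrackable packets
            # first, then let replies to connections we initiated through.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Loopback traffic is unrestricted.
            interface lo ACCEPT;

            # Respond to ping. Only echo-request is accepted (the previous
            # rule accepted every ICMP type, e.g. unsolicited redirects).
            # ICMP errors for existing flows (dest-unreachable, frag-needed,
            # ttl-exceeded) are RELATED and already matched above, so PMTUD
            # and traceroute replies keep working.
            proto icmp icmp-type echo-request ACCEPT;

            # SSH from any source.
            # NOTE(review): no saddr restriction and no connection rate limit
            # here; if the management network is known, tighten via the
            # `firewall` rule list below rather than leaving this open.
            proto tcp dport ssh ACCEPT;

{% if group == "galera" %}
            # Allow Galera servers to access each other for syncing.
            # Limited to the management interface and to the management
            # addresses of the other cluster members rendered from inventory.
            interface {{ segment.mgmt.interface }} proto (tcp udp) dport (3306 4567 4568 4444) saddr ({{ ip.galera[segment.mgmt.network] | map(attribute='address') | join(' ') }}) ACCEPT;
{% endif %}

{% if firewall is defined %}
{% for rule in firewall %}
            # {{ rule.description }}
            # NOTE(review): proto, port and source are rendered as scalars; a
            # list value must be supplied in ferm's `(a b)` form by the caller,
            # and every rule is an unconditional ACCEPT on its segment.
            interface {{ segment[rule.segment].interface }} proto {{ rule.proto }} dport {{ rule.port }} saddr {{ rule.source }} ACCEPT;
{% endfor %}
{% endif %}

            # Log what is about to be dropped by the chain policy.
            # Rate-limited so an unsolicited packet flood cannot saturate the
            # NFLOG consumer or the log volume; packets beyond the limit are
            # still dropped, just not logged. Tune the limit for the host's
            # expected background noise.
            mod limit limit 5/minute limit-burst 20 NFLOG nflog-group 1 nflog-prefix 'DROP: ';
        }

        chain OUTPUT {
            # Outbound traffic is unrestricted. The state rule is redundant
            # under `policy ACCEPT`; it is kept so the chain reads
            # symmetrically with INPUT and survives a later policy change.
            policy ACCEPT;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }

        chain FORWARD {
            # This host does not route traffic for others.
            policy DROP;
        }
    }
}

# Host-specific additions. Rules from ferm.d/ are appended after the rules
# above and can open further ports; review that directory together with
# this file when auditing the host's exposure.
@include ferm.d/;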