e2dbda1bec
Our deployment tests don't need to send E-mail messages. More to the point, they may perform actions which would like to send E-mail messages. Make sure, at the network level, they'll be prevented from doing so. Also allow all connections to egress from the loopback interface, so that services like mailman can connect to the Exim MTA on localhost. Add new rolevars for egress rules to support this, and also fix up some missing related vars in the iptables role's documentation. Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
15 lines
552 B
Django/Jinja
# If the bastion ipv4 or v6 addresses aren't available (because this
# job runs in an environment without them) just fall back to the
# defaults for the real bridge.
{% if bastion_ipv4 %}
bastion_ipv4: {{ bastion_ipv4 }}
{% endif %}
{% if bastion_ipv6 %}
bastion_ipv6: {{ bastion_ipv6 }}
{% endif %}
bastion_public_key: {{ bastion_public_key }}
iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
iptables_egress_rules:
- -o lo -j ACCEPT
- -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
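The two egress rules above only work as intended because of their order and because the `--tcp-flags` match restricts the REJECT to new connections. The following simulator is an added example, not code from this commit or from the iptables role; it assumes the role appends each `iptables_egress_rules` entry, in the listed order, to an OUTPUT chain whose default policy is ACCEPT, and the packets it classifies are constructed for illustration.

```python
"""Walk constructed outbound packets through the egress rules from the
template above, first match wins, the way an iptables OUTPUT chain does.
Assumption (not stated by the page): rules are appended in list order to
a chain with policy ACCEPT."""
import shlex

EGRESS_RULES = [  # copied verbatim from iptables_egress_rules above
    "-o lo -j ACCEPT",
    "-p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN "
    "-j REJECT --reject-with tcp-reset",
]


def parse_rule(rule):
    """Parse the subset of iptables options used on this page into a dict."""
    toks = shlex.split(rule)
    spec, i = {}, 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-m":              # match-extension name, no value to test
            i += 2
        elif opt == "--tcp-flags":   # MASK (flags examined) and COMP (flags set)
            spec["mask"] = set(toks[i + 1].split(","))
            spec["comp"] = set(toks[i + 2].split(","))
            i += 3
        else:                        # -o, -p, --dport, -j, --reject-with
            spec[opt] = toks[i + 1]
            i += 2
    return spec


def matches(spec, pkt):
    """pkt: dict with 'out' iface, 'proto', 'dport' (int) and 'flags' (set)."""
    if "-o" in spec and pkt["out"] != spec["-o"]:
        return False
    if "-p" in spec and pkt["proto"] != spec["-p"]:
        return False
    if "--dport" in spec and pkt["dport"] != int(spec["--dport"]):
        return False
    # --tcp-flags: of the flags in MASK, exactly those in COMP must be set
    if "mask" in spec and (pkt["flags"] & spec["mask"]) != spec["comp"]:
        return False
    return True


def verdict(pkt, rules=EGRESS_RULES, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for spec in map(parse_rule, rules):
        if matches(spec, pkt):
            if spec["-j"] == "REJECT":  # iptables default for tcp is icmp-port-unreachable
                return "REJECT " + spec.get("--reject-with", "icmp-port-unreachable")
            return spec["-j"]
    return policy
```

Swapping the two rules makes the loopback SMTP connection from mailman to the local Exim get a TCP reset, which is why `-o lo -j ACCEPT` has to come first.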