Ansible Role firewall

This role configures a firewall on the system. For the currently supported firewalls, see the options for the firewall__firewall variable below.

Mandatory Requirements

When using firewall__firewall == fwbuilder, you either need to manually deploy a Firewall Builder file to /etc/fwb.sh or use the firewall__fwbuilder_repo_url variable to clone the Firewall Builder files automatically.

Optional Requirements

When using firewall__firewall == iptables, you can place an iptables config file in your inventory, which will be deployed to the system. The file has to be placed into {{ inventory_dir }}/host_files/{{ inventory_hostname }}/etc/sysconfig/iptables.

Tags

Tag

What it does

Reload / Restart

firewall

Configures a firewall on the system

Stops and masks:

firewalld.service
fwb.service
iptables.service
nftables.service
ufw.service

Starts and unmasks the firewall which is defined in firewall__firewall

firewall:deploy_fwb_sh

Deploys the /etc/fwb.sh file for Firewall Builder

Restarts fwb.service

firewall:firewalld

Manages firewalld

Reloads firewalld.service

Optional Role Variables

Variable	Description	Default Value
`firewall__firewall`	Which firewall should be activated and configured. All other firewalls will be disabled. Possible options: `'None'` `'firewalld'` `'fwbuilder'` `'iptables'` `'nftables'` `'ufw'`	`'fwbuilder'`
`firewall__firewalld_ports__group_var` / `firewall__firewalld_ports__host_var`	List of dictionaries defining the FirewallD ports. Subkeys: `port`: Mandatory, string. Port or port range. `state`: Optional, string. State of the port. Either `enabled` or `disabled`. Defaults to `enabled.	`[]`
`firewall__firewalld_services__group_var` / `firewall__firewalld_services__host_var`	List of dictionaries defining the FirewallD services. Subkeys: `port`: Mandatory, string. Name of the service. `state`: Optional, string. State of the service. Either `enabled` or `disabled`. Defaults to `enabled.	`[]`
`firewall__fwbuilder_fw_file`	The name of the Firewall Builder file which will be created when compiling the firewall in Firewall Builder. Needed if `firewall__fwbuilder_repo_url` is used and if the Firewall name within Firewall Builder differs from `{{ inventory_hostname }}`	`{{ inventory_hostname }}`
`firewall__fwbuilder_repo_url`	The GIT repository URL to clone the compiled firewall files from.	`unset`

Example:

# optional
firewall__firewall: 'fwbuilder'
firewall__firewalld_ports__group_var: []
firewall__firewalld_ports__host_var:
  - port: '1234/tcp'
    state: 'enabled'
firewall__firewalld_services__group_var: []
firewall__firewalld_services__host_var:
  - service: 'ssh'
    state: 'enabled'
firewall__fwbuilder_fw_file: 'example.fw'
firewall__fwbuilder_repo_url: 'git@git.example.com:fwbuilder/fwb.git'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich