FlatKey.firewalld

ansible-firewalld-role
======================

This role helps you set up and manage firewalld, a firewall management tool.

Configuration Options

  • Default zone
  • Interface for a zone
  • Source for a zone
  • Service rules (including the option to remove undefined rules)
  • Port rules
  • Rich rules

Requirements

  • Works with RHEL 7, CentOS 7, and Fedora 29 only.
  • Requires Ansible version 2.0 or higher.

Role Variables

You don’t need to use all variable blocks; only use the ones you actually need.

Default Zone

This variable sets the default zone of firewalld. Interfaces that are not listed in firewalld_zone_interfaces fall into this zone, so its rule set is what any new or unlisted interface gets:

default_zone: (optional, default: public)

Interface Assignments

These variables specify which interfaces belong to which zones:

firewalld_zone_interfaces:
  - name: (required, e.g. public)
    interfaces: (required, list of one or more interfaces)

Example:

firewalld_zone_interfaces:
  - name: trusted
    interfaces:
      - eth1
      - eth2
  - name: public
    interfaces:
      - eth0

Zone Sources

These variables bind source addresses to a zone. firewalld checks a packet's source address against zone sources before it looks at the interface the packet arrived on, so an address listed here is handled by that zone even if its interface is bound to another one. The key under firewalld_zone_source is a free-form rule name; the zone itself comes from the zone field:

firewalld_zone_source:
  name:
    zone: (required, zone name)
    source: (required, list of sources, e.g. [ 192.168.1.0/24, 10.16.16.23 ])
    state: (optional, values: enabled|disabled, default: enabled)
    permanent: (optional, values: true|false, default: true)
    immediate: (optional, values: true|false, default: true)

Service Rules

These variables enable or disable firewalld services (the predefined service definitions under /usr/lib/firewalld/services and /etc/firewalld/services) in a zone. The key is a free-form rule name; when no service field is given, the name itself is used as the service name. That is why the first example below works with a bare ssh key, while the second needs service: ssh to put the same service into two zones under two different rule names:

firewalld_service_rules:
  name:
    service: (optional, defaults to the rule name)
    state: (optional, values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, values: true|false, default: true)
    immediate: (optional, values: true|false, default: true)

Examples:

firewalld_service_rules:
  ssh:
    state: enabled
    zone: public
    permanent: true
    immediate: true

or

firewalld_service_rules:
  ssh_trusted:
    service: ssh
    state: enabled
    zone: trusted
  ssh_public:
    service: ssh
    state: enabled
    zone: public

Purging Undefined Rules

These variables control whether enabled service and port rules that are not defined in firewalld_service_rules and firewalld_port_rules are removed. With purging on, anything added by hand with firewall-cmd, or left over from an earlier version of the variables, disappears on the next run. Before enabling firewalld_purge_services, make sure the service you manage the host over (normally ssh) has an enabled rule in the zone of the management interface; otherwise the run that purges it is the last one that reaches the host.

firewalld_purge_services: (optional, values: true|false, default: false)
firewalld_purge_ports: (optional, values: true|false, default: false)
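The two sections above (service rule defaults and purging) are easy to get wrong in the one way that costs you the host. The following is an added example, not code from the role: a small lint that models the documented defaults (service defaults to the rule name, zone to public, state to enabled, permanent and immediate to true), computes which services each zone is left with, and reports whether purging would remove the management service from every zone that has an interface. The function names, the sample variables and the ssh-as-management assumption are the example's own; the dictionary keys are the role's variables. The firewall-cmd rendering assumes the Ansible firewalld module's behaviour for immediate and permanent, which the page does not spell out.

```python
"""Lint FlatKey.firewalld variables for a management lockout before running the play.

Added example, not code from the role: it models the role's documented defaults
(service defaults to the rule name, zone to public, state to enabled, permanent
and immediate to true) and reports whether firewalld_purge_services would leave
the host without the service it is managed over. All function names are the
example's own; the dictionary keys are the role's variables.
"""

MGMT_SERVICE = "ssh"  # assumption: hosts are managed over ssh

# Constructed sample variables in the shape the role reads (not the page's playbook).
SAMPLE_VARS = {
    "default_zone": "public",
    "firewalld_zone_interfaces": [
        {"name": "trusted", "interfaces": ["eth1"]},
        {"name": "public", "interfaces": ["eth0"]},
    ],
    "firewalld_service_rules": {
        "http": {},                                        # service http, zone public
        "ssh_trusted": {"service": "ssh", "zone": "trusted"},
        "ssh": {"state": "disabled", "zone": "public"},    # no ssh on the outside zone
    },
    "firewalld_purge_services": True,
}


def effective_services(role_vars):
    """Return {zone: set of services left enabled} after the role's rules are applied.

    Rules are applied in definition order, so a later rule for the same
    zone/service pair wins, as it would when the tasks run one after another.
    """
    zones = {}
    for name, rule in role_vars.get("firewalld_service_rules", {}).items():
        rule = rule or {}
        service = rule.get("service", name)      # documented default: the rule name
        zone = rule.get("zone", "public")        # documented default: public
        enabled = rule.get("state", "enabled") == "enabled"
        bucket = zones.setdefault(zone, set())
        if enabled:
            bucket.add(service)
        else:
            bucket.discard(service)
    return zones


def zones_with_interfaces(role_vars):
    """Zones that will actually carry traffic because an interface is bound to them."""
    return {
        entry["name"]
        for entry in role_vars.get("firewalld_zone_interfaces", [])
        if entry.get("interfaces")
    }


def lockout_report(role_vars, mgmt_service=MGMT_SERVICE):
    """Summarise where the management service stays reachable.

    lockout_risk is only raised when purging is on: with
    firewalld_purge_services false an ssh rule the role never mentions survives
    untouched; with it true that rule is removed on the next run.
    """
    purge = bool(role_vars.get("firewalld_purge_services", False))
    services = effective_services(role_vars)
    iface_zones = zones_with_interfaces(role_vars)
    mgmt_zones = sorted(z for z in iface_zones if mgmt_service in services.get(z, set()))
    return {
        "purge_services": purge,
        "mgmt_zones": mgmt_zones,
        "interface_zones_without_mgmt": sorted(iface_zones - set(mgmt_zones)),
        "lockout_risk": purge and not mgmt_zones,
    }


def firewall_cmd_equivalents(role_vars):
    """firewall-cmd calls with the same effect as each service rule.

    Assumption (the Ansible firewalld module's behaviour, not stated on the page):
    immediate: true changes the running configuration, permanent: true the saved
    one, and both default to true in this role, so most rules produce two calls.
    """
    commands = []
    for name, rule in role_vars.get("firewalld_service_rules", {}).items():
        rule = rule or {}
        service = rule.get("service", name)
        zone = rule.get("zone", "public")
        verb = "add" if rule.get("state", "enabled") == "enabled" else "remove"
        if rule.get("immediate", True):
            commands.append(f"firewall-cmd --zone={zone} --{verb}-service={service}")
        if rule.get("permanent", True):
            commands.append(f"firewall-cmd --permanent --zone={zone} --{verb}-service={service}")
    return commands


if __name__ == "__main__":
    for key, value in lockout_report(SAMPLE_VARS).items():
        print(f"{key}: {value}")
    print("\n".join(firewall_cmd_equivalents(SAMPLE_VARS)))
```

Run it against your own group_vars before the first play with purging enabled; a report with lockout_risk true means no interface-bearing zone keeps ssh once undefined services are purged. The check only considers service rules, so access granted purely by a rich rule (for instance from an ipset) is not counted and should be confirmed separately.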

Port Rules

These variables define rules for ports:

firewalld_port_rules:
  name:
    port: (required, port or range)
    protocol: (optional, values: tcp|udp, default: tcp)
    state: (optional, values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, values: true|false, default: true)
    immediate: (optional, values: true|false, default: true)
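A worked example for this block, added here rather than taken from the role's README (the rule names and port numbers are the example's own): a single TCP port, a UDP port, and a port range. Ranges use the same dash syntax as firewall-cmd --add-port=8000-8100/tcp, and protocol only needs to be given for anything other than tcp:

```yaml
firewalld_port_rules:
  node_exporter:           # one TCP port, only reachable from the internal zone
    port: 9100
    zone: trusted
  syslog_udp:              # protocol must be set explicitly for UDP
    port: 514
    protocol: udp
    zone: trusted
  app_backend_range:       # a range; protocol falls back to the tcp default
    port: 8000-8100
    zone: public
```

With firewalld_purge_ports enabled, any port opened by hand and not present in this map is closed on the next run, so keep this list complete rather than relying on out-of-band firewall-cmd changes.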

Rich Rules

These variables define rich rules:

firewalld_rich_rules:
  name:
    rule: (required, a full rule in firewalld rich language)
    state: (optional, values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, values: true|false, default: true)
    immediate: (optional, values: true|false, default: true)

You can also define ipsets (only the hash:ip type is supported) and reference them from rich rules with source ipset="name". ipsets created outside this variable are not managed by the role:

firewalld_ipsets:
  - name: example1
    entries:
      - 192.168.0.1
      - 192.168.0.5
  - name: example2
    entries:
      - 192.168.0.7
      - 192.168.0.11
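An added example of rich rules and ipsets working together (not from the role's README; the set name, addresses and rule names are the example's own): SSH on the public zone is restricted to an ipset of admin hosts, and a log-only rich rule records attempts from anywhere else. The zone-wide ssh service is disabled so that only the rich rule grants access. Do not pair this with a reject or drop rich rule for ssh: firewalld evaluates rich rules in the order log, then deny, then allow, so a deny rule would be hit before the accept for the ipset.

```yaml
firewalld_ipsets:
  - name: admins
    entries:
      - 192.168.0.1
      - 192.168.0.5

firewalld_service_rules:
  ssh:
    state: disabled        # no zone-wide ssh allow; the rich rule below grants it
    zone: public

firewalld_rich_rules:
  ssh_from_admins:
    rule: 'rule family="ipv4" source ipset="admins" service name="ssh" accept'
    zone: public
  ssh_not_admins_log:
    rule: 'rule family="ipv4" source not ipset="admins" service name="ssh" log prefix="ssh-not-admin " level="warning" limit value="3/m"'
    zone: public
```

After the play, firewall-cmd --info-ipset=admins shows the entries and firewall-cmd --zone=public --list-rich-rules the two rules. Because the disabled ssh entry is still a defined rule, it is safe to combine this with firewalld_purge_services: true; the kernel log lines prefixed ssh-not-admin are the feed to watch for scanning against the host.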

Handlers

These handlers are included in this role:

  • Restart firewalld

Example Playbook

- hosts: server
  become: yes
  become_user: root
  become_method: su
  roles:
    - ansible-firewalld-role
  vars:
    default_zone: public
    firewalld_zone_interfaces:
      - name: trusted
        interfaces:
          - eth1
          - eth2
      - name: public
        interfaces:
          - eth0
    firewalld_zone_source:
      trusted:
        zone: trusted
        source:
          - "192.168.1.0/24"
          - "10.0.16.12"
        state: enabled
        permanent: true
        immediate: true
    firewalld_service_rules:
      ssh:
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_port_rules:
      smtp:
        port: 25
        protocol: tcp
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_rich_rules:
      ftp_audit:
        rule: 'rule service name="ftp" audit limit value="1/m" accept'
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_ipsets:
      - name: example1
        entries:
        - 192.168.0.1
        - 192.168.0.5
      - name: example2
        entries:
        - 192.168.0.7
        - 192.168.0.11
    firewalld_purge_services: true
    firewalld_purge_ports: true

License

MIT

Installation

ansible-galaxy install FlatKey.firewalld

Installed this way the role is referenced as FlatKey.firewalld; the example playbook above uses the repository name ansible-firewalld-role, so point the roles entry at whichever name is on your roles path.