dubzland.shorewall

Dubzland: Shorewall


This project sets up and configures the Shorewall firewall.

Requirements

You need Ansible version 2.0 or higher, and the netaddr Python package.

Role Variables

Here are the variables you can set, along with their default values (check defaults/main.yml for more details):

dubzland_shorewall_conf

dubzland_shorewall_conf:
  startup_enabled: "Yes"
  verbosity: 1
  log_level: '"info"'
  log_martians: "Yes"
  log_verbosity: 2
  log_zone: Both
  logfile: /var/log/shorewall
  logformat: '"%s(%d) %s "'

These options will be included in /etc/shorewall/shorewall.conf. You can use either upper- or lower-case for option names (they will be saved in uppercase). More information is available in the shorewall.conf manual.

dubzland_shorewall_params

dubzland_shorewall_params: []

This is a list of key-value pairs to be written to /etc/shorewall/params. For more details, see the params manual.

dubzland_shorewall_zones

dubzland_shorewall_zones:
  - name: fw
    type: firewall
  - name: net
    type: ipv4
  - name: lan
    type: ipv4

These zones will be listed in /etc/shorewall/zones. More details can be found in the zones manual.

dubzland_shorewall_interfaces

dubzland_shorewall_interfaces:
  - name: eth0
    zone: net
    options:
      - tcpflags
      - nosmurfs
      - routefilter
      - "sourceroute=0"
  - name: eth1
    zone: lan
    options:
      - tcpflags
      - nosmurfs
      - routefilter

List of interfaces that Shorewall will configure in /etc/shorewall/interfaces. More info can be found in the interfaces manual.

dubzland_shorewall_hosts

dubzland_shorewall_hosts: []

Host and network entries to be written to /etc/shorewall/hosts, used when a zone is defined by particular hosts or subnets reachable through an interface rather than by the whole interface. See the hosts manual for details.

dubzland_shorewall_policies

dubzland_shorewall_policies:
  - source: "$FW"
    dest: all
    policy: ACCEPT
  - source: net
    dest: all
    policy: REJECT
  - source: all
    dest: all
    policy: REJECT
    log_level: info

Default policies, written to /etc/shorewall/policy, that tell Shorewall how to handle traffic between zones when no rule matches. More details are available in the policy manual.

dubzland_shorewall_snat

dubzland_shorewall_snat:
  - action: MASQUERADE
    dest: eth0

This writes /etc/shorewall/snat. Masquerading rewrites the source address of traffic leaving through the given interface to the firewall's own address, which is what lets LAN clients with private addresses reach the Internet. More info can be found in the snat manual.

dubzland_shorewall_rules

dubzland_shorewall_rules:
  - section: NEW
    rulesets:
      - comment: PINGS
        rules:
          - action: Ping(ACCEPT)
            source: all
            dest: all
      - comment: Web traffic
        rules:
          - action: Web(ACCEPT)
            source: $FW,lan
            dest: net

This configures the rules written to /etc/shorewall/rules. Rules are matched before the zone policies apply, so this is where exceptions to the policies (such as allowing specific services) are expressed. More information is in the rules manual.

Dependencies

None.

Example Playbook

Here’s an example for a machine with two network interfaces (eth0 connected to the Internet, eth1 connected to the LAN):

- hosts: firewall
  become: yes
  roles:
    - role: dubzland-shorewall
      vars:
        dubzland_shorewall_zones:
          - name: fw
            type: firewall
          - name: net
            type: ipv4
          - name: lan
            type: ipv4
        dubzland_shorewall_interfaces:
          - name: eth0
            zone: net
            options:
              - tcpflags
              - nosmurfs
              - routefilter
              - "sourceroute=0"
          - name: eth1
            zone: lan
            options:
              - tcpflags
              - nosmurfs
              - routefilter
        dubzland_shorewall_policies:
          - source: "$FW"
            dest: all
            policy: ACCEPT
          - source: net
            dest: all
            policy: REJECT
          - source: all
            dest: all
            policy: REJECT
            log_level: info
        dubzland_shorewall_snat:
          - action: MASQUERADE
            dest: eth0
        dubzland_shorewall_rules:
          - section: NEW
            rulesets:
              - comment: Pings
                rules:
                  - action: Ping(ACCEPT)
                    source: all
                    dest: all
              - comment: Web Surfing
                rules:
                  - action: Web(ACCEPT)
                    source: lan
                    dest: net
                  - action: ACCEPT
                    source: lan
                    dest: net
                    proto: udp
                    dest_ports:
                      - 80
                      - 443

This setup allows everyone to ping the firewall, and clients on the LAN can ping external hosts. All LAN clients can also browse the web.
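A typo in a zone name or a missing catch-all policy in these variables is normally only discovered when `shorewall check` fails on the firewall host. The following is an added example, not code from the dubzland.shorewall role: a small linter that walks the variable structures documented above (zones, interfaces, policies, rules) on the control node before Ansible renders them. The sample data is the Example Playbook's own variables, embedded as a constructed dictionary; the check names, the accepted subset of Shorewall's SOURCE/DEST syntax (`$FW`, `all`, `-`, comma lists, `zone:host` qualifiers) and the list of rule section names are assumptions made for this example.

```python
"""Lint dubzland.shorewall role variables before deployment (added example)."""

# Rule section names this linter accepts (assumed set for the example).
RULE_SECTIONS = {"ALL", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED", "NEW"}

# Constructed sample: the variables from the Example Playbook in this README.
SAMPLE_VARS = {
    "dubzland_shorewall_zones": [
        {"name": "fw", "type": "firewall"},
        {"name": "net", "type": "ipv4"},
        {"name": "lan", "type": "ipv4"},
    ],
    "dubzland_shorewall_interfaces": [
        {"name": "eth0", "zone": "net", "options": ["tcpflags", "nosmurfs", "routefilter", "sourceroute=0"]},
        {"name": "eth1", "zone": "lan", "options": ["tcpflags", "nosmurfs", "routefilter"]},
    ],
    "dubzland_shorewall_policies": [
        {"source": "$FW", "dest": "all", "policy": "ACCEPT"},
        {"source": "net", "dest": "all", "policy": "REJECT"},
        {"source": "all", "dest": "all", "policy": "REJECT", "log_level": "info"},
    ],
    "dubzland_shorewall_rules": [
        {"section": "NEW", "rulesets": [
            {"comment": "Pings", "rules": [
                {"action": "Ping(ACCEPT)", "source": "all", "dest": "all"}]},
            {"comment": "Web Surfing", "rules": [
                {"action": "Web(ACCEPT)", "source": "lan", "dest": "net"},
                {"action": "ACCEPT", "source": "lan", "dest": "net",
                 "proto": "udp", "dest_ports": [80, 443]}]},
        ]},
    ],
}


def zone_refs(field):
    """Zone names referenced by a SOURCE/DEST value.

    Handles comma lists ('$FW,lan') and host qualifiers ('net:192.0.2.0/24').
    'all' and '-' match every zone and are not returned.
    """
    refs = []
    for part in str(field).split(","):
        zone = part.strip().split(":", 1)[0]
        if zone and zone not in ("all", "-"):
            refs.append(zone)
    return refs


def valid_port_spec(spec):
    """True for a single port or a low:high range within 1..65535."""
    try:
        ends = [int(x) for x in str(spec).split(":")]
    except ValueError:
        return False
    return 1 <= len(ends) <= 2 and all(1 <= e <= 65535 for e in ends) and ends == sorted(ends)


def check_shorewall_vars(v):
    """Return a list of problems; an empty list means the variables look consistent."""
    problems = []
    zones = v.get("dubzland_shorewall_zones", [])
    names = [z["name"] for z in zones]
    fw_zones = [z["name"] for z in zones if z.get("type") == "firewall"]
    if len(fw_zones) != 1:
        problems.append(f"expected exactly one zone of type firewall, found {fw_zones}")
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        problems.append(f"duplicate zone names: {dupes}")
    # '$FW' is only meaningful once a firewall zone exists.
    known = set(names) | ({"$FW"} if fw_zones else set())

    for iface in v.get("dubzland_shorewall_interfaces", []):
        z = iface.get("zone")
        if z not in names:
            problems.append(f"interface {iface.get('name')}: unknown zone {z!r}")
        elif z in fw_zones:
            problems.append(f"interface {iface.get('name')}: bound to firewall zone {z!r}")

    policies = v.get("dubzland_shorewall_policies", [])
    for p in policies:
        label = f"policy {p.get('source')}->{p.get('dest')}"
        for field in ("source", "dest"):
            for ref in zone_refs(p.get(field, "")):
                if ref not in known:
                    problems.append(f"{label}: unknown zone {ref!r} in {field}")
        # An ACCEPT policy from anywhere but the firewall itself bypasses the rules file.
        if p.get("policy") == "ACCEPT" and p.get("source") not in {"$FW", *fw_zones}:
            problems.append(f"{label}: ACCEPT from a non-firewall source, confirm intended")
    if not policies or policies[-1].get("source") != "all" or policies[-1].get("dest") != "all":
        problems.append("last policy should be a catch-all 'all -> all' entry")

    for section in v.get("dubzland_shorewall_rules", []):
        if section.get("section") not in RULE_SECTIONS:
            problems.append(f"unknown rules section {section.get('section')!r}")
        for ruleset in section.get("rulesets", []):
            for r in ruleset.get("rules", []):
                label = f"rule {r.get('action')} {r.get('source')}->{r.get('dest')}"
                for field in ("source", "dest"):
                    for ref in zone_refs(r.get(field, "")):
                        if ref not in known:
                            problems.append(f"{label}: unknown zone {ref!r} in {field}")
                for port in r.get("dest_ports", []):
                    if not valid_port_spec(port):
                        problems.append(f"{label}: bad port {port!r}")
                if r.get("dest_ports") and not r.get("proto"):
                    problems.append(f"{label}: dest_ports given without proto")
    return problems


if __name__ == "__main__":
    issues = check_shorewall_vars(SAMPLE_VARS)
    print("OK" if not issues else "\n".join(issues))
```

Running the linter on the playbook's variables reports nothing; changing the `eth1` zone to `lna`, or deleting the final `all -> all` policy, produces a message naming the offending entry. The ACCEPT-policy warning is deliberately conservative: a permissive policy from any non-firewall zone is worth a second look because it short-circuits the rules file for that zone pair.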

License

MIT

Author

Project information

Shorewall for Debian

Install
ansible-galaxy install dubzland.shorewall
License
mit
Downloads
74
Owner
A lone greybeard