shorewall

Shorewall Role

This role is used to configure a shorewall and shorewall6 firewall.

If you are on CentOS or Fedora, the firewalld service will be stopped and firewalld will be removed from the system. If you configure the shorewall_configopts or shorewall6_configopts, then shorewall and shorewall6 will be configured. Only the files in the _configopts list will be managed by shorewall.

Ansible Galaxy

Requirements

All included in ansible-base package.

Role Variables

There are a lot of variables to list out so I have opted for a working example, minus some private information. All the variables that match shorewall_group_ or shorewall6_group_ also have a corresponding shorewall_host_ and shorewall6_host with identical options. The templates are setup to put the group rules before the host rules.


shorewall:
  install: true
  service: true

shorewall6:
  install: true
  service: true

shorewall_configfiles:
  - shorewall.conf
  - params
  - interfaces
  - zones
  - hosts
  - policy
  - rules

shorewall6_configfiles:
  - shorewall6.conf
  - params
  - interfaces
  - zones
  - hosts
  - policy
  - rules

shorewall_configopts:
  ip_forwarding: "keep"
  implicit_continue: "yes"
  clampmss: "no"
  startup_enabled: "yes"

shorewall6_configopts:
  ip_forwarding: keep
  implicit_continue: yes
  clampmss: no
  startup_enabled: yes

shorewall_group_params:
  - variable:
    value:
    comment:

shorewall_group_zones:
  - name: fw
    type: firewall
    comment: the local firewall
  - name: net
    type: ipv4
  - name: trust:net
    type: ipv4
    comment: trusted hosts

shorewall_group_interfaces:
  - zone: net
    interface: $NET_IF
    options: dhcp

shorewall_group_hosts:
  - zone: trust
    hosts: $NET_IF:1.2.3.100
    comment: work isp1
  - zone: trust
    hosts: $NET_IF:2.3.4.100
    comment: work isp2
  - zone: trust
    hosts: $NET_IF:3.4.5.100
    comment: someuser
  - zone: trust
    hosts: $NET_IF:10.0.0.0/22
    comment: work internal

shorewall_group_policy:
  - source: $FW
    dest: all
    policy: ACCEPT
  - source: trust
    dest: all
    policy: CONTINUE
  - source: net
    dest: $FW
    policy: DROP
    loglevel: info
  - source: all
    dest: all
    policy: REJECT
    loglevel: info

shorewall_group_rules:
  - section: new
    action: ACCEPT
    source: all
    dest: all
    proto: icmp
    dport: 8
    sport: "-"
    origdest: "-"
    comment: allow icmp pings
  - section: new
    action: ACCEPT
    source: trust
    dest: $FW
    proto: tcp
    dport: 22
    sport: "-"
    origdest: "-"
    comment: allow ssh from trusted

shorewall6_group_zones:
  - name: fw
    type: firewall
    comment: the local firewall
  - name: net
    type: ipv6
  - name: trust:net
    type: ipv6

shorewall6_group_interfaces:
  - zone: net
    interface: $NET_IF
    options: dhcp

shorewall6_group_hosts:
  - zone: trust
    hosts: $NET_IF:[2001:db8::/64]
    comment: office network
  - zone: trust
    hosts: $NET_IF:[2001:db9::/64]
    comment: home office

shorewall6_group_policy:
  - source: $FW
    dest: all
    policy: ACCEPT
  - source: trust
    dest: all
    policy: CONTINUE
  - source: net
    dest: $FW
    policy: DROP
    loglevel: info
  - source: all
    dest: all
    policy: REJECT
    loglevel: info

shorewall6_group_rules:
  - section: new
    action: ACCEPT
    source: all
    dest: all
    proto: icmp
    dport: 8
    sport: "-"
    origdest: "-"
    comment: allow icmp pings
  - section: new
    action: ACCEPT
    source: trust
    dest: $FW
    proto: tcp
    dport: 22
    sport: "-"
    origdest: "-"
    comment: allow ssh from trusted zone to the firewall

Dependencies

None

Example Playbook

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- hosts: all
  roles:
     - neoloc.shorewall

License

See license.md

Author Information

Github

About

install and configure shorewall/shorewall6 firewalls

Install
ansible-galaxy install neoloc/ansible-role-shorewall
GitHub repository
License
Unknown
Downloads
39
Owner
Linux, Ansible, Python... Tinkering sysadmin.