firewall

Firewall

This role will install and configure the firewall. It supports iptables, firewalld, and pf.

For Ubuntu and RHEL/CentOS 6, an iptables template is copied and the iptables service is invoked. For RHEL/CentOS 7 or later, the firewalld module is used to configure the firewall.

For macOS, a pf.conf template is used. The application firewall can be disabled or enabled. If enabled, stealth mode will be disabled since the pf.conf template manages the same rules set my stealth mode.

firewalld rules are currently additive and will not "clean up" the firewall on a running system.

Dependencies

ansible.posix collection

Role Variables

These variables apply to all firewall types:

Name	Default Value	Description
`firewall_strict`	`false`	Set default policy to `DROP` and restrict types of ICMP traffic
`firewall_default_drop`	`false`	Set default policy to `DROP`
`firewall_allow_icmp`	`true`	Allow all ICMP traffic. Has no affect if `firewall_strict` is `True`
`firewall_allowed_tcp_ports`	`['22']`	List of allowed TCP ports
`firewall_allowed_udp_ports`	`['161']`	List of allowed UDP ports
`firewall_rich_rules`	`[]`	Specify a source IP and destination port instead of opening the port globally. Optionally allow it only if it is new. With `iptables`, this adds rules to the `iptables` config file. With `firewalld`, this creates rich rules to the specified zone.
`firewall_custom_pf_rules`	`[]`	Rules insterted verbatim for `pf` at the end of all other filter rules. Make sure the syntax is correct.
`firewall_nat_rules`	`[]`	List of ports and their protocols to NAT. With `iptables`, add prerouting rules to the `NAT` table. With `firewalld`, adds rich rules to the specified zone.

firewalld specific variables:

Name	Default Value	Description
`firewall_firewalld_rules`	`[]`	List of rules to pass to the `firewalld` module. Each module argument is optional.

iptables specific variables:

Name	Default Value	Description
`firewall_custom_iptables_rules`	`[]`	Rules inserted verbatim for `iptables`. Make sure the syntax is correct.

macOS (pf) and application firewall specific variables. The custom rules are inserted in the appropciate section in the pf.conf template. The syntax must be correct or valiadtion will fail. See the man page of pf.conf for details.:

Name	Default Value	Description
`firewall_alf_global_state`	`on`	State of the macOS application firewall.
`firewall_custom_pf_macros`	`[]`	Custom `pf` macros.
`firewall_custom_pf_table_rules`	`[]`	Custom `pf` table rules.
`firewall_custom_pf_options`	`[]`	Custom `pf` options.
`firewall_custom_pf_normalization_rules`	`[]`	Custom `pf` normalation rules.
`firewall_custom_pf_queuing_rules`	`[]`	Custom `pf` queuing rules.
`firewall_custom_pf_filter_rules`	`[]`	Custom `pf` filter rules.

Examples:

firewall_nat_rules
  - protocol: tcp
    original_port: 4022
    translated_port: 22

firewall_rich_rules:
  - source: '10.0.1.17'
    protocol: 'tcp'
    dest_port: 22
    new: true

  - source: '192.168.0.0/24'
    protocol: 'tcp'
    dest_port: 22

firewall_custom_iptables_rules:
  - 'custom rule one'
  - 'custom rule two'

firewall_firewalld_rules:
  - port: 4444
    protocol: tcp

  - service: ceph
    timeout: 99

firewall_custom_pf_rules:
  -

Example Playbooks

Restricts ICMP traffic, sets the default policy to DROP, passes in TCP and UDP ports to open:

- hosts: all
  roles:
    - role: sdoran.firewall
      vars:
        firewall_strict: true
        firewall_allowed_tcp_ports:
          - 22
          - 80
          - 443
        firewall_allowed_udp_ports:
          - 123
          - 67

Use advanced rules to restrict access to services based on IP on subnet:

- hosts: all
  vars:
    firewall_rich_rules:
      - source: 192.168.40.64/29
        protocol: 'tcp'
        dest_port: '22'

      - source: 192.168.41.0/24
        protocol: 'tcp'
        dest_port: '443'

  roles:
    - sdoran.firewall

NAT port to a service not running as root on a port <1024:

- hosts: all
  vars:
    firewall_nat_rules:
      - protocol: tcp
        original_port: 514
        translated_port: 5599

Use a custom port for SSH and block the default port.

- hosts: all
  vars:
    firewall_allowed_tcp_ports: []
    firewall_nat_rules:
      - protocol: tcp
        original_part: 2022
        translated_port: 22

License

Apache 2.0

About

Install and configure the firewall on Linux and macOS

role bpf firewall firewalld iptables linux macos system

Install

ansible-galaxy install samdoran/ansible-role-firewall

GitHub repository

7 stars

8 forks

1 open issues

License

Unknown

Downloads

Owner

Sam Doran

Former Ansible Core Maintainer. Pythonista.