firewall

Firewall

Galaxy Build Status

This role will install and configure the firewall. It supports iptables, firewalld, and pf.

For Ubuntu and RHEL/CentOS 6, an iptables template is copied and the iptables service is invoked. For RHEL/CentOS 7 or later, the firewalld module is used to configure the firewall.

For macOS, a pf.conf template is used. The application firewall can be disabled or enabled. If enabled, stealth mode will be disabled since the pf.conf template manages the same rules set my stealth mode.

firewalld rules are currently additive and will not "clean up" the firewall on a running system.

Dependencies

  • ansible.posix collection

Role Variables

These variables apply to all firewall types:

Name Default Value Description
firewall_strict false Set default policy to DROP and restrict types of ICMP traffic
firewall_default_drop false Set default policy to DROP
firewall_allow_icmp true Allow all ICMP traffic. Has no affect if firewall_strict is True
firewall_allowed_tcp_ports ['22'] List of allowed TCP ports
firewall_allowed_udp_ports ['161'] List of allowed UDP ports
firewall_rich_rules [] Specify a source IP and destination port instead of opening the port globally. Optionally allow it only if it is new. With iptables, this adds rules to the iptables config file. With firewalld, this creates rich rules to the specified zone.
firewall_custom_pf_rules [] Rules insterted verbatim for pf at the end of all other filter rules. Make sure the syntax is correct.
firewall_nat_rules [] List of ports and their protocols to NAT. With iptables, add prerouting rules to the NAT table. With firewalld, adds rich rules to the specified zone.

firewalld specific variables:

Name Default Value Description
firewall_firewalld_rules [] List of rules to pass to the firewalld module. Each module argument is optional.

iptables specific variables:

Name Default Value Description
firewall_custom_iptables_rules [] Rules inserted verbatim for iptables. Make sure the syntax is correct.

macOS (pf) and application firewall specific variables. The custom rules are inserted in the appropciate section in the pf.conf template. The syntax must be correct or valiadtion will fail. See the man page of pf.conf for details.:

Name Default Value Description
firewall_alf_global_state on State of the macOS application firewall.
firewall_custom_pf_macros [] Custom pf macros.
firewall_custom_pf_table_rules [] Custom pf table rules.
firewall_custom_pf_options [] Custom pf options.
firewall_custom_pf_normalization_rules [] Custom pf normalation rules.
firewall_custom_pf_queuing_rules [] Custom pf queuing rules.
firewall_custom_pf_filter_rules [] Custom pf filter rules.

Examples:

firewall_nat_rules
  - protocol: tcp
    original_port: 4022
    translated_port: 22

firewall_rich_rules:
  - source: '10.0.1.17'
    protocol: 'tcp'
    dest_port: 22
    new: true

  - source: '192.168.0.0/24'
    protocol: 'tcp'
    dest_port: 22

firewall_custom_iptables_rules:
  - 'custom rule one'
  - 'custom rule two'

firewall_firewalld_rules:
  - port: 4444
    protocol: tcp

  - service: ceph
    timeout: 99

firewall_custom_pf_rules:
  -

Example Playbooks

Restricts ICMP traffic, sets the default policy to DROP, passes in TCP and UDP ports to open:

- hosts: all
  roles:
    - role: sdoran.firewall
      vars:
        firewall_strict: true
        firewall_allowed_tcp_ports:
          - 22
          - 80
          - 443
        firewall_allowed_udp_ports:
          - 123
          - 67

Use advanced rules to restrict access to services based on IP on subnet:

- hosts: all
  vars:
    firewall_rich_rules:
      - source: 192.168.40.64/29
        protocol: 'tcp'
        dest_port: '22'

      - source: 192.168.41.0/24
        protocol: 'tcp'
        dest_port: '443'

  roles:
    - sdoran.firewall

NAT port to a service not running as root on a port <1024:

- hosts: all
  vars:
    firewall_nat_rules:
      - protocol: tcp
        original_port: 514
        translated_port: 5599

Use a custom port for SSH and block the default port.

- hosts: all
  vars:
    firewall_allowed_tcp_ports: []
    firewall_nat_rules:
      - protocol: tcp
        original_part: 2022
        translated_port: 22

License

Apache 2.0

About

Install and configure the firewall on Linux and macOS

Install
ansible-galaxy install samdoran/ansible-role-firewall
GitHub repository
License
Unknown
Downloads
53
Owner
Former Ansible Core Maintainer. Pythonista.