ISTI-ansible-roles
/
ansible-role-linux-firewall
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ansible-role-linux-firewall/README.md

73 lines
2.2 KiB
Markdown
Raw Blame History

Role Name
=========
A role that configures firewall rules on a Linux system
Role Variables
--------------
The most important variables are listed below:
``` yaml
# Base iptables rules, they use netfilter-persistent
iptables:
tcp_rules: True
tcp:
- { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
udp_rules: True
udp:
- { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
- '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
nagios_enabled: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True
#
# Firewalld (CentOS only)
#
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True
firewalld_rules:
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
# We execute direct rules as they are written
# firewalld_direct_rules:
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
# - { interface: 'eth1', zone: 'internal' }
```
Dependencies
------------
None
License
-------
EUPL-1.2
Author Information
------------------
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>
View Git Blame Copy Permalink