1 | shorewall_simple
|
---|
2 | ================
|
---|
3 |
|
---|
_WARNING: This role can be dangerous to use. If an incorrectly configured firewall cuts off network connectivity to your target host, you may be unable to recover without physical access to the machine._
|
---|
7 |
|
---|
This role installs and configures Shorewall for a simple server with a single network interface (which can, of course, be a bond).
|
---|
9 |
|
---|
10 | Requirements
|
---|
11 | ------------
|
---|
12 |
|
---|
This role requires Ansible 1.4 or higher; platform requirements are listed in the metadata file.
|
---|
15 |
|
---|
16 | Role Variables
|
---|
17 | --------------
|
---|
18 |
|
---|
The variables that can be passed to this role, with a brief description of each, are listed below. They are all based on the configuration variables of Shorewall itself. Note that the default `shorewall_policies` shown below accept all traffic from `net` to `$FW` before the `all`/`all` DROP policy is reached, so the default `shorewall_rules` entry for port 22 is not what limits inbound access; to obtain a restrictive firewall, override `shorewall_policies` as in example 2.
|
---|
22 |
|
---|
23 | shorewall_enabled: "Yes"
|
---|
24 | shorewall_startup: 1
|
---|
25 | shorewall_wait_interface: "eth0"
|
---|
26 | shorewall_options: ""
|
---|
27 | shorewall_startoptions: ""
|
---|
28 | shorewall_restartoptions: ""
|
---|
29 | shorewall_initlog: "/var/log/shorewall_init.log"
|
---|
30 | shorewall_safestop: 0
|
---|
31 |
|
---|
32 | shorewall_zones:
|
---|
33 | - zone: "fw"
|
---|
34 | type: "firewall"
|
---|
35 | - zone: "net"
|
---|
36 | type: "ipv4"
|
---|
37 | options="-"
|
---|
38 | options_in="strict"
|
---|
39 | options_out="-"
|
---|
40 |
|
---|
41 | shorewall_interfaces:
|
---|
42 | - interface: "eth0"
|
---|
43 | zone: "net"
|
---|
44 | broadcast: "detect"
|
---|
45 | options: "dhcp,tcpflags,nosmurfs,logmartians"
|
---|
46 |
|
---|
47 | shorewall_policies:
|
---|
48 | - source: "$FW"
|
---|
49 | destination: "net"
|
---|
50 | policy: "ACCEPT"
|
---|
51 | - source: "net"
|
---|
52 | destination: "$FW"
|
---|
53 | policy: "ACCEPT"
|
---|
54 | - source: "all"
|
---|
55 | destination: "all"
|
---|
56 | policy: "DROP"
|
---|
57 | log_level: "info"
|
---|
58 | burst_limit: "10/second:100"
|
---|
59 |
|
---|
60 | shorewall_rules:
|
---|
61 | - section: "NEW"
|
---|
62 | rules:
|
---|
63 | - action: "ACCEPT"
|
---|
64 | source: "net"
|
---|
65 | destination: "$FW"
|
---|
66 | protocol: "tcp"
|
---|
67 | destination_port: 22
|
---|
68 | source_port: "-"
|
---|
69 | original_destination: "-"
|
---|
70 | rate_limit: "-"
|
---|
71 | user_group: "-"
|
---|
72 | mark: "-"
|
---|
73 | connection_limit: "-"
|
---|
74 | time: "-"
|
---|
75 | headers: "-"
|
---|
76 | switch: "-"
|
---|
77 |
|
---|
78 | Examples
|
---|
79 | ========
|
---|
80 |
|
---|
1) Example allowing all traffic in and out (with an `all`/`all` ACCEPT policy no traffic is filtered)
|
---|
82 |
|
---|
83 | - hosts: all
|
---|
84 | - roles:
|
---|
85 | - role: shorewall_simple
|
---|
86 | shorewall_enabled: "Yes"
|
---|
87 | shorewall_zones:
|
---|
88 | - zone: "fw"
|
---|
89 | type: "firewall"
|
---|
90 | - zone: "net"
|
---|
91 | type: "ipv4"
|
---|
92 | shorewall_interfaces:
|
---|
93 | - interface: "eth0"
|
---|
94 | zone: "net"
|
---|
95 | broadcast: "detect"
|
---|
96 | options: "dhcp,tcpflags,nosmurfs,logmartians"
|
---|
97 | shorewall_policies:
|
---|
98 | - source: "all"
|
---|
99 | destination: "all"
|
---|
100 | policy: "ACCEPT"
|
---|
101 |
|
---|
2) Example allowing all outgoing traffic, blocking and logging incoming traffic, but allowing incoming SSH traffic and accepting Ping
|
---|
104 |
|
---|
105 | - hosts: all
|
---|
106 | - roles:
|
---|
107 | - role: shorewall_simple
|
---|
108 | shorewall_enabled: "Yes"
|
---|
109 | shorewall_zones:
|
---|
110 | - zone: "fw"
|
---|
111 | type: "firewall"
|
---|
112 | - zone: "net"
|
---|
113 | type: "ipv4"
|
---|
114 | shorewall_interfaces:
|
---|
115 | - interface: "eth0"
|
---|
116 | zone: "net"
|
---|
117 | broadcast: "detect"
|
---|
118 | options: "dhcp,tcpflags,nosmurfs,logmartians"
|
---|
119 | shorewall_policies:
|
---|
120 | - source: "$FW"
|
---|
121 | destination: "net"
|
---|
122 | policy: "ACCEPT"
|
---|
123 | - source: "net"
|
---|
124 | destination: "$FW"
|
---|
125 | policy: "DROP"
|
---|
126 | log_level: "info"
|
---|
127 | - source: "all"
|
---|
128 | destination: "all"
|
---|
129 | policy: "DROP"
|
---|
130 | shorewall_rules:
|
---|
131 | - section: "NEW"
|
---|
132 | rules:
|
---|
133 | - action: "Ping/ACCEPT"
|
---|
134 | source: "net"
|
---|
135 | destination: "$FW"
|
---|
136 | - action: "ACCEPT"
|
---|
137 | source: "net"
|
---|
138 | destination: "$FW"
|
---|
139 | protocol: "tcp"
|
---|
140 | destination_port: 22
|
---|
141 |
|
---|
142 | Dependencies
|
---|
143 | ------------
|
---|
144 |
|
---|
145 | All systems:
|
---|
146 | - iptables
|
---|
147 |
|
---|
148 | Red Hat based distributions:
|
---|
149 | - EPEL
|
---|
150 |
|
---|
151 | License
|
---|
152 | -------
|
---|
153 |
|
---|
154 | BSD
|
---|
155 |
|
---|
156 | Author Information
|
---|
157 | ------------------
|
---|
158 |
|
---|
159 | Philippe Dellaert