From 994f475e118c7010d95daa38776e7d2e632d42d3 Mon Sep 17 00:00:00 2001 From: surtur Date: Wed, 2 Aug 2023 12:32:43 +0200 Subject: [PATCH] add firewalld role --- ansible/roles/firewalld/defaults/main.yml | 6 ++ ansible/roles/firewalld/handlers/main.yml | 17 +++++ ansible/roles/firewalld/tasks/main.yml | 29 +++++++ .../firewalld/templates/firewalld.conf.j2 | 75 +++++++++++++++++++ 4 files changed, 127 insertions(+) create mode 100644 ansible/roles/firewalld/defaults/main.yml create mode 100644 ansible/roles/firewalld/handlers/main.yml create mode 100644 ansible/roles/firewalld/tasks/main.yml create mode 100644 ansible/roles/firewalld/templates/firewalld.conf.j2 diff --git a/ansible/roles/firewalld/defaults/main.yml b/ansible/roles/firewalld/defaults/main.yml new file mode 100644 index 0000000..502afde --- /dev/null +++ b/ansible/roles/firewalld/defaults/main.yml @@ -0,0 +1,6 @@ +--- +firewalld_configure: "{{ undef(hint='You must set this variable to specify whether to enable and start firewalld') }}" +firewalld_default_zone: public +firewalld_log_denied: "off" +firewalld_firewall_backend: nftables +... diff --git a/ansible/roles/firewalld/handlers/main.yml b/ansible/roles/firewalld/handlers/main.yml new file mode 100644 index 0000000..c68e31b --- /dev/null +++ b/ansible/roles/firewalld/handlers/main.yml @@ -0,0 +1,17 @@ +--- +# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service) +# https://github.com/systemd/systemd/issues/2830 +# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856 +# - name: Restart firewalld +# service: name=firewalld state=restarted +- name: Stop firewalld + service: + name: firewalld + state: stopped + listen: Restart firewalld +- name: Start firewalld + service: + name: firewalld + state: started + listen: Restart firewalld +... diff --git a/ansible/roles/firewalld/tasks/main.yml b/ansible/roles/firewalld/tasks/main.yml new file mode 100644 index 0000000..67ee3ec --- /dev/null +++ b/ansible/roles/firewalld/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: Install firewalld + ansible.builtin.package: + name: firewalld + state: present + +- name: Install firewalld config + ansible.builtin.template: + src: firewalld.conf.j2 + dest: /etc/firewalld/firewalld.conf + owner: root + group: root + mode: 0644 + notify: + - Restart firewalld + +- name: Start and enable firewalld + ansible.builtin.service: + name: firewalld + enabled: "{{ firewalld_configure }}" + state: "{{ firewalld_configure | ternary('started', 'stopped') }}" + +- name: Disable default dhcpv6-client rule + ansible.posix.firewalld: + service: dhcpv6-client + state: disabled + immediate: true + when: "firewalld_configure and firewalld_disable_dhcpv6_client" +... diff --git a/ansible/roles/firewalld/templates/firewalld.conf.j2 b/ansible/roles/firewalld/templates/firewalld.conf.j2 new file mode 100644 index 0000000..dfa8175 --- /dev/null +++ b/ansible/roles/firewalld/templates/firewalld.conf.j2 @@ -0,0 +1,75 @@ +# {{ ansible_managed }} +# firewalld config file + +# default zone +# The default zone used if an empty zone string is used. +# Default: public +DefaultZone={{ firewalld_default_zone }} + +# Clean up on exit +# If set to no or false the firewall configuration will not get cleaned up +# on exit or stop of firewalld. +# Default: yes +CleanupOnExit=yes + +# Clean up kernel modules on exit +# If set to yes or true the firewall related kernel modules will be +# unloaded on exit or stop of firewalld. This might attempt to unload +# modules not originally loaded by firewalld. +# Default: no +CleanupModulesOnExit=no + +# Lockdown +# If set to enabled, firewall changes with the D-Bus interface will be limited +# to applications that are listed in the lockdown whitelist. +# The lockdown whitelist file is lockdown-whitelist.xml +# Default: no +Lockdown=no + +# IPv6_rpfilter +# Performs a reverse path filter test on a packet for IPv6. If a reply to the +# packet would be sent via the same interface that the packet arrived on, the +# packet will match and be accepted, otherwise dropped. +# The rp_filter for IPv4 is controlled using sysctl. +# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5) +# for details. +# Default: yes +IPv6_rpfilter=yes + +# IndividualCalls +# Do not use combined -restore calls, but individual calls. This increases the +# time that is needed to apply changes and to start the daemon, but is good for +# debugging. +# Default: no +IndividualCalls=no + +# LogDenied +# Add logging rules right before reject and drop rules in the INPUT, FORWARD +# and OUTPUT chains for the default rules and also final reject and drop rules +# in zones. Possible values are: all, unicast, broadcast, multicast and off. +# Default: off +LogDenied={{ firewalld_log_denied }} + +# FirewallBackend +# Selects the firewall backend implementation. +# Choices are: +# - nftables (default) +# - iptables (iptables, ip6tables, ebtables and ipset) +# Note: The iptables backend is deprecated. It will be removed in a future +# release. +FirewallBackend={{ firewalld_firewall_backend }} + +# FlushAllOnReload +# Flush all runtime rules on a reload. In previous releases some runtime +# configuration was retained during a reload, namely; interface to zone +# assignment, and direct rules. This was confusing to users. To get the old +# behavior set this to "no". +# Default: yes +FlushAllOnReload=yes + +# RFC3964_IPv4 +# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that +# correspond to IPv4 addresses that should not be routed over the public +# internet. +# Defaults to "yes". +RFC3964_IPv4=yes