add firewalld role
This commit is contained in:
parent
e7ac3d67c2
commit
994f475e11
SSH Key Fingerprint:
SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
6
ansible/roles/firewalld/defaults/main.yml
Normal file
6
ansible/roles/firewalld/defaults/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
firewalld_configure: "{{ undef(hint='You must set this variable to specify whether to enable and start firewalld') }}"
|
||||||
|
firewalld_default_zone: public
|
||||||
|
firewalld_log_denied: "off"
|
||||||
|
firewalld_firewall_backend: nftables
|
||||||
|
...
|
||||||
17
ansible/roles/firewalld/handlers/main.yml
Normal file
17
ansible/roles/firewalld/handlers/main.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
|
||||||
|
# https://github.com/systemd/systemd/issues/2830
|
||||||
|
# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
|
||||||
|
# - name: Restart firewalld
|
||||||
|
# service: name=firewalld state=restarted
|
||||||
|
- name: Stop firewalld
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
state: stopped
|
||||||
|
listen: Restart firewalld
|
||||||
|
- name: Start firewalld
|
||||||
|
service:
|
||||||
|
name: firewalld
|
||||||
|
state: started
|
||||||
|
listen: Restart firewalld
|
||||||
|
...
|
||||||
29
ansible/roles/firewalld/tasks/main.yml
Normal file
29
ansible/roles/firewalld/tasks/main.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
- name: Install firewalld
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: firewalld
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Install firewalld config
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: firewalld.conf.j2
|
||||||
|
dest: /etc/firewalld/firewalld.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- Restart firewalld
|
||||||
|
|
||||||
|
- name: Start and enable firewalld
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: firewalld
|
||||||
|
enabled: "{{ firewalld_configure }}"
|
||||||
|
state: "{{ firewalld_configure | ternary('started', 'stopped') }}"
|
||||||
|
|
||||||
|
- name: Disable default dhcpv6-client rule
|
||||||
|
ansible.posix.firewalld:
|
||||||
|
service: dhcpv6-client
|
||||||
|
state: disabled
|
||||||
|
immediate: true
|
||||||
|
when: "firewalld_configure and firewalld_disable_dhcpv6_client"
|
||||||
|
...
|
||||||
75
ansible/roles/firewalld/templates/firewalld.conf.j2
Normal file
75
ansible/roles/firewalld/templates/firewalld.conf.j2
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
# {{ ansible_managed }}
|
||||||
|
# firewalld config file
|
||||||
|
|
||||||
|
# default zone
|
||||||
|
# The default zone used if an empty zone string is used.
|
||||||
|
# Default: public
|
||||||
|
DefaultZone={{ firewalld_default_zone }}
|
||||||
|
|
||||||
|
# Clean up on exit
|
||||||
|
# If set to no or false the firewall configuration will not get cleaned up
|
||||||
|
# on exit or stop of firewalld.
|
||||||
|
# Default: yes
|
||||||
|
CleanupOnExit=yes
|
||||||
|
|
||||||
|
# Clean up kernel modules on exit
|
||||||
|
# If set to yes or true the firewall related kernel modules will be
|
||||||
|
# unloaded on exit or stop of firewalld. This might attempt to unload
|
||||||
|
# modules not originally loaded by firewalld.
|
||||||
|
# Default: no
|
||||||
|
CleanupModulesOnExit=no
|
||||||
|
|
||||||
|
# Lockdown
|
||||||
|
# If set to enabled, firewall changes with the D-Bus interface will be limited
|
||||||
|
# to applications that are listed in the lockdown whitelist.
|
||||||
|
# The lockdown whitelist file is lockdown-whitelist.xml
|
||||||
|
# Default: no
|
||||||
|
Lockdown=no
|
||||||
|
|
||||||
|
# IPv6_rpfilter
|
||||||
|
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
|
||||||
|
# packet would be sent via the same interface that the packet arrived on, the
|
||||||
|
# packet will match and be accepted, otherwise dropped.
|
||||||
|
# The rp_filter for IPv4 is controlled using sysctl.
|
||||||
|
# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
|
||||||
|
# for details.
|
||||||
|
# Default: yes
|
||||||
|
IPv6_rpfilter=yes
|
||||||
|
|
||||||
|
# IndividualCalls
|
||||||
|
# Do not use combined -restore calls, but individual calls. This increases the
|
||||||
|
# time that is needed to apply changes and to start the daemon, but is good for
|
||||||
|
# debugging.
|
||||||
|
# Default: no
|
||||||
|
IndividualCalls=no
|
||||||
|
|
||||||
|
# LogDenied
|
||||||
|
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
|
||||||
|
# and OUTPUT chains for the default rules and also final reject and drop rules
|
||||||
|
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
|
||||||
|
# Default: off
|
||||||
|
LogDenied={{ firewalld_log_denied }}
|
||||||
|
|
||||||
|
# FirewallBackend
|
||||||
|
# Selects the firewall backend implementation.
|
||||||
|
# Choices are:
|
||||||
|
# - nftables (default)
|
||||||
|
# - iptables (iptables, ip6tables, ebtables and ipset)
|
||||||
|
# Note: The iptables backend is deprecated. It will be removed in a future
|
||||||
|
# release.
|
||||||
|
FirewallBackend={{ firewalld_firewall_backend }}
|
||||||
|
|
||||||
|
# FlushAllOnReload
|
||||||
|
# Flush all runtime rules on a reload. In previous releases some runtime
|
||||||
|
# configuration was retained during a reload, namely; interface to zone
|
||||||
|
# assignment, and direct rules. This was confusing to users. To get the old
|
||||||
|
# behavior set this to "no".
|
||||||
|
# Default: yes
|
||||||
|
FlushAllOnReload=yes
|
||||||
|
|
||||||
|
# RFC3964_IPv4
|
||||||
|
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
|
||||||
|
# correspond to IPv4 addresses that should not be routed over the public
|
||||||
|
# internet.
|
||||||
|
# Defaults to "yes".
|
||||||
|
RFC3964_IPv4=yes
|
||||||
Loading…
Reference in New Issue
Block a user