xoxys.firewalld/README.md

# xoxys.firewalld

[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.firewalld/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.firewalld)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.firewalld/src/branch/main/LICENSE)

Setup and configure host firewall with firewalld.

## Table of content

- [Requirements](#requirements)
- [Default Variables](#default-variables)
  - [firewalld_allow_zone_drifting](#firewalld_allow_zone_drifting)
  - [firewalld_default_zone](#firewalld_default_zone)
  - [firewalld_enabled](#firewalld_enabled)
  - [firewalld_ipsets](#firewalld_ipsets)
  - [firewalld_ipsets_extra](#firewalld_ipsets_extra)
  - [firewalld_services](#firewalld_services)
  - [firewalld_services_extra](#firewalld_services_extra)
  - [firewalld_zones](#firewalld_zones)
  - [firewalld_zones_extra](#firewalld_zones_extra)
  - [firewalld_zones_unmanaged](#firewalld_zones_unmanaged)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)

---

## Requirements

- Minimum Ansible version: `2.10`

## Default Variables

### firewalld_allow_zone_drifting

#### Default value

```YAML
firewalld_allow_zone_drifting: false
```

### firewalld_default_zone

#### Default value

```YAML
firewalld_default_zone: public
```

### firewalld_enabled

#### Default value

```YAML
firewalld_enabled: true
```

### firewalld_ipsets

A firewalld ipset configuration provides the information of an ip set for firewalld.

#### Default value

```YAML
firewalld_ipsets: []
```

#### Example usage

```YAML
firewalld_ipsets:
    - name: appserver
      type: "hash:net"
      short: "App Servers"
      description: "Allow http access from all appservers"
      option: {}
      entry:
        - 192.168.2.1
        - 192.168.2.2
```

### firewalld_ipsets_extra

#### Default value

```YAML
firewalld_ipsets_extra: []
```

### firewalld_services

A firewalld service can be a list of local ports and destinations and additionally also a list of firewall helper modules
automatically loaded if a service is enabled.

#### Default value

```YAML
firewalld_services: []
```

#### Example usage

```YAML
 - name: ""
   short: ""
   description: ""
   port: []
   protocol: []
   source_port: []
   module: []
   destination: {}
```

### firewalld_services_extra

#### Default value

```YAML
firewalld_services_extra: []
```

### firewalld_zones

#### Default value

```YAML
firewalld_zones:
  - name: public
    short: Public
    description: >-
      For use in public areas. You do not trust the other computers on networks
      to not harm your computer. Only selected incoming connections are accepted.
    service:
      - name: ssh
      - name: dhcpv6-client
      - name: cockpit
```

#### Example usage

```YAML
firewalld_zones:
  - name: ""
    short: ""
    description: ""
    target: ""
    interface:
      - name: ""
    source:
      - address: ""
      - mac: ""
      - ipset: ""
    service:
      - name: ""
    port:
      - { port: "", protocol: "" }
    protocol:
      - value:
    icmp-block:
      - name:
    icmp-block-inversion: true
    masquerade: true
    forward: true
    forward-port:
      - { port: "", protocol: "" }
    source-port:
      - { port: "", protocol: "" }
    rule:
      - source: { address: "", mac: "", ipset: ""}
        destination: { address: "", mac: "", ipset: ""}
        service: {name: ""}
        port: {port: "", protocol: ""}
        protocol: {value: ""}
        icmp-block:
          name: ""
        icmp-type:
          name: ""
        masquerade: true
        forward-port:
          port: ""
          protocol: ""
          to-port: ""
          to-addr: ""
        source-port:
          port: ""
          protocol: ""
        log:
          prefix: ""
          level: ""
          limit: ""
        audit:
          limit: ""
        accept:
          limit: ""
        reject:
          rejecttype: ""
          limit: ""
        drop:
          limit: ""
        mark:
          set:
          limit: ""
end
```

### firewalld_zones_extra

#### Default value

```YAML
firewalld_zones_extra: []
```

### firewalld_zones_unmanaged

#### Default value

```YAML
firewalld_zones_unmanaged: []
```

## Dependencies

None.

## License

MIT

## Author

[Robert Kaussow](https://gitea.rknet.org/xoxys)
initial commit 2022-06-13 18:47:12 +00:00			`# xoxys.firewalld`
[skip ci] automated docs update 2024-02-18 11:56:47 +00:00
			`[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.firewalld/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.firewalld)`
			`[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.firewalld/src/branch/main/LICENSE)`

			`Setup and configure host firewall with firewalld.`

			`## Table of content`

			`- [Requirements](#requirements)`
			`- [Default Variables](#default-variables)`
			`- [firewalld_allow_zone_drifting](#firewalld_allow_zone_drifting)`
			`- [firewalld_default_zone](#firewalld_default_zone)`
			`- [firewalld_enabled](#firewalld_enabled)`
			`- [firewalld_ipsets](#firewalld_ipsets)`
			`- [firewalld_ipsets_extra](#firewalld_ipsets_extra)`
			`- [firewalld_services](#firewalld_services)`
			`- [firewalld_services_extra](#firewalld_services_extra)`
			`- [firewalld_zones](#firewalld_zones)`
			`- [firewalld_zones_extra](#firewalld_zones_extra)`
			`- [firewalld_zones_unmanaged](#firewalld_zones_unmanaged)`
			`- [Dependencies](#dependencies)`
			`- [License](#license)`
			`- [Author](#author)`

			`---`

			`## Requirements`

			- Minimum Ansible version: `2.10`

			`## Default Variables`

			`### firewalld_allow_zone_drifting`

			`#### Default value`

			```YAML
			`firewalld_allow_zone_drifting: false`
			```

			`### firewalld_default_zone`

			`#### Default value`

			```YAML
			`firewalld_default_zone: public`
			```

			`### firewalld_enabled`

			`#### Default value`

			```YAML
			`firewalld_enabled: true`
			```

			`### firewalld_ipsets`

			`A firewalld ipset configuration provides the information of an ip set for firewalld.`

			`#### Default value`

			```YAML
			`firewalld_ipsets: []`
			```

			`#### Example usage`

			```YAML
			`firewalld_ipsets:`
			`- name: appserver`
			`type: "hash:net"`
			`short: "App Servers"`
			`description: "Allow http access from all appservers"`
			`option: {}`
			`entry:`
			`- 192.168.2.1`
			`- 192.168.2.2`
			```

			`### firewalld_ipsets_extra`

			`#### Default value`

			```YAML
			`firewalld_ipsets_extra: []`
			```

			`### firewalld_services`

			`A firewalld service can be a list of local ports and destinations and additionally also a list of firewall helper modules`
			`automatically loaded if a service is enabled.`

			`#### Default value`

			```YAML
			`firewalld_services: []`
			```

			`#### Example usage`

			```YAML
			`- name: ""`
			`short: ""`
			`description: ""`
			`port: []`
			`protocol: []`
			`source_port: []`
			`module: []`
			`destination: {}`
			```

			`### firewalld_services_extra`

			`#### Default value`

			```YAML
			`firewalld_services_extra: []`
			```

			`### firewalld_zones`

			`#### Default value`

			```YAML
			`firewalld_zones:`
			`- name: public`
			`short: Public`
			`description: >-`
			`For use in public areas. You do not trust the other computers on networks`
			`to not harm your computer. Only selected incoming connections are accepted.`
			`service:`
			`- name: ssh`
			`- name: dhcpv6-client`
			`- name: cockpit`
			```

			`#### Example usage`

			```YAML
			`firewalld_zones:`
			`- name: ""`
			`short: ""`
			`description: ""`
			`target: ""`
			`interface:`
			`- name: ""`
			`source:`
			`- address: ""`
			`- mac: ""`
			`- ipset: ""`
			`service:`
			`- name: ""`
			`port:`
			`- { port: "", protocol: "" }`
			`protocol:`
			`- value:`
			`icmp-block:`
			`- name:`
			`icmp-block-inversion: true`
			`masquerade: true`
			`forward: true`
			`forward-port:`
			`- { port: "", protocol: "" }`
			`source-port:`
			`- { port: "", protocol: "" }`
			`rule:`
			`- source: { address: "", mac: "", ipset: ""}`
			`destination: { address: "", mac: "", ipset: ""}`
			`service: {name: ""}`
			`port: {port: "", protocol: ""}`
			`protocol: {value: ""}`
			`icmp-block:`
			`name: ""`
			`icmp-type:`
			`name: ""`
			`masquerade: true`
			`forward-port:`
			`port: ""`
			`protocol: ""`
			`to-port: ""`
			`to-addr: ""`
			`source-port:`
			`port: ""`
			`protocol: ""`
			`log:`
			`prefix: ""`
			`level: ""`
			`limit: ""`
			`audit:`
			`limit: ""`
			`accept:`
			`limit: ""`
			`reject:`
			`rejecttype: ""`
			`limit: ""`
			`drop:`
			`limit: ""`
			`mark:`
			`set:`
			`limit: ""`
			`end`
			```

			`### firewalld_zones_extra`

			`#### Default value`

			```YAML
			`firewalld_zones_extra: []`
			```

			`### firewalld_zones_unmanaged`

			`#### Default value`

			```YAML
			`firewalld_zones_unmanaged: []`
			```

			`## Dependencies`

			`None.`

			`## License`

			`MIT`

			`## Author`

			`[Robert Kaussow](https://gitea.rknet.org/xoxys)`