
# xoxys.firewalld


Set up and configure the host firewall with firewalld.

## Requirements

- Minimum Ansible version: 2.10

## Default Variables

### firewalld_allow_zone_drifting

#### Default value

```yaml
firewalld_allow_zone_drifting: false
```

### firewalld_default_zone

#### Default value

```yaml
firewalld_default_zone: public
```

### firewalld_enabled

#### Default value

```yaml
firewalld_enabled: true
```

### firewalld_ipsets

A firewalld ipset configuration provides the information for an IP set used by firewalld.

#### Default value

```yaml
firewalld_ipsets: []
```

#### Example usage

```yaml
firewalld_ipsets:
  - name: appserver
    type: "hash:net"
    short: "App Servers"
    description: "Allow http access from all appservers"
    option: {}
    entry:
      - 192.168.2.1
      - 192.168.2.2
```

### firewalld_ipsets_extra

#### Default value

```yaml
firewalld_ipsets_extra: []
```

### firewalld_services

A firewalld service can be a list of local ports and destinations, and additionally a list of firewall helper modules that are loaded automatically when the service is enabled.

#### Default value

```yaml
firewalld_services: []
```

#### Example usage

```yaml
- name: ""
  short: ""
  description: ""
  port: []
  protocol: []
  source_port: []
  module: []
  destination: {}
```

### firewalld_services_extra

#### Default value

```yaml
firewalld_services_extra: []
```

### firewalld_zones

#### Default value

```yaml
firewalld_zones:
  - name: public
    short: Public
    description: >-
      For use in public areas. You do not trust the other computers on networks
      to not harm your computer. Only selected incoming connections are accepted.
    service:
      - name: ssh
      - name: dhcpv6-client
      - name: cockpit
```
#### Example usage

```yaml
firewalld_zones:
  - name: ""
    short: ""
    description: ""
    target: ""
    interface:
      - name: ""
    source:
      - address: ""
      - mac: ""
      - ipset: ""
    service:
      - name: ""
    port:
      - { port: "", protocol: "" }
    protocol:
      - value:
    icmp-block:
      - name:
    icmp-block-inversion: true
    masquerade: true
    forward: true
    forward-port:
      - { port: "", protocol: "" }
    source-port:
      - { port: "", protocol: "" }
    rule:
      - source: { address: "", mac: "", ipset: "" }
        destination: { address: "", mac: "", ipset: "" }
        service: { name: "" }
        port: { port: "", protocol: "" }
        protocol: { value: "" }
        icmp-block:
          name: ""
        icmp-type:
          name: ""
        masquerade: true
        forward-port:
          port: ""
          protocol: ""
          to-port: ""
          to-addr: ""
        source-port:
          port: ""
          protocol: ""
        log:
          prefix: ""
          level: ""
          limit: ""
        audit:
          limit: ""
        accept:
          limit: ""
        reject:
          rejecttype: ""
          limit: ""
        drop:
          limit: ""
        mark:
          set:
          limit: ""
```
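The templates above list every key but give no feel for how `firewalld_ipsets`, `firewalld_services` and `firewalld_zones` fit together. The following vars file is an added example for this README, not the role's own defaults or documentation: it defines an ipset of application servers, a custom service for a backend port, and two zones with an explicit `DROP` target, so that only the listed service is reachable from the listed sources and everything else falls through to the drop target. SSH in the public zone is accepted through a rich rule with a rate limit and a log line, which gives a defender both a brake on brute-force attempts and a log prefix to alert on. The names, addresses, port and the `1/m`/`10/m` limit strings are constructed for illustration, and the example assumes the role passes these keys through unchanged to firewalld's zone, service and ipset configuration (and that `firewalld_allow_zone_drifting` maps to firewalld's `AllowZoneDrifting` setting).

```yaml
# Added example vars file (not part of the xoxys.firewalld role itself).
# Hostnames, addresses, the port and the limit strings are constructed.

firewalld_enabled: true
firewalld_default_zone: public
# Assumed to map to AllowZoneDrifting in firewalld.conf; "false" prevents a
# packet that matches no zone from drifting into a more permissive one.
firewalld_allow_zone_drifting: false

# IP set of the hosts that are allowed to reach the backend API (constructed).
firewalld_ipsets:
  - name: appserver
    type: "hash:net"
    short: "App Servers"
    description: "Application servers allowed to reach the backend API"
    option: {}
    entry:
      - 192.168.2.0/24
      - 10.10.5.17

# Custom service: one TCP port, no helper modules, no destination restriction.
firewalld_services:
  - name: backend-api
    short: "Backend API"
    description: "Internal HTTPS API of the backend service"
    port:
      - { port: "8443", protocol: "tcp" }
    protocol: []
    source_port: []
    module: []
    destination: {}

firewalld_zones:
  # Default zone for untrusted networks. The DROP target silently discards
  # anything not explicitly accepted, so the only way in is the rich rule.
  - name: public
    short: Public
    description: "Untrusted networks; SSH only, rate-limited and logged"
    target: "DROP"
    rule:
      - service: { name: ssh }
        # Log at most one line per minute with a fixed prefix for alerting.
        log:
          prefix: "fw-ssh "
          level: "info"
          limit: "1/m"
        # Accept at most ten new SSH connections per minute; the rest hit DROP.
        accept:
          limit: "10/m"

  # Internal zone bound to the backend interface. Only sources in the
  # appserver ipset are placed in this zone, and only the custom service
  # is opened; everything else is dropped.
  - name: internal
    short: Internal
    description: "Application tier; backend API from the appserver ipset only"
    target: "DROP"
    interface:
      - name: eth1
    source:
      - ipset: appserver
    service:
      - name: backend-api
```

After applying the role, `firewall-cmd --list-all-zones` on the host should show the `public` zone with target `DROP` and the rich rule, and the `internal` zone with the `appserver` ipset as its source and `backend-api` as its only service. Keeping the plain `service: ssh` entry out of the public zone is deliberate: listing it there would accept SSH without any limit and make the rate-limited rich rule moot.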

### firewalld_zones_extra

#### Default value

```yaml
firewalld_zones_extra: []
```

### firewalld_zones_unmanaged

#### Default value

```yaml
firewalld_zones_unmanaged: []
```

## Dependencies

None.

## License

MIT

## Author

Robert Kaussow