Ansible role which installs and configures Shorewall and Shorewall6.

## Installation

```bash
ansible-galaxy install arillso.shorewall
```

## Requirements

Ansible version 2.0 or better.
## Handlers

| Name | Description |
|---|---|
| enable shorewall, enable shorewall6 | Enables and starts Shorewall / Shorewall6 |
| restart shorewall, restart shorewall6 | Restarts Shorewall / Shorewall6 |
## Role Variables

Note: The Shorewall (IPv4) variables are prefixed by `shorewall_`, whereas the Shorewall6 (IPv6) variables are prefixed by `shorewall6_`.
| Variable | Dictionary / Options |
|---|---|
| shorewall_package_state | "present", "latest", "absent". |
| shorewall_startup | "1" or "0" |
| shorewall_conf | this variable uses standard option / value pairs |
| shorewall_interfaces | zone, interface, options |
| shorewall_zones | zone, type, options, options_in, options_out |
| shorewall_policies | source, dest, policy, log_level, burst_limit, conn_limit |
| shorewall_rules | sections: section, rules: rule. For each rule: action, source, dest, proto, dest_port, source_port, original_dest, rate_limit, user_group, mark, connlimit, time, headers, switch, helper, when |
| shorewall_masq | interface, source, address, proto, ports, ipsec, mark, user, switch, original_dest |
| shorewall_tunnels | type, zone, gateway, gateway_zone |
| shorewall_hosts | zone, hosts, options |
| shorewall_params | name, value |
### shorewall_package_state

See the Ansible package module information for more details. It allows you to control whether Shorewall and its dependencies should be installed ("present"), installed / upgraded to their most recent version ("latest") or removed ("absent").

### shorewall_startup

This updates the startup option in the /etc/default/shorewall file to either enable ("1") startup (using the service or systemctl commands) or disable it ("0").

### shorewall_conf

Specify values for global Shorewall options in the /etc/shorewall/shorewall.conf file. See the Shorewall shorewall.conf man page for more details.

Each shorewall.conf option may be written in lower-case; for example, ACCEPT_DEFAULT=none can be written as accept_default: "none" in the variables.
```yaml
shorewall_conf:
  verbosity: "1"
  log_verbosity: "2"
  logfile: "/var/log/messages"
  blacklist: "\"NEW,INVALID,UNTRACKED\""
  blacklist_disposition: "DROP"
```

### shorewall_interfaces

Define the interfaces on the system and optionally associate them with zones in the /etc/shorewall/interfaces file. See the Shorewall interfaces man page for more details.
```yaml
shorewall_interfaces:
  - { zone: net, interface: eth0, options: "dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0" }
```

### shorewall_zones

Declare Shorewall zones in the /etc/shorewall/zones file. See the Shorewall zones man page for more details.
```yaml
shorewall_zones:
  - { zone: fw, type: firewall }
  - { zone: net, type: ipv4 }
```

### shorewall_policies

Define high-level policies for connections between zones in the /etc/shorewall/policies file. See the Shorewall policy man page for more details.
```yaml
shorewall_policies:
  - { source: "$FW", dest: all, policy: ACCEPT }
  - { source: net, dest: all, policy: REJECT }
  - { source: all, dest: all, policy: REJECT, log_level: info }
```

### shorewall_rules

Specify exceptions to policies, including DNAT and REDIRECT, in the /etc/shorewall/rules file. See the Shorewall rules man page for more details.
WARNING: Please be sure to include a rule for SSH on the correct port, to avoid locking Ansible - and yourself - out from the remote host.
An option specific to this role variable, and not part of Shorewall, is the `when` conditional. It causes a rule to be included only if the condition evaluates to True.
```yaml
shorewall_rules:
  - section: NEW
    rules:
      - { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
      - { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
      - { action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
```

Using the `when` conditional:
```yaml
has_webserver: True
# And in a task:
#- name: Disable webserver rule
#  set_fact:
#    has_webserver: False
shorewall_rules:
  - section: NEW
    rules:
      - { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
      - { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
      - { action: "HTTP(ACCEPT)", source: net, dest: "$FW", when: "{{ has_webserver }}" }
```
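The following Python script is an added example, not the role's own template or code. It mirrors what the role is described as doing when it generates the rules file (dropping rules whose role-specific `when` is false, and writing the `?SECTION` prefix only on Shorewall 4.6 or newer, as the changelog notes) and adds a pre-flight guard against the lockout the warning above describes: it refuses to render a rule set with no SSH ACCEPT from `net` into `$FW`. The column order, the `parse_version` helper and the sample rule set are assumptions constructed for this example.

```python
# Illustrative renderer for /etc/shorewall/rules from role-style rule dicts (an
# added example, not the role's template): it skips rules whose role-specific
# `when` is false, emits the ?SECTION prefix only on Shorewall >= 4.6 and
# refuses to render a rule set without an SSH ACCEPT into $FW (lockout guard).

# Column order of the Shorewall rules file; keys follow the role's rule dict.
COLUMNS = ["action", "source", "dest", "proto", "dest_port", "source_port",
           "original_dest", "rate_limit", "user_group", "mark", "connlimit",
           "time", "headers", "switch", "helper"]

def parse_version(text):
    """'4.5.21' -> (4, 5, 21); compared against (4, 6) for the prefix."""
    return tuple(int(p) for p in text.split(".")[:3])

def has_ssh_rule(sections):
    """True if some active rule ACCEPTs tcp/ssh from net to $FW."""
    for sec in sections:
        for r in sec.get("rules", []):
            if (r.get("when", True) and r.get("action") == "ACCEPT"
                    and r.get("source") == "net" and r.get("dest") == "$FW"
                    and r.get("proto") == "tcp"
                    and str(r.get("dest_port")) in ("ssh", "22")):
                return True
    return False

def render_rules(sections, shorewall_version):
    """Return the rules file text, or raise if SSH would be locked out."""
    if not has_ssh_rule(sections):
        raise ValueError("no ACCEPT rule for SSH from net to $FW; refusing")
    prefix = "?" if parse_version(shorewall_version) >= (4, 6) else ""
    lines = []
    for sec in sections:
        lines.append(f"{prefix}SECTION {sec['section']}")
        for r in sec.get("rules", []):
            if not r.get("when", True):  # role-specific conditional
                continue
            cells = [str(r.get(c, "-")) for c in COLUMNS]
            while len(cells) > 3 and cells[-1] == "-":  # drop trailing '-'
                cells.pop()
            lines.append("\t".join(cells))
    return "\n".join(lines) + "\n"

# Constructed sample mirroring the README's rules examples.
SAMPLE = [{"section": "NEW", "rules": [
    {"action": "Invalid(DROP)", "source": "net", "dest": "$FW", "proto": "tcp"},
    {"action": "ACCEPT", "source": "net", "dest": "$FW", "proto": "tcp",
     "dest_port": "ssh"},
    {"action": "HTTP(ACCEPT)", "source": "net", "dest": "$FW", "when": False},
]}]

if __name__ == "__main__":
    print(render_rules(SAMPLE, "5.2.3"))
```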
### shorewall_masq

Define Masquerade/SNAT in the /etc/shorewall/masq file. See the Shorewall masq man page for more details.
### shorewall_tunnels

Define VPN connections with endpoints on the firewall in the /etc/shorewall/tunnels file. See the Shorewall tunnels man page for more details.

```yaml
shorewall_tunnels:
  - { type: ipsec, zone: net, gateway: "0.0.0.0/0", gateway_zones: "vpn1,vpn2" }
```

### shorewall_hosts

Define multiple zones accessed through a single interface in the /etc/shorewall/hosts file. See the Shorewall hosts man page for more details.
### shorewall_params

Assign any shell variables that you need in the /etc/shorewall/params file. See the Shorewall params man page for more details.
## Example Playbook

```yaml
- hosts: all
  roles:
    - arillso.shorewall
```

## Changelog

- Sort shorewall.conf items to ensure idempotence between runs (thanks to S. Veyrié)
- rename role name
- add support for docker
- add tags support
- Added: `shorewall_rules` has an added option `when` for each rule, which acts similar to Ansible's `when` statement and allows rules to be conditional.
- Added: role variable `shorewall_tunnels` for use with VPNs.
- Changed: The generated `shorewall_rules` will now take into account the `?` prefix in sections (i.e. `?ESTABLISHED`), which was introduced in Shorewall version 4.6. If the Shorewall version installed is older than 4.6, this prefix will be omitted to avoid errors.
- Added: `ipset` as a package dependency.
- Added: role variable `shorewall_conf`, allowing each option in the shorewall.conf file to be defined.
- Added: role variable `shorewall_package_state` to set the package state of Shorewall and its dependencies.
- Changed: The default for `shorewall_interface` now detects the default network interface rather than being fixed at `eth0` (though `eth0` is still a fall-back default).
- Removed: role variables `shorewall_verbosity` and `shorewall_log_verbosity`. Use the `shorewall_conf` role variable to configure these instead.
## Contributors

- Simon Bärlocher
- S. Veyrié
- Michael Green
- Farhad Shahbazi
- Sascha Biberhofer
## License

This project is under the MIT License. See the LICENSE file for the full license text.

- Copyright (c) 2017 Simon Bärlocher