An ansible role to setup and configure a Shorewall in a simple environment under Debian/CentOS based distro's
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
defaults
handlers
meta
tasks
templates
vars
LICENSE.md
README.md

README.md

shorewall_simple

WARNING: This role can be dangerous to use. If you lose network connectivity to your target host by incorrectly configuring your firewall, you may be unable to recover without physical access to the machine.

This role installs and configures Shorewall for a simple, single network interface (can be a bond, of course) server.

Requirements

This role requires Ansible 1.4 or higher and platform requirements are listed in the metadata file.

Role Variables

The variables that can be passed to this role and a brief description about them are as follows. These are all based on the configuration variables of the Shorewall configuration.

shorewall_enabled: "Yes"
shorewall_startup: 1
shorewall_wait_interface: "eth0"
shorewall_options: ""
shorewall_startoptions: ""
shorewall_restartoptions: ""
shorewall_initlog: "/var/log/shorewall_init.log"
shorewall_safestop: 0

shorewall_zones:
- zone: "fw"
  type: "firewall"
- zone: "net"
  type: "ipv4"
  options="-"
  options_in="strict"
  options_out="-"

shorewall_interfaces: 
- interface: "eth0"
  zone: "net"
  broadcast: "detect"
  options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
- source: "$FW"
  destination: "net"
  policy: "ACCEPT"
- source: "net"
  destination: "$FW"
  policy: "ACCEPT"
- source: "all"
  destination: "all"
  policy: "DROP"
  log_level: "info"
  burst_limit: "10/second:100"

shorewall_rules:
- section: "NEW"
  rules:
  - action: "ACCEPT"
    source: "net"
    destination: "$FW"
    protocol: "tcp"
    destination_port: 22
    source_port: "-"
    original_destination: "-"
    rate_limit: "-"
    user_group: "-"
    mark: "-"
    connection_limit: "-"
    time: "-"
    headers: "-"
    switch: "-"

Examples

  1. Example allowing all traffic in and out

    • hosts: all
      • roles:
        • role: shorewall_simple shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw" type: "firewall"
          • zone: "net" type: "ipv4" shorewall_interfaces:
          • interface: "eth0" zone: "net" broadcast: "detect" options: "dhcp,tcpflags,nosmurfs,logmartians" shorewall_policies:
          • source: "all" destination: "all" policy: "ACCEPT"
  2. Example allowing all outgoing traffic but block incomming traffic and log it, but allow incomming SSH traffic and accept Ping

    • hosts: all
      • roles:
        • role: shorewall_simple shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw" type: "firewall"
          • zone: "net" type: "ipv4" shorewall_interfaces:
          • interface: "eth0" zone: "net" broadcast: "detect" options: "dhcp,tcpflags,nosmurfs,logmartians" shorewall_policies:
          • source: "$FW" destination: "net" policy: "ACCEPT"
          • source: "net" destination: "$FW" policy: "DROP" log_level: "info"
          • source: "all" destination: "all" policy: "DROP" shorewall_rules:
          • section: "NEW" rules:
            • action: "Ping/ACCEPT" source: "net" destination: "$FW"
            • action: "ACCEPT" source: "net" destination: "$FW" protocol: "tcp" destination_port: 22

Dependencies

All systems:

  • iptables

Red Hat based distributions:

  • EPEL

License

BSD

Author Information

Philippe Dellaert