lcaflc / role-ferm-firewall

Ansible role to configure the firewall Ferm

Ferm-Firewall

Manage and configure the ferm firewall. The role writes a separate configuration file per rule group into /etc/ferm/ferm.d/. Because rule groups from several var files are combined into one hash, you may need to change Ansible's hash_behaviour setting from replace to merge.

Requirements

  • ferm package

Configuration files and variables structure

  • roles/ansible-role-ferm-firewall/defaults/main.yml
  • used only when ferm_rules is not defined anywhere else

Example configuration:

  • group_vars/all/all
  • may define ferm_rules - applied to all hosts
  • group_vars/group/group.yml
  • may define ferm_rules_extra - applied in addition to ferm_rules

Role Variables

To configure ferm, you provide a key that associates a set of rules with a role or piece of software. That way, rules split across multiple var files do not overwrite each other. If domains is not defined for a chain, its rules are applied to both the ip and ip6 domains. Example configuration:

---
# Your default ferm rules for all hosts
ferm_rules:
# Create a file in /etc/ferm/ferm.d/default.conf
  default:
    - chain: INPUT
      rules:
        - {rule: "policy DROP;",  comment: "global policy"}
        - {rule: "mod state state INVALID DROP;", comment: "connection tracking: drop"}
        - {rule: "mod state state (ESTABLISHED RELATED) ACCEPT;", comment: "connection tracking"}
        - {rule: "interface lo ACCEPT;", comment: "allow local packet"}
        - {rule: "proto icmp ACCEPT;", comment: "respond to ping"}
        - {rule: "proto tcp dport ssh ACCEPT;", comment: "allow SSH connections"}
    # Different set of rules on ip / ip6
    - chain: OUTPUT
      domains:
        - ip
      rules:
        - rule: "policy ACCEPT;"
          comment: global policy
    - chain: OUTPUT
      domains:
        - ip6
      rules:
        - rule: "policy DROP;"
          comment: global policy ip6

    - chain: FORWARD
      domains: [ip, ip6]
      rules:
        - rule: "policy DROP;"
          comment: global policy
        - rule: "mod state state INVALID DROP;"
          comment: "connection tracking: drop"
        - rule: "mod state state (ESTABLISHED RELATED) ACCEPT;"
          comment: "connection tracking"

Dependencies

  • None

Example Playbook

ferm_rules is a hash rather than an array. The main reason is that hashes can be merged when the same host is configured by several roles, each contributing its own key.

Inventory:

[mongodb]
MachineA
[rabbitmq]
MachineA
[kvm]
MachineA

Playbook:

---
- hosts: mongodb
  vars:
    ferm_rules:
      mongodb:
        - chain: INPUT
          rules:
            - {rule: "proto tcp dport (27017) ACCEPT;", comment: "MongoDB mongo shard/repl servers"}
            - {rule: "proto tcp dport (27701 27702 27703) ACCEPT;", comment: "MongoDB mongo configuration servers"}
            - {rule: "proto tcp dport (27801) ACCEPT;", comment: "MongoDB mongo router server (mongos)"}
  roles:
    - ferm-firewall

- hosts: kvm
  vars:
    ferm_rules:
      rabbitmq_nat:
        - table: nat
          chain: PREROUTING
          rules:
            - rule: "proto tcp dport 5672 DNAT to 192.168.0.2:5672;"
              comment: "nat rabbitmq to host"
        - table: nat
          chain: OUTPUT
          rules:
            - rule: "outerface lo proto tcp dport 5672 DNAT to 192.168.0.2:5672;"
              comment: "outerface rabbitmq"
  roles:
    - ferm-firewall

- hosts: rabbitmq
  vars:
    ferm_rules:
      rabbitmq:
        - chain: INPUT
          domains: [ip]
          rules:
            - rule: "proto tcp dport (5672) ACCEPT;"
              comment: "Rabbitmq-server"
  roles:
    - ferm-firewall

Result:

  • /etc/ferm/ferm.d/mongodb.conf
domain (ip ip6) table filter {
  chain INPUT {
     # MongoDB mongo shard/repl servers
     proto tcp dport (27017) ACCEPT;

     # MongoDB mongo configuration servers
     proto tcp dport (27701 27702 27703) ACCEPT;

     # MongoDB mongo router server (mongos)
     proto tcp dport (27801) ACCEPT;

    }
}
  • /etc/ferm/ferm.d/rabbitmq.conf
domain (ip ) table filter {
  chain INPUT {
     # Rabbitmq-server
     proto tcp dport (5672) ACCEPT;

    }
}
  • /etc/ferm/ferm.d/rabbitmq_nat.conf
 table nat {
  chain PREROUTING {
   # nat rabbitmq to host
   proto tcp dport 5672 DNAT to 192.168.0.2:5672;

  }
}

 table nat {
  chain OUTPUT {
   # outerface rabbitmq
   outerface lo proto tcp dport 5672 DNAT to 192.168.0.2:5672;

  }
}
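Added example, not the role's own code: a small Python model of why ferm_rules is a hash and why the hash_behaviour setting matters. Under Ansible's default replace, a play-level ferm_rules discards the group_vars/all "default" group, so default.conf with its INPUT DROP policy is never written for that host; under merge both groups survive. The rendering format approximates the Result output for the filter table (an assumption) and does not model the nat-table layout.

```python
# Added example, not part of the role: models what Ansible's hash_behaviour does to
# the ferm_rules hash when group_vars/all and a play both define it, and renders the
# ferm.d/<key>.conf files in the filter-table format the Result section shows
# (that format is reconstructed from the README output, an assumption).

DEFAULT_RULES = {  # group_vars/all: the base rules every host should get
    "default": [
        {"chain": "INPUT", "rules": [
            {"rule": "policy DROP;", "comment": "global policy"},
            {"rule": "proto tcp dport ssh ACCEPT;", "comment": "allow SSH connections"},
        ]},
    ],
}
MONGODB_RULES = {  # the mongodb play's own ferm_rules
    "mongodb": [
        {"chain": "INPUT", "rules": [
            {"rule": "proto tcp dport (27017) ACCEPT;", "comment": "MongoDB mongo shard/repl servers"},
        ]},
    ],
}

def combine(base, extra, hash_behaviour="replace"):
    """Resolve ferm_rules the way Ansible does when a higher-precedence definition exists."""
    if hash_behaviour == "replace":
        return dict(extra)           # Ansible default: the play's hash wins wholesale
    if hash_behaviour == "merge":
        return {**base, **extra}     # keys from both survive; same key: later list wins
    raise ValueError(f"unknown hash_behaviour: {hash_behaviour}")

def dropped_keys(base, extra):
    """Rule groups (and thus ferm.d files) that silently vanish under replace."""
    return sorted(set(base) - set(extra))

def render(blocks):
    """Render one ferm.d/<key>.conf from the role's list of chain blocks."""
    out = []
    for blk in blocks:
        domains = " ".join(blk.get("domains", ["ip", "ip6"]))  # README default
        out.append(f"domain ({domains}) table {blk.get('table', 'filter')} {{")
        out.append(f"  chain {blk['chain']} {{")
        for r in blk["rules"]:
            if r.get("comment"):
                out.append(f"    # {r['comment']}")
            out.append(f"    {r['rule']}")
        out += ["  }", "}"]
    return "\n".join(out) + "\n"

def render_all(rules):
    """Map each top-level key of ferm_rules to the file the role would write."""
    return {f"/etc/ferm/ferm.d/{k}.conf": render(v) for k, v in rules.items()}
```

Checking dropped_keys() against your group_vars and play vars before a run is a cheap way to catch a host that would end up without its baseline policy.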

License

MIT