An Ansible role for setting up ferm (a firewall frontend that builds and loads iptables rules from a declarative config file).
This role can most likely be used on any Debian-derived distro.
Clone this git repo into your Ansible roles directory, e.g.:
git clone ansible-ferm.git roles/ferm
A simple firewall that should be good enough for most static server configurations.
The core firewall config (see templates/ferm.conf.j2) defines the three built-in filter chains (INPUT, OUTPUT, FORWARD). NOTE: the FORWARD chain is currently non-functional, so the role is not suitable for hosts that route or NAT traffic.
The chain policies default to the following and can be overridden by redefining these Ansible variables:
Rules can be added to each chain by adding items to the following list variables (each item names a rule file to copy; dest is optional and defaults to the src name):
- src: allow_icmp
  dest: allow_ping   # optional: the file is renamed to this name at the destination
- src: allow_http
- src: allow_https
A small set of core rules (the src names used above) is provided in files/rules.d.
Custom firewall rules, written in ferm's own syntax and terminated with a semicolon, can be added to the ferm_rules_custom lists as follows:
- rule: saddr 192.168.1.0/24 proto tcp dport ssh ACCEPT;
- rule: saddr 192.168.1.0/24 proto tcp dport http ACCEPT;
- rule: daddr 192.168.1.0/24 proto tcp dport ssh REJECT;
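To make the pieces above concrete, here is an illustrative rendered /etc/ferm/ferm.conf showing how the default chain policies, the copied rule files and the ferm_rules_custom entries fit together. This is an added example for readers, not the role's templates/ferm.conf.j2: the default policies (INPUT and FORWARD DROP, OUTPUT ACCEPT), the /etc/ferm/rules.d destination path, the conntrack and loopback bookkeeping rules and the contents of the included rule files are assumptions; the custom rules are the ones from this README with the network written canonically as 192.168.1.0/24.

```ferm
# Illustrative /etc/ferm/ferm.conf (added example, not the role's template).
# IPv4 only; an IPv6 policy would need a separate "domain ip6" block or
# @if @eq($DOMAIN, ip) guards around the IPv4-specific saddr/daddr rules.
domain ip {
    table filter {
        chain INPUT {
            policy DROP;                       # assumed default: deny inbound unless listed

            # Bookkeeping that every default-deny INPUT chain needs (assumed, not from the role):
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;

            # Rule files copied from files/rules.d to /etc/ferm/rules.d (path assumed).
            # Each file holds bare ferm rules for this chain, e.g. allow_https could contain:
            #   proto tcp dport https ACCEPT;
            # and allow_ping (renamed from allow_icmp via dest) could contain:
            #   proto icmp icmp-type echo-request ACCEPT;
            @include "rules.d/allow_ping";
            @include "rules.d/allow_http";
            @include "rules.d/allow_https";

            # ferm_rules_custom entries rendered verbatim; the trailing ';' is part of the rule.
            saddr 192.168.1.0/24 proto tcp dport ssh ACCEPT;
            saddr 192.168.1.0/24 proto tcp dport http ACCEPT;
        }

        chain OUTPUT {
            policy ACCEPT;                     # assumed default: outbound open
            # Custom OUTPUT rule: refuse SSH from this host into the management network.
            daddr 192.168.1.0/24 proto tcp dport ssh REJECT;
        }

        chain FORWARD {
            policy DROP;                       # assumed default; the role leaves this chain non-functional
        }
    }
}
```

Before trusting a rendered config, parse it without touching the kernel with `ferm --noexec --lines /etc/ferm/ferm.conf`, which prints the iptables commands ferm would run. When applying by hand over SSH, use `ferm --interactive --timeout 30 /etc/ferm/ferm.conf`: ferm reverts to the previous ruleset unless you confirm within the timeout, so a mistaken INPUT rule (for example a custom rule whose saddr does not cover your own workstation) cannot lock you out of the host.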