Latest commit: Edin Sarajlic, 270aba1fe1, "README: specify that this role can probably be used on any Debian-derived distro." (4 days ago)

Repository contents (path, last commit, message, age):
defaults    a34ed0e81a  Remove task for deploying/copying custom rules to server (superseded by the recently added ferm_rules_custom method of adding rules)  4 days ago
files       649527f6dc  Refactor: rename files, replacing _ with - for better readability  4 days ago
handlers    08c76a2d2e  Initial commit  5 years ago
tasks       7823f9fdf7  Refactor: rename task names for better readability  4 days ago
templates   2cdb7794a7  Rename variable: default_*_policy -> ferm_default_*_policy - gives variable more context, less likely to be confused  4 years ago
README      270aba1fe1  README: specify that this role can probably be used on any Debian-derived distro.  4 days ago

README

An Ansible role for setting up ferm (a firewalling program).

This role can most probably be used on any Debian-derived distro.

Clone this git repo into your Ansible roles directory, e.g.:

git clone ansible-ferm.git roles/ferm

---

A simple firewall that should be good enough for most static server
configurations.

The core firewall config (see: templates/ferm.conf.j2) defines three
chains (INPUT, OUTPUT, FORWARD). NOTE: The FORWARD chain is currently
non-functional.

The firewall chains' policies default to the following and can be overridden
by redefining these Ansible variables:

ferm_default_input_policy: ACCEPT
ferm_default_output_policy: ACCEPT
ferm_default_forward_policy: DROP

Rules can be added to each chain by adding items to the following list
variables (src is a file name under files/rules.d, dest the name it gets on
the target):

ferm_rules_inputs:
  - src: allow_icmp
    dest: allow_ping   # note that I've renamed the file at the destination
ferm_rules_outputs:
  - src: allow_http
    dest: 01_allow_http
  - src: allow_https
    dest: 02_allow_https

A small set of core rules is provided in files/rules.d.

Custom firewall rules (written inline in ferm syntax) can be added to the
ferm_rules_custom_* lists as follows:

ferm_rules_custom_inputs:
  - rule: saddr 192.168.1.1/24 proto tcp dport ssh ACCEPT;
    dest: allow-ssh-from-lan
  - rule: saddr 192.168.1.1/24 proto tcp dport http ACCEPT;
    dest: allow-http-from-lan
ferm_rules_custom_outputs:
  - rule: daddr 192.168.1.1/24 proto tcp dport ssh REJECT;
    dest: disallow-ssh-to-lan
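The following host_vars file is an added example, not part of this role, showing how the variables above combine into a default-deny INPUT policy. It assumes only the variable names documented in this README and ferm's own rule syntax (ferm(1)); the numeric dest prefixes are assumed to order the rule files, as the 01_/02_ naming in the README suggests.

```yaml
# host_vars/web01.yml (added example; assumes the role variables documented above)
# With INPUT set to DROP every inbound service must be allowed explicitly,
# so the loopback and ESTABLISHED/RELATED rules below are what keep an
# existing SSH session (and DNS/apt replies) alive during the first deploy.
ferm_default_input_policy: DROP      # README default is ACCEPT
ferm_default_output_policy: ACCEPT
ferm_default_forward_policy: DROP

# Rule shipped with the role (files/rules.d), copied by src/dest name.
ferm_rules_inputs:
  - src: allow_icmp
    dest: 00_allow_icmp

# Inline rules in ferm syntax; dest becomes the rule file name on the host.
ferm_rules_custom_inputs:
  - rule: interface lo ACCEPT;
    dest: 01-allow-loopback
  - rule: mod state state (ESTABLISHED RELATED) ACCEPT;
    dest: 02-allow-established
  - rule: mod state state INVALID DROP;
    dest: 03-drop-invalid
  # Management only from the admin LAN. 192.168.1.0/24 is the canonical
  # form of the network; 192.168.1.1/24 (as in the README) has host bits set.
  - rule: saddr 192.168.1.0/24 proto tcp dport ssh ACCEPT;
    dest: 10-allow-ssh-from-lan
  # Public services: only new TCP connections to the web ports.
  - rule: proto tcp dport (http https) mod state state NEW ACCEPT;
    dest: 20-allow-web

# Outbound stays ACCEPT; this single rule stops the web host from
# initiating SSH towards the admin LAN.
ferm_rules_custom_outputs:
  - rule: daddr 192.168.1.0/24 proto tcp dport ssh REJECT;
    dest: 10-disallow-ssh-to-lan
```

Apply it from a console or out-of-band session the first time so a mistake in the allow rules cannot lock you out.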

---

The provided task "deploy_custom_config.yml" copies files from the
source (Ansible server) to the destination (ferm/firewall server).

This allows you to centrally manage (and easily version control) files
that may be unique per-host, such as individual firewall rules.

Once ANY file has been copied across, ferm is restarted on the target host.

Variables to define:

Source, as defined by the variable ferm_custom_config_src,
e.g. "{{ inventory_hostname }}/etc/ferm/"

Destination, as defined by the variable ferm_custom_config_dst,
defaults to /etc/ferm/