Latest commit: Edin Sarajlic 394a17333a "README: remove references to removed task for copying/deploying custom rules to server (superseded by the recently added ferm_rules_custom method of adding rules)", 1 month ago

Repository contents (path, last commit):

defaults   a34ed0e81a  Remove task for deploying/copying custom rules to server (superseded by the recently added ferm_rules_custom method of adding rules)  1 month ago
files      649527f6dc  Refactor: rename files, replacing _ with - for better readability  1 month ago
handlers   08c76a2d2e  Initial commit  5 years ago
tasks      7823f9fdf7  Refactor: rename task names for better readability  1 month ago
templates  2cdb7794a7  Rename variable: default_*_policy -> ferm_default_*_policy - gives variable more context, less likely to be confused  4 years ago
README     394a17333a  README: remove references to removed task for copying/deploying custom rules to server (superseded by the recently added ferm_rules_custom method of adding rules)  1 month ago

README

An Ansible role for setting up ferm (a firewalling program).

This role can most likely be used on any Debian-derived distro.

Clone this git repo into your Ansible roles directory, e.g.:

git clone ansible-ferm.git roles/ferm

---

A simple firewall that should be good enough for most static server configurations.

The core firewall config (see: templates/ferm.conf.j2) defines three chains (INPUT, OUTPUT, FORWARD). NOTE: The FORWARD chain is currently non-functional.

The firewall chains' policies default to the following and can be overridden by redefining these Ansible variables:

ferm_default_input_policy: ACCEPT
ferm_default_output_policy: ACCEPT
ferm_default_forward_policy: DROP

Rules can be added to each chain by adding items to the following list variables; each item names a rule file (src) and the name it is installed under (dest):

ferm_rules_inputs:
  - src: allow_icmp
    dest: allow_ping  # note that I've renamed the file at the destination
ferm_rules_outputs:
  - src: allow_http
    dest: 01_allow_http
  - src: allow_https
    dest: 02_allow_https

A small set of core rules is provided in files/rules.d.

Custom firewall rules can be added to the ferm_rules_custom lists as follows:

ferm_rules_custom_inputs:
  - rule: saddr 192.168.1.1/24 proto tcp dport ssh ACCEPT;
    dest: allow-ssh-from-lan
  - rule: saddr 192.168.1.1/24 proto tcp dport http ACCEPT;
    dest: allow-http-from-lan
ferm_rules_custom_outputs:
  - rule: daddr 192.168.1.1/24 proto tcp dport ssh REJECT;
    dest: disallow-ssh-to-lan
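Because both the src/dest rule lists and the ferm_rules_custom lists above end up as files under rules.d and as raw ferm statements, it is worth linting the variables before a play templates them onto a host. The script below is an added example, not part of the ansible-ferm role: it assumes (as the README's layout suggests; the role's tasks are not shown here) that each dest becomes a filename under rules.d and each rule is one ';'-terminated ferm statement ending in a verdict. The sample variables are constructed for the example, and the individual checks (plain filename, trailing ';', verdict present, parseable addresses, duplicate dest) are this example's choices rather than anything the role enforces.

```python
"""Lint ferm_rules_custom_* variables before they are templated into rules.d.

Added example, not part of the ansible-ferm role. Assumes each list item has
the keys `rule` and `dest` as shown in the README, that `dest` becomes a file
name under rules.d, and that `rule` is a single ferm statement.
"""
import ipaddress
import re

# Constructed sample mirroring the README's variable layout (with two deliberate mistakes)
SAMPLE_VARS = {
    "ferm_rules_custom_inputs": [
        {"rule": "saddr 192.168.1.1/24 proto tcp dport ssh ACCEPT;", "dest": "allow-ssh-from-lan"},
        {"rule": "saddr 10.0.0.0/8 proto tcp dport http ACCEPT", "dest": "allow-http-from-lan"},
        {"rule": "proto tcp dport 3306 ACCEPT;", "dest": "../etc/ferm/ferm.conf"},
    ],
    "ferm_rules_custom_outputs": [
        {"rule": "daddr 192.168.1.1/24 proto tcp dport ssh REJECT;", "dest": "disallow-ssh-to-lan"},
    ],
}

SAFE_DEST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")   # one plain file name, nothing else
ADDR_RE = re.compile(r"\b(?:saddr|daddr)\s+([0-9a-fA-F.:/]+)")
VERDICTS = ("ACCEPT", "DROP", "REJECT")                    # deliberately strict; extend for jump/reject-with


def lint_rule(item):
    """Return a list of problem strings for one {rule, dest} item (empty list = clean)."""
    problems = []
    dest = item.get("dest", "")
    rule = item.get("rule", "").strip()

    # dest is used as a file name under rules.d; refuse anything that could escape that directory
    if not SAFE_DEST.match(dest) or ".." in dest:
        problems.append(f"dest {dest!r} is not a plain filename")

    # ferm statements are ';'-terminated; a missing ';' makes ferm reject the whole config at load time
    if not rule.endswith(";"):
        problems.append("rule does not end with ';'")

    # the last token should be a verdict, otherwise the rule matches traffic but decides nothing
    tokens = rule.rstrip(";").split()
    if not tokens or tokens[-1] not in VERDICTS:
        problems.append("rule has no ACCEPT/DROP/REJECT verdict")

    # every saddr/daddr must parse; warn when host bits are set, because
    # 192.168.1.1/24 is silently matched as the network 192.168.1.0/24
    for addr in ADDR_RE.findall(rule):
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            problems.append(f"address {addr!r} is not a valid IP/CIDR")
            continue
        if "/" in addr and str(net) != addr:
            problems.append(f"address {addr!r} has host bits set; will be matched as {net}")
    return problems


def lint_vars(vars_dict):
    """Lint every ferm_rules_custom_* list; return {(var, dest): [problems]} for bad items only."""
    report = {}
    for var, items in vars_dict.items():
        if not var.startswith("ferm_rules_custom_"):
            continue
        seen = set()
        for item in items:
            problems = lint_rule(item)
            dest = item.get("dest", "")
            # two items with the same dest would write the same file; the later one silently wins
            if dest in seen:
                problems.append(f"duplicate dest {dest!r} (later file overwrites earlier)")
            seen.add(dest)
            if problems:
                report[(var, dest)] = problems
    return report


if __name__ == "__main__":
    for (var, dest), problems in lint_vars(SAMPLE_VARS).items():
        print(f"{var}/{dest}:")
        for p in problems:
            print(f"  - {p}")
```

Run it against a vars file loaded with PyYAML (or wire it into a pre-commit hook) and fix every reported item before the play runs; on the constructed sample it flags the host-bits notation in three rules, the missing ';' in the second input rule, and the path-traversal dest in the third. Note that with ferm_default_input_policy left at ACCEPT, the allow rules in the inputs list change nothing; they only take effect once the INPUT policy is set to DROP.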