commit e1bcd8bac17d8f9ed510461b21040fb66e0f7bd4
Author: Simon Weald
Date: Tue Aug 21 10:11:31 2018 +0100
initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e70246c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,78 @@
+## shorewall
+
+
+
+
+
+Describe your role in a few paragraphs....
+
+
+
+### Role variables
+
+List of default variables available in the inventory:
+
+```YAML
+---
+shorewall_config_opts:
+ startup_enabled: 'Yes'
+ verbosity: '1' # [0=Silent|1=Major|2=All]
+ log_level: 'info'
+ log_martians: 'Yes'
+ log_verbosity: '2' # [-1=disabled|0=Silent|1=Major|2=All]
+ logfile: '/var/log/messages.log'
+ logformat: 'Shorewall:%s:%s:'
+ loglimit: 's:1/sec:10'
+ startup_log: '/var/log/shorewall-init.log'
+ docker: 'No' # shorewall5 only
+ ip_forwarding: 'On' # [On|Off|Keep]
+
+# default policies go here (if you wish to define them in the role)
+shorewall_interfaces_default: []
+shorewall_policies_default: []
+shorewall_rules_default: []
+shorewall_zones_default: []
+
+## define possible overrides so we're not left with empty lists
+# define in group_vars/all
+shorewall_zones_all: []
+shorewall_policies_all: []
+shorewall_interfaces_all: []
+shorewall_rules_all: []
+
+# define in group_vars/groupname
+shorewall_zones_group: []
+shorewall_policies_group: []
+shorewall_interfaces_group: []
+shorewall_rules_group: []
+
+# define in host_vars/hostname
+shorewall_zones_host: []
+shorewall_policies_host: []
+shorewall_interfaces_host: []
+shorewall_rules_host: []
+```
+
+List of internal variables used by the role:
+
+ shorewall_rules
+ shorewall_interfaces
+ shorewall_zones
+ shorewall_policies
+### Detailed usage guide
+
+Describe how to use in more detail...
+
+
+### Authors and license
+
+`shorewall` role was written by:
+
+- [Simon Weald](https://www.simonweald.com) | [e-mail](mailto:simon@simonweald.com) | [Twitter](https://twitter.com/analbeard)
+
+License: [MIT](https://tldrlegal.com/license/mit-license)
+
+***
+
+README generated by [Ansigenome](https://github.com/nickjj/ansigenome/).
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7583237
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,39 @@
+---
+shorewall_config_opts:
+ startup_enabled: 'Yes'
+ verbosity: '1' # [0=Silent|1=Major|2=All]
+ log_level: 'info'
+ log_martians: 'Yes'
+ log_verbosity: '2' # [-1=disabled|0=Silent|1=Major|2=All]
+ logfile: '/var/log/messages.log'
+ logformat: 'Shorewall:%s:%s:'
+ loglimit: 's:1/sec:10'
+ startup_log: '/var/log/shorewall-init.log'
+ docker: 'No' # shorewall5 only
+ ip_forwarding: 'On' # [On|Off|Keep]
+
+# default policies go here (if you wish to define them in the role)
+shorewall_interfaces_default: []
+shorewall_policies_default: []
+shorewall_rules_default: []
+shorewall_zones_default: []
+
+## define possible overrides so we're not left with empty lists
+# define in group_vars/all
+shorewall_zones_all: []
+shorewall_policies_all: []
+shorewall_interfaces_all: []
+shorewall_rules_all: []
+
+# define in group_vars/groupname
+shorewall_zones_group: []
+shorewall_policies_group: []
+shorewall_interfaces_group: []
+shorewall_rules_group: []
+
+# define in host_vars/hostname
+shorewall_zones_host: []
+shorewall_policies_host: []
+shorewall_interfaces_host: []
+shorewall_rules_host: []
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..c6c4b43
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# validate config first
+- name: restart shorewall
+ shell: shorewall check
+ notify: restart shorewall after check
+
+- name: restart shorewall after check
+ service:
+ name: shorewall
+ state: restarted
+
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..f346155
--- /dev/null
+++ b/meta/main.yml
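Review bot: `log_level` and `docker` inside `shorewall_config_opts` are never read — templates/etc/shorewall/shorewall.conf.j2 substitutes only startup_enabled, verbosity, log_martians, log_verbosity, logfile, logformat, loglimit, startup_log and ip_forwarding — so a user who sets them gets neither an effect nor an error; either drop the two keys or wire them up (for Shorewall 5, `DOCKER={{ shorewall_config_opts['docker'] }}` in the conf template). Worth reconsidering as well: `ip_forwarding: 'On'` switches kernel IP forwarding on for every host the role manages, while the bundled templates are the upstream one-interface samples; `'Keep'` (already listed as valid in the inline comment) would leave the host's current sysctl alone and make forwarding an explicit opt-in. `startup_enabled` must be spelled exactly `'Yes'` or `'No'` because templates/etc/default/shorewall.j2 compares it literally; a comment such as `# exact spelling 'Yes'/'No' — compared literally by the /etc/default template` above it would save a debugging round. Quoting these values as strings is correct: unquoted `Yes`/`No`/`On` would be read as booleans by YAML 1.1 loaders.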
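Review bot: `shell: shorewall check` spawns a shell for a fixed command with no pipes, globs or redirection; `command: shorewall check` runs the same thing without the extra interpreter and is what ansible-lint expects. The chaining itself is sound: `restart shorewall` fails the play when the rendered configuration does not compile, and only on success does `restart shorewall after check` bounce the service, so a broken config never replaces the running rule set. Because the check runs as a handler at the end of the play, though, the invalid files are already on disk when it fails and a later boot-time start could refuse to load them; a comment such as `# a failed check leaves the new files in place — fix and re-run before the next restart/reboot` would make that operational consequence visible.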
@@ -0,0 +1,73 @@
+---
+
+galaxy_info:
+ author: Simon Weald
+ description: your description
+ company:
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: MIT
+
+ min_ansible_version: 1.2
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ # Optionally specify the branch Galaxy will use when accessing the GitHub
+ # repo for this role. During role install, if no tags are available,
+ # Galaxy will use this branch. During import Galaxy will access files on
+ # this branch. If Travis integration is configured, only notifications for this
+ # branch will be accepted. Otherwise, in all cases, the repo's default branch
+ # (usually master) will be used.
+ #github_branch:
+
+ #
+ # platforms is a list of platforms, and each platform has a name and a list of versions.
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
+ansigenome_info:
+ galaxy_id: ''
+
+ travis: False
+
+ synopsis: |
+ Describe your role in a few paragraphs....
+
+ usage: |
+ Describe how to use in more detail...
+
+ #custom: |
+ # Any custom output you want after the usage section..
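Review bot: `min_ansible_version: 1.2` contradicts tasks/main.yml, which uses `loop:` (introduced in Ansible 2.5); a user on an older release installs the role from Galaxy without complaint and then fails at the first template task, so `min_ansible_version: "2.5"` is the value that matches the code. Quoting it also sidesteps the float trap, where a later `2.10` would silently become `2.1`. `description: your description` and the bare `company:` (which parses as null) are still Ansigenome placeholders, and `travis: False` should be lowercase `false` to satisfy yamllint's `truthy` rule and YAML 1.2 loaders alike.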
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..3f80ad0
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: shorewall_config | merge shorewall zones
+ set_fact:
+ shorewall_zones: "{{ shorewall_zones_host + shorewall_zones_group + shorewall_zones_all + shorewall_zones_default }}"
+
+- name: shorewall_config | merge shorewall policies
+ set_fact:
+ shorewall_policies: "{{ shorewall_policies_host + shorewall_policies_group + shorewall_policies_all + shorewall_policies_default }}"
+
+- name: shorewall_config | merge shorewall interfaces
+ set_fact:
+ shorewall_interfaces: "{{ shorewall_interfaces_host + shorewall_interfaces_group + shorewall_interfaces_all + shorewall_interfaces_default }}"
+
+- name: shorewall_config | merge shorewall rules
+ set_fact:
+ shorewall_rules: "{{ shorewall_rules_host + shorewall_rules_group + shorewall_rules_all + shorewall_rules_default }}"
+
+- name: shorewall_config | template Shorewall defaults
+ template:
+ src: etc/default/shorewall.j2
+ dest: /etc/default/shorewall
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart shorewall
+
+- name: shorewall_config | template Shorewall config
+ template:
+ src: "etc/shorewall/{{ item }}.j2"
+ dest: "/etc/shorewall/{{ item }}"
+ owner: root
+ group: root
+ mode: 0640
+ loop:
+ - shorewall.conf
+ - interfaces
+ - params
+ - policy
+ - rules
+ - zones
+ notify: restart shorewall
diff --git a/templates/etc/default/shorewall.j2 b/templates/etc/default/shorewall.j2
new file mode 100644
index 0000000..caa4e64
--- /dev/null
+++ b/templates/etc/default/shorewall.j2
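Review bot: `mode: 0640` on both template tasks is an unquoted octal literal: a YAML 1.1 loader reads it as the integer 416, which Ansible applies as 0o640 by luck of representation, but a YAML 1.2 loader reads 640 decimal (0o1200) and the files end up with a nonsensical mode, so `mode: "0640"` is the portable spelling. The four merge tasks concatenate host, then group, then all, then role defaults, which gives host-level entries first-match precedence in the generated policy and rules files; that ordering is deliberate but undocumented, and a comment on the first set_fact such as `# order matters: host entries are evaluated before group, all and role defaults` would capture it. Neither template task uses `validate:`, which is acceptable here because `shorewall check` needs the whole /etc/shorewall directory and the notified handler performs that check before the service restart.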
@@ -0,0 +1,53 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+{% if shorewall_config_opts['startup_enabled'] == 'Yes' %}
+startup=1
+{% elif shorewall_config_opts['startup_enabled'] == 'No' %}
+startup=0
+{% endif %}
+
+# If your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall
+# to wait until the interface is configured. Otherwise the script will fail
+# because it won't be able to detect the IP address.
+#
+# Example:
+# wait_interface="ppp0"
+# or
+# wait_interface="ppp0 ppp1"
+# or, if you have defined in /etc/shorewall/params
+# wait_interface=
+
+#
+# Global start/restart options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RELOADOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
+# a safe state rather than to open it
+#
+SAFESTOP=0
+
+# EOF
diff --git a/templates/etc/shorewall/interfaces.j2 b/templates/etc/shorewall/interfaces.j2
new file mode 100644
index 0000000..97aba9e
--- /dev/null
+++ b/templates/etc/shorewall/interfaces.j2
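Review bot: The `startup` switch only handles the exact strings `'Yes'` and `'No'`; any other spelling (`'yes'`, `'YES'`, or a YAML boolean that Jinja renders as `True`) matches neither branch and `startup=` is silently omitted from /etc/default/shorewall, even though Shorewall itself accepts the STARTUP_ENABLED value case-insensitively as far as I recall. Normalising once closes the gap and removes the unreachable third state: `{% if shorewall_config_opts['startup_enabled']|string|lower == 'yes' %}` / `startup=1` / `{% else %}` / `startup=0` / `{% endif %}`. `SAFESTOP=0` also deserves a comment: it means `/etc/init.d/shorewall stop` opens the firewall rather than leaving a safe rule set in place, which is the upstream default but a notable choice for a role that manages the service, so `# SAFESTOP=0 is the upstream default: 'stop' opens the firewall; set 1 to fail closed` would document the trade-off. The comment on line 2 also misspells "varible".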
@@ -0,0 +1,20 @@
+#
+# Shorewall - Sample shorewall_interfaces File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
+
+{% for interface in shorewall_interfaces %}
+{{ interface['zone'] }} {{ interface['name'] }} {{ interface['options']|join(',') }}
+{% endfor %}
\ No newline at end of file
diff --git a/templates/etc/shorewall/params.j2 b/templates/etc/shorewall/params.j2
new file mode 100644
index 0000000..0c50d58
--- /dev/null
+++ b/templates/etc/shorewall/params.j2
@@ -0,0 +1,24 @@
+#
+# Shorewall -- /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 routefilter,norfc1918
+#
+###############################################################################
diff --git a/templates/etc/shorewall/policy.j2 b/templates/etc/shorewall/policy.j2
new file mode 100644
index 0000000..a36af3f
--- /dev/null
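Review bot: `{{ interface['options']|join(',') }}` raises an undefined-variable error for any interface entry that sets no `options`, so the simplest record, a zone and an interface name, cannot be expressed; `{{ interface['options']|default([])|join(',') }}` renders an empty OPTIONS column instead and matches the `|default('')` convention already used in policy.j2. Since interface options are where Shorewall's per-interface anti-spoofing controls such as `routefilter`, `tcpflags` and `nosmurfs` live, a comment above the loop stating that the role applies none by default (`# no interface options are applied unless the inventory supplies them`) would make that explicit to whoever writes the inventory. The file also lacks a trailing newline (`\ No newline at end of file`), harmless after `{% endfor %}` but worth tidying.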
+++ b/templates/etc/shorewall/policy.j2
@@ -0,0 +1,20 @@
+#
+# Shorewall - Sample Policy File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#-----------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+{% for policy in shorewall_policies %}
+{{ policy['source'] }} {{ policy['dest'] }} {{ policy['policy'] }} {{ policy['log_level']|default('') }}
+{% endfor %}
+
+# The FOLLOWING POLICY MUST BE LAST
+all all REJECT info
diff --git a/templates/etc/shorewall/rules.j2 b/templates/etc/shorewall/rules.j2
new file mode 100644
index 0000000..75fdc15
--- /dev/null
+++ b/templates/etc/shorewall/rules.j2
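Review bot: The hard-coded `all all REJECT info` is the deny-by-default backstop that keeps the merged policy list safe, but nothing says it is intentionally outside the inventory's control; a comment such as `# deliberately not templated: guarantees a deny-by-default policy whatever the inventory supplies` above it would stop a future edit from making it configurable. The loop renders only SOURCE, DEST, POLICY and LOG LEVEL, so the LIMIT:BURST column named in the header cannot be set; `{{ policy['limit']|default('') }}` as a fifth field would follow the existing `|default('')` pattern. Readers should also know that an inventory-supplied `all all ACCEPT` earlier in the list still shadows the backstop, since Shorewall applies the first matching policy as far as I recall.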
@@ -0,0 +1,23 @@
+#
+# Shorewall - Sample Rules File for one-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------------------------------------
+# For information on entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+# PORT PORT(S) DEST LIMIT GROUP
+{% for section in shorewall_rules %}
+?SECTION {{ section.section }}
+{% if section.rules is defined %}
+{% for rule in section.rules %}
+{{ rule.action }} {{ rule.source }} {{ rule.dest }} {{ rule.proto }} {{ rule.dest_ports|join (',') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/templates/etc/shorewall/shorewall.conf.j2 b/templates/etc/shorewall/shorewall.conf.j2
new file mode 100644
index 0000000..2324fb4
--- /dev/null
+++ b/templates/etc/shorewall/shorewall.conf.j2
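Review bot: `shorewall_rules` is the concatenation of four inventory lists (host, group, all, default), each of which may carry its own `section` entries, so this loop can emit the same `?SECTION` twice or out of the order Shorewall 5 requires (ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED, NEW), which `shorewall check` rejects as far as I recall — and the failure only surfaces in the handler after the files are on disk. Grouping entries by section name before rendering, as sketched below, makes the merged output valid regardless of which inventory level contributed what; note that any `section` value outside the known names is then silently skipped, so a `{% else %}` that fails loudly may be preferable. Separately, `rule.dest_ports|join (',')` errors for a rule without a port list; `rule.dest_ports|default(['-'])|join(',')` emits Shorewall's `-` placeholder instead (and the space before `(` is unusual Jinja).
```jinja
{# … unchanged: header comments … #}
{% for name in ['ALL', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED', 'NEW'] %}
{% set entries = shorewall_rules|selectattr('section', 'equalto', name)|list %}
{% if entries %}
?SECTION {{ name }}
{% for section in entries %}
{% for rule in section.rules|default([]) %}
{{ rule.action }} {{ rule.source }} {{ rule.dest }} {{ rule.proto }} {{ rule.dest_ports|default(['-'])|join(',') }}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
```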
@@ -0,0 +1,288 @@
+###############################################################################
+#
+# Shorewall - Sample shorewall.conf for one-interface
+# configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# The manpage is also online at
+# http://shorewall.net/manpages/shorewall.conf.html
+#
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED={{ shorewall_config_opts['startup_enabled'] }}
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY={{ shorewall_config_opts['verbosity'] }}
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_MARTIANS={{ shorewall_config_opts['log_martians'] }}
+
+LOG_VERBOSITY={{ shorewall_config_opts['log_verbosity'] }}
+
+LOGALLNEW=
+
+LOGFILE={{ shorewall_config_opts['logfile'] }}
+
+LOGFORMAT="{{ shorewall_config_opts['logformat'] }}"
+
+LOGTAGONLY=No
+
+LOGLIMIT="{{ shorewall_config_opts['loglimit'] }}"
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG={{ shorewall_config_opts['startup_log'] }}
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+ARPTABLES=
+
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IPTABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+TC=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT="none"
+DROP_DEFAULT="Drop"
+NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+ADMINISABSENTMINDED=Yes
+
+BASIC_FILTERS=No
+
+IGNOREUNKNOWNVARIABLES=No
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=No
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+HELPERS=
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=Yes
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING={{ shorewall_config_opts['ip_forwarding'] }}
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX="ko ko.xz"
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=All
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+RESTORE_ROUTEMARKS=Yes
+
+RETAIN_ALIASES=No
+
+ROUTE_FILTER=No
+
+SAVE_ARPTABLES=No
+
+SAVE_IPSETS=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=Yes
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
diff --git a/templates/etc/shorewall/zones.j2 b/templates/etc/shorewall/zones.j2
new file mode 100644
index 0000000..9379516
--- /dev/null
+++ b/templates/etc/shorewall/zones.j2
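Review bot: `LOGFILE={{ shorewall_config_opts['logfile'] }}` and `STARTUP_LOG={{ shorewall_config_opts['startup_log'] }}` interpolate unquoted, unlike `LOGFORMAT="…"` and `LOGLIMIT="…"` a few lines above; shorewall.conf uses shell-style assignment with variable expansion (see `CONFIG_PATH=${CONFDIR}/…`), so a path containing a space or `$` would be mangled or expanded — quote them the same way, `LOGFILE="{{ shorewall_config_opts['logfile'] }}"` and `STARTUP_LOG="{{ shorewall_config_opts['startup_log'] }}"`. Because only nine settings are templated, hardening-relevant options such as `ROUTE_FILTER=No`, `BLACKLIST_LOG_LEVEL=` (blacklist hits go unlogged, as far as I recall) and `DYNAMIC_BLACKLIST=Yes` are fixed for every host; a short comment near the top stating which settings the role exposes and that everything else is the upstream one-interface sample value would set expectations for operators who expect to tune them from the inventory. This hunk is the whole file, so the point applies file-wide rather than to one block.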
@@ -0,0 +1,18 @@
+#
+# Shorewall - Sample Zones File for one-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#-----------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+{% for zone in shorewall_zones %}
+{{ zone.name }} {{ zone.type }}
+{% endfor %}
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..11a1676
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - shorewall
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..1e6f6b2
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for shorewall
\ No newline at end of file
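Review bot: The loop renders only `zone.name` and `zone.type`, so the OPTIONS, IN OPTIONS and OUT OPTIONS columns announced in the header comment can never be set from the inventory, and a zone entry without `type` is a template error rather than Shorewall's default of `ipv4`; `{{ zone.name }} {{ zone.type|default('ipv4') }} {{ zone.options|default('-') }}` keeps every existing entry rendering identically while making the type optional and the options column reachable. If the extra columns are intentionally out of scope, a comment above the loop saying so (`# only ZONE and TYPE are rendered; zone options are not supported by this role`) would stop readers trusting the header. The firewall zone (`type: firewall`) must be supplied by the inventory as well, which is worth stating in the README since an empty zones file will not pass `shorewall check`.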
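Review bot: tests/test.yml applies the role against localhost with only the empty defaults, so every generated Shorewall file is header-only and, as far as I can tell, the `restart shorewall` handler would fail at `shorewall check` (no firewall zone is defined) — the test cannot pass as written. Supplying a minimal `vars:` block on the play with one `firewall`-type zone in `shorewall_zones_default` (constructed sample data, e.g. `- {name: fw, type: firewall}`) would let it exercise the merge, template and check path end to end. `remote_user: root` is unnecessary for a localhost play and is better expressed as `become: true` if elevation is needed; the file also lacks a trailing newline.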