initial commit

This commit is contained in:
2018-08-21 10:11:31 +01:00
commit e1bcd8bac1
15 changed files with 697 additions and 0 deletions

78
README.md Normal file

@@ -0,0 +1,78 @@
## shorewall
<!-- This file was generated by Ansigenome. Do not edit this file directly but
instead have a look at the files in the ./meta/ directory. -->
Describe your role in a few paragraphs....
### Role variables
List of default variables available in the inventory:
```YAML
---
shorewall_config_opts:
startup_enabled: 'Yes'
verbosity: '1' # [0=Silent|1=Major|2=All]
log_level: 'info'
log_martians: 'Yes'
log_verbosity: '2' # [-1=disabled|0=Silent|1=Major|2=All]
logfile: '/var/log/messages.log'
logformat: 'Shorewall:%s:%s:'
loglimit: 's:1/sec:10'
startup_log: '/var/log/shorewall-init.log'
docker: 'No' # shorewall5 only
ip_forwarding: 'On' # [On|Off|Keep]
# default policies go here (if you wish to define them in the role)
shorewall_interfaces_default: []
shorewall_policies_default: []
shorewall_rules_default: []
shorewall_zones_default: []
## define possible overrides so we're not left with empty lists
# define in group_vars/all
shorewall_zones_all: []
shorewall_policies_all: []
shorewall_interfaces_all: []
shorewall_rules_all: []
# define in group_vars/groupname
shorewall_zones_group: []
shorewall_policies_group: []
shorewall_interfaces_group: []
shorewall_rules_group: []
# define in host_vars/hostname
shorewall_zones_host: []
shorewall_policies_host: []
shorewall_interfaces_host: []
shorewall_rules_host: []
```
List of internal variables used by the role:
shorewall_rules
shorewall_interfaces
shorewall_zones
shorewall_policies
### Detailed usage guide
Describe how to use in more detail...
### Authors and license
`shorewall` role was written by:
- [Simon Weald](https://www.simonweald.com) | [e-mail](mailto:simon@simonweald.com) | [Twitter](https://twitter.com/analbeard)
License: [MIT](https://tldrlegal.com/license/mit-license)
***
README generated by [Ansigenome](https://github.com/nickjj/ansigenome/).

39
defaults/main.yml Normal file

@@ -0,0 +1,39 @@
---
shorewall_config_opts:
startup_enabled: 'Yes'
verbosity: '1' # [0=Silent|1=Major|2=All]
log_level: 'info'
log_martians: 'Yes'
log_verbosity: '2' # [-1=disabled|0=Silent|1=Major|2=All]
logfile: '/var/log/messages.log'
logformat: 'Shorewall:%s:%s:'
loglimit: 's:1/sec:10'
startup_log: '/var/log/shorewall-init.log'
docker: 'No' # shorewall5 only
ip_forwarding: 'On' # [On|Off|Keep]
# default policies go here (if you wish to define them in the role)
shorewall_interfaces_default: []
shorewall_policies_default: []
shorewall_rules_default: []
shorewall_zones_default: []
## define possible overrides so we're not left with empty lists
# define in group_vars/all
shorewall_zones_all: []
shorewall_policies_all: []
shorewall_interfaces_all: []
shorewall_rules_all: []
# define in group_vars/groupname
shorewall_zones_group: []
shorewall_policies_group: []
shorewall_interfaces_group: []
shorewall_rules_group: []
# define in host_vars/hostname
shorewall_zones_host: []
shorewall_policies_host: []
shorewall_interfaces_host: []
shorewall_rules_host: []
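Review bot: `ip_forwarding: 'On'` at L86 turns on IP forwarding on every host by default, even though the templates shipped in this commit are the one-interface samples; `'Off'` (or `'Keep'`) is the safer baseline, with routing hosts opting in explicitly. Because `shorewall_config_opts` is a single mapping, an inventory override under Ansible's default `hash_behaviour=replace` swaps out the whole dict, so a host that sets only `startup_enabled` makes `shorewall.conf.j2` fail on every other key; either flatten the options into individual `shorewall_config_*` variables or merge user input with `combine()` in tasks before templating. The quoted `'Yes'`/`'No'`/`'On'` strings are correct here (unquoted they become YAML booleans), and a comment saying they must stay quoted in inventory would save users from that trap.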

11
handlers/main.yml Normal file

@@ -0,0 +1,11 @@
---
# validate config first
- name: restart shorewall
shell: shorewall check
notify: restart shorewall after check
- name: restart shorewall after check
service:
name: shorewall
state: restarted
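Review bot: The `shorewall check` at L117 runs only after tasks/main.yml has already overwritten /etc/shorewall, so a failing check leaves a broken configuration on disk that will refuse to start at the next boot while the stale ruleset keeps running; rendering into a staging directory and running `shorewall check <dir>` there before copying into place would keep bad config from ever landing. The task uses no shell features, so `command: shorewall check` avoids the extra shell layer. `state: restarted` at L122 also tears the ruleset down between stop and start; `state: reloaded` (or `command: shorewall reload`) keeps filtering in place during the change, if the host's init script supports it.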

73
meta/main.yml Normal file

@@ -0,0 +1,73 @@
---
galaxy_info:
author: Simon Weald
description: your description
company:
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: MIT
min_ansible_version: 1.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
ansigenome_info:
galaxy_id: ''
travis: False
synopsis: |
Describe your role in a few paragraphs....
usage: |
Describe how to use in more detail...
#custom: |
# Any custom output you want after the usage section..

41
tasks/main.yml Normal file

@@ -0,0 +1,41 @@
---
- name: shorewall_config | merge shorewall zones
set_fact:
shorewall_zones: "{{ shorewall_zones_host + shorewall_zones_group + shorewall_zones_all + shorewall_zones_default }}"
- name: shorewall_config | merge shorewall policies
set_fact:
shorewall_policies: "{{ shorewall_policies_host + shorewall_policies_group + shorewall_policies_all + shorewall_policies_default }}"
- name: shorewall_config | merge shorewall interfaces
set_fact:
shorewall_interfaces: "{{ shorewall_interfaces_host + shorewall_interfaces_group + shorewall_interfaces_all + shorewall_interfaces_default }}"
- name: shorewall_config | merge shorewall rules
set_fact:
shorewall_rules: "{{ shorewall_rules_host + shorewall_rules_group + shorewall_rules_all + shorewall_rules_default }}"
- name: shorewall_config | template Shorewall defaults
template:
src: etc/default/shorewall.j2
dest: /etc/default/shorewall
owner: root
group: root
mode: 0640
notify: restart shorewall
- name: shorewall_config | template Shorewall config
template:
src: "etc/shorewall/{{ item }}.j2"
dest: "/etc/shorewall/{{ item }}"
owner: root
group: root
mode: 0640
loop:
- shorewall.conf
- interfaces
- params
- policy
- rules
- zones
notify: restart shorewall
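Review bot: `loop:` at L222 needs Ansible 2.5 or newer, while meta/main.yml in this same commit declares `min_ansible_version: 1.2`; bump the minimum or use `with_items:` so the metadata is honest. The `mode: 0640` values at L213 and L221 are unquoted leading-zero integers that some YAML loaders read differently; Ansible's documented form is the string, `mode: '0640'`. Nothing in the role installs the shorewall package or enables the service, so on a fresh host the `shorewall check` handler simply fails after the files are written — either add a `package:` task or state the precondition in the README.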


@@ -0,0 +1,53 @@
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
{% if shorewall_config_opts['startup_enabled'] == 'Yes' %}
startup=1
{% elif shorewall_config_opts['startup_enabled'] == 'No' %}
startup=0
{% endif %}
# If your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall
# to wait until the interface is configured. Otherwise the script will fail
# because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
#
# Global start/restart options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RELOADOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
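Review bot: The `if`/`elif` at L236-L240 emits no `startup=` line at all when `startup_enabled` is anything but the exact strings `'Yes'` or `'No'` — for instance an unquoted `startup_enabled: Yes` in host_vars, which YAML turns into the boolean `True` — so the init script's own default silently decides whether the firewall starts; `{% if shorewall_config_opts['startup_enabled']|bool %}` / `startup=1` / `{% else %}` / `startup=0` / `{% endif %}` accepts both spellings and always writes a value. `SAFESTOP=0` at L276 means `shorewall stop` opens the host rather than placing it in the safe state; for a firewall role that is worth exposing as a variable (or defaulting to `1`) with a comment on the trade-off.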


@@ -0,0 +1,20 @@
#
# Shorewall - Sample shorewall_interfaces File for one-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
{% for interface in shorewall_interfaces %}
{{ interface['zone'] }} {{ interface['name'] }} {{ interface['options']|join(',') }}
{% endfor %}
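Review bot: `interface['options']|join(',')` at L299 aborts the render with an undefined-variable error for any interface entry that has no `options` key, even though Shorewall treats that column as optional; `{{ interface['zone'] }} {{ interface['name'] }} {{ interface['options']|default([])|join(',') }}` keeps rendering. Since hardening options such as `tcpflags,nosmurfs,routefilter,logmartians` only take effect when listed here, and the upstream one-interface sample this header was copied from typically sets them, the README should tell users to supply them per interface rather than assume they are inherited.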


@@ -0,0 +1,24 @@
#
# Shorewall -- /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################


@@ -0,0 +1,20 @@
#
# Shorewall - Sample Policy File for one-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
{% for policy in shorewall_policies %}
{{ policy['source'] }} {{ policy['dest'] }} {{ policy['policy'] }} {{ policy['log_level']|default('') }}
{% endfor %}
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
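Review bot: The hard-coded `all all REJECT info` at L351 is only the catch-all if none of the rendered policies above it already matches `all all`; with the merge order in tasks/main.yml a host-level `all all ACCEPT` silently shadows it, because Shorewall applies the first matching policy, so a template comment stating that is worth adding. `policy['log_level']|default('')` at L348 renders an empty LOG LEVEL column, meaning user-supplied DROP/REJECT policies go unlogged unless each one sets it explicitly. The LIMIT:BURST column is never rendered; `{{ policy['limit']|default('') }}` appended to L348 would make it available.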


@@ -0,0 +1,23 @@
#
# Shorewall - Sample Rules File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
{% for section in shorewall_rules %}
?SECTION {{ section.section }}
{% if section.rules is defined %}
{% for rule in section.rules %}
{{ rule.action }} {{ rule.source }} {{ rule.dest }} {{ rule.proto }} {{ rule.dest_ports|join (',') }}
{% endfor %}
{% endif %}
{% endfor %}
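Review bot: `rule.dest_ports|join (',')` and the bare `rule.proto` at L375 make any rule without ports — ICMP, a macro such as `Ping(ACCEPT)`, or a whole-protocol allow — abort the render instead of producing Shorewall's `-` placeholder; `{{ rule.action }} {{ rule.source }} {{ rule.dest }} {{ rule.proto|default('-') }} {{ rule.dest_ports|default(['-'])|join(',') }}` covers both. `section.section` at L372 is likewise unguarded, so an inventory entry missing it fails the same way. The SOURCE PORT and RATE LIMIT columns are dropped entirely, so a rate-limited SSH rule cannot be expressed; either document that or add them as optional columns with `|default('-')`.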


@@ -0,0 +1,288 @@
###############################################################################
#
# Shorewall - Sample shorewall.conf for one-interface
# configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED={{ shorewall_config_opts['startup_enabled'] }}
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY={{ shorewall_config_opts['verbosity'] }}
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS={{ shorewall_config_opts['log_martians'] }}
LOG_VERBOSITY={{ shorewall_config_opts['log_verbosity'] }}
LOGALLNEW=
LOGFILE={{ shorewall_config_opts['logfile'] }}
LOGFORMAT="{{ shorewall_config_opts['logformat'] }}"
LOGTAGONLY=No
LOGLIMIT="{{ shorewall_config_opts['loglimit'] }}"
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG={{ shorewall_config_opts['startup_log'] }}
TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
BASIC_FILTERS=No
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING={{ shorewall_config_opts['ip_forwarding'] }}
KEEP_RT_TABLES=No
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz"
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
REJECT_ACTION=
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZONE2ZONE=-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE
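Review bot: `DISABLE_IPV6=No` at L480, together with the absence of any shorewall6 configuration among the 15 files in this commit, means the role filters IPv4 only; on a dual-stack host every listening service is reachable over IPv6 unfiltered, which defeats the rules file. Until a matching `/etc/shorewall6` set is templated, expose `DISABLE_IPV6` as a `shorewall_config_opts` key and default it to `Yes`, with a comment that the mechanism (dropping via ip6tables versus disabling IPv6 on the interfaces) depends on the Shorewall version, so check the man page for the target release. The remaining templated scalars at L404-L427 and L493 are written unquoted, so the README should state that their inventory values must be quoted strings.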


@@ -0,0 +1,18 @@
#
# Shorewall - Sample Zones File for one-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
{% for zone in shorewall_zones %}
{{ zone.name }} {{ zone.type }}
{% endfor %}
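Review bot: The loop at L567-L569 renders only name and type, so the firewall zone (`fw` of type `firewall`) that Shorewall requires depends entirely on inventory; a host with empty `shorewall_zones_*` lists renders an empty zones file and only fails at `shorewall check` time, after the file has already been written. Seeding `shorewall_zones_default` in defaults/main.yml with `- {name: fw, type: firewall}` gives every host a valid base. The OPTIONS columns are dropped, so zone options such as `blacklist` or `nets=` cannot be expressed; `{{ zone.name }} {{ zone.type }} {{ zone.options|default('-') }}` would keep them available without changing existing inventories.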

2
tests/inventory Normal file

@@ -0,0 +1,2 @@
localhost

5
tests/test.yml Normal file

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- shorewall

2
vars/main.yml Normal file

@@ -0,0 +1,2 @@
---
# vars file for shorewall