Manage and configure the ferm firewall. Send separate configuration file per groups.
You may need to change ansible hash
from replace to merge .
- ferm package
- roles/ansible-role-ferm-firewall/defaults/main.yml
- this is used in case there is no ferm_rules defined any where else
Example configuration:
- group_vars/all/all
- this can have a ferm_rules defined - used on all hosts
- group_vars/group/group.yml
- this can have a ferm_rules_extra defined - used in addition to the ferm_rules
To configure ferm, you need to provide a key to associate a set of rules to a role/software. This way, rules splited in multiple var-files won't overwrite each other. By default, if domains isn't defined, it will apply rules to ip6 and ip domains. Configuration exemple:
---
# Your default ferm rules for all hosts
ferm_rules:
# Create a file in /etc/ferm/ferm.d/default.conf
default:
- chain: INPUT
rules:
- {rule: "policy DROP;", comment: "global policy"}
- {rule: "mod state state INVALID DROP;", comment: "connection tracking: drop"}
- {rule: "mod state state (ESTABLISHED RELATED) ACCEPT;", comment: "connection tracking"}
- {rule: "interface lo ACCEPT;", comment: "allow local packet"}
- {rule: "proto icmp ACCEPT;", comment: "respond to ping"}
- {rule: "proto tcp dport ssh ACCEPT;", comment: "allow SSH connections"}
# Different set of rules on ip / ip6
- chain: OUTPUT
domains:
- ip
rules:
- rule: "policy ACCEPT;"
comment: global policy
- chain: OUTPUT
domains:
- ip6
rules:
- rule: "policy DROP;"
comment: global policy ip6
- chain: FORWARD
domains: [ip, ip6]
rules:
- rule: "policy DROP;"
comment: global policy
- rule: "mod state state INVALID DROP;"
comment: "connection tracking: drop"
- rule: "mod state state (ESTABLISHED RELATED) ACCEPT;"
comment: "connection tracking"
- None
Ferm rules are hash instead of array. The main reason is to be able to merge hashes when configure same host with different roles.
Inventory:
[mongodb]
MachineA
[rabbitmq]
MachineA
Playbook:
---
- hosts: mongodb
vars:
- ferm_rules:
mongodb:
- chain: INPUT
rules:
- {rule: "proto tcp dport (27017) ACCEPT;", comment: "MongoDB mongo shard/repl servers"}
- {rule: "proto tcp dport (27701 27702 27703) ACCEPT;", comment: "MongoDB mongo configurati\
on servers" }
- {rule: "proto tcp dport (27801) ACCEPT;", comment: "MongoDB mongo router server (mongos)"\
}
roles:
- ferm-firewall
- hosts: kvm
vars:
- ferm_rules:
rabbitmq_nat:
- table: nat
chain: PREROUTING
rules:
- rule: "proto tcp dport 5672 DNAT to 192.168.0.2:5672"
comment: "nat rabbitmq to host"
- table: nat
chain: OUTPUT
rules:
- rule: "outerface lo proto tcp dport 5672 DNAT to 192.168.0.2:5672;"
- hosts: rabbitmq
vars:
- ferm_rules:
rabbitmq:
- chain: INPUT
domains: [ip]
rules:
- rule: "proto tcp dport (5672) ACCEPT;"
comment: "Rabbitmq-server"
roles:
- ferm-firewall
Result:
- /etc/ferm/ferm.d/mongodb.conf
domain (ip ip6) table filter {
chain INPUT {
# MongoDB mongo shard/repl servers
proto tcp dport (27017) ACCEPT;
# MongoDB mongo configuration servers
proto tcp dport (27701 27702 27703) ACCEPT;
# MongoDB mongo router server (mongos)
proto tcp dport (27801) ACCEPT;
}
}
- /etc/ferm/ferm.d/rabbitmq.conf
domain (ip ) table filter {
chain INPUT {
# Rabbitmq-server
proto tcp dport (5672) ACCEPT;
}
}
- /etc/ferm/ferm.d/rabbitmq_nat.conf
table nat {
chain PREROUTING {
# nat rabbitmq to host
proto tcp dport 5672 DNAT to 192.168.0.2:5672;
}
}
table nat {
chain OUTPUT {
# outerface rabbitmq
outerface lo proto tcp dport 5672 DNAT to 192.168.0.2:5672;
}
}
MIT