diff --git a/.README.html b/.README.html index 0ac8a4e4..0fcfc865 100644 --- a/.README.html +++ b/.README.html @@ -187,6 +187,11 @@
default without detailed parameter set to true
"default": {
+class="sourceCode json">"default": {
"zones": ["public",...],
"services": ["amanda_client",...],
"icmptypes": [...],
@@ -321,7 +326,7 @@ default
}default when parameter set to true
"default": {
+class="sourceCode json">"default": {
"zones": {
"public": {
...
@@ -362,7 +367,7 @@ custom
Below is the state of the custom subdictionary where at least one
permanent change was made to each setting:
"custom": {
+class="sourceCode json">"custom": {
"zones": {
"custom_zone": {
...
@@ -542,7 +547,12 @@ ipset
source to add and remove ipsets from a zone
When creating an ipset, you must also specify
ipset_type, and optionally short,
-description, ipset_entries
+description, ipset_entries and
+ipset_options.
+NOTE: You cannot mix IPv4, IPv6, and MAC addresses
+in the same ipset_entries list. All addresses must be the
+same IP type. This is a limitation of the underlying firewalld
+implementation.
Defining an ipset with all optional fields:
firewall:
@@ -556,72 +566,119 @@ ipset
- 3.3.3.3
- 8.8.8.8
- 127.0.0.1
- state: present
- permanent: true
-Adding an entry to an existing ipset
+ ipset_options:
+ maxelem: 1000
+ state: present
+ permanent: true
+Defining an ipset with IPv6 addresses:
firewall:
- ipset: customipset
- ipset_entries:
- - 127.0.0.2
- state: present
- permanent: true
-Changing the short and description of an ipset
+ ipset_type: "hash:ip"
+ short: Custom IPSet
+ description: set of ip addresses specified in entries
+ ipset_entries:
+ - 2001:db8::/32
+ ipset_options:
+ maxelem: 1000
+ state: present
+ permanent: trueAdding an entry to an existing ipset
firewall:
- ipset: customipset
- short: Custom
- description: Set of IPv4 addresses
+ ipset_entries:
+ - 127.0.0.2
state: present
permanent: trueRemoving entries from an ipset
+Changing the short and description of an ipset
firewall:
- ipset: customipset
- ipset_entries:
- - 127.0.0.1
- - 127.0.0.2
- state: absent
- permanent: trueRemoving an ipset
+ short: Custom + description: Set of IPv4 addresses + state: present + permanent: true +Removing entries from an ipset
firewall:
- ipset: customipset
- state: absent
- permanent: trueRemoving an ipset
+firewall:
+ - ipset: customipset
+ state: absent
+ permanent: truePort or port range or a list of them to add or remove inbound access
to. It needs to be in the format
<port>[-<port>]/<protocol>.
port: '443/tcp'
-port: ['443/tcp','443/udp']port: '443/tcp'
+port: ['443/tcp','443/udp']Type of ipset being defined. Used with ipset.
For a list of available ipset types, run
firewall-cmd --get-ipset-types, there is no method to get
supported types from this role.
ipset: customipset
-ipset_type: hash:macipset: customipset
+ipset_type: hash:macSee ipset for more usage information
List of addresses to add or remove from an ipset Used with
ipset
Entries must be compatible with the ipset type of the
ipset being created or modified.
ipset: customipset
-ipset_entries:
- - 127.0.0.1NOTE: You cannot mix IPv4, IPv6, and MAC addresses
+in the same ipset_entries list. All addresses must be the
+same IP type. This is a limitation of the underlying firewalld
+implementation.
ipset: customipset
+ipset_entries:
+ - 127.0.0.1See ipset for more usage information
A dict of key/value pairs of ipset options for the given
+ipset. See firewalld
+ipset options for more information.
You usually do not have to specify the family. The role will default
+to family: inet if ipset_entries contains IPv4
+addresses, and will default to family: inet6 if
+ipset_entries contains IPv6 addresses
ipset_options:
+ maxelem: 1000
+ hashsize: 512NOTE: Options cannot be modified or removed if
+running the role during a container or image build (e.g. in a
+bootc Containerfile).
If you want to remove an option, set state: absent, and
+set the option value to null:
state: absent
+ipset_options:
+ maxelem: nullThis will remove the maxelem option. If you specify a
+value, then the role will only remove that option if it matches the
+value. This is useful if you want to ensure that the value you are
+removing is the expected value, and has not be changed outside of the
+role.
Port or port range or a list of them to add or remove source port
access to. It needs to be in the format
<port>[-<port>]/<protocol>.
source_port: '443/tcp'
-source_port: ['443/tcp','443/udp']source_port: '443/tcp'
+source_port: ['443/tcp','443/udp']Add or remove port forwarding for ports or port ranges for a zone. It takes two different formats:
@@ -632,53 +689,53 @@ansible.posix.firewalld:forward_port:
- port: <port>
- proto: <protocol>
- [toport: <to-port>]
- [toaddr: <to-addr>]forward_port:
+ port: <port>
+ proto: <protocol>
+ [toport: <to-port>]
+ [toaddr: <to-addr>]examples
-forward_port: '447/tcp;;1.2.3.4'
-forward_port: ['447/tcp;;1.2.3.4','448/tcp;;1.2.3.5']
-forward_port:
- - 447/tcp;;1.2.3.4
- - 448/tcp;;1.2.3.5
-forward_port:
- - port: 447
- proto: tcp
- toaddr: 1.2.3.4
- - port: 448
- proto: tcp
- toaddr: 1.2.3.5forward_port: '447/tcp;;1.2.3.4'
+forward_port: ['447/tcp;;1.2.3.4','448/tcp;;1.2.3.5']
+forward_port:
+ - 447/tcp;;1.2.3.4
+ - 448/tcp;;1.2.3.5
+forward_port:
+ - port: 447
+ proto: tcp
+ toaddr: 1.2.3.4
+ - port: 448
+ proto: tcp
+ toaddr: 1.2.3.5port_forward is an alias for forward_port.
Its use is deprecated and will be removed in an upcoming release.
Enable or disable masquerade on the given zone.
-masquerade: falsemasquerade: falseString or list of rich rule strings. For the format see (Syntax for firewalld rich language rules)[https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html]
-rich_rule: rule service name="ftp" audit limit value="1/m" acceptrich_rule: rule service name="ftp" audit limit value="1/m" acceptList of source address address range strings, or ipsets. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number.
-source: 192.0.2.0/24source: 192.0.2.0/24Ipsets are used with this option by prefixing "ipset:" to the name of the ipset
-source: ipset:ipsetnamesource: ipset:ipsetnameString or list of interface name strings.
-interface: eth2interface: eth2This role handles interface arguments similar to how firewalld's cli,
firewall-cmd does, i.e. manages the interface through
NetworkManager if possible, and handles the interface binding purely
@@ -707,9 +764,9 @@
# PCI id for Intel Corporation Ethernet Connection
-interface_pci_id: 8086:15d7# PCI id for Intel Corporation Ethernet Connection
+interface_pci_id: 8086:15d7Only accepts PCI devices IDs that correspond to a named network interface, and converts all PCI device IDs to their respective logical interface names.
@@ -724,31 +781,31 @@String or list of ICMP type strings to block. The ICMP type names needs to be defined in firewalld configuration.
-icmp_block: echo-requesticmp_block: echo-requestICMP block inversion bool setting. It enables or disables inversion of ICMP blocks for a zone in firewalld.
-icmp_block_inversion: trueicmp_block_inversion: trueThe firewalld zone target. If the state is set to
absent,this will reset the target to default. Valid values
are "default", "ACCEPT", "DROP", "%%REJECT%%".
target: ACCEPTtarget: ACCEPTShort description, only usable when defining or modifying a service
or ipset. See service or ipset for more usage
information.
short: Short Descriptionshort: Short DescriptionDescription for a service, only usable when adding a new service or
modifying an existing service. See service or
ipset for more information
description: Your description goes heredescription: Your description goes herelist of destination addresses, option only implemented for user-defined services. Takes 0-2 addresses, allowing for one IPv4 @@ -759,16 +816,16 @@
destination:
- - 1.1.1.0/24
- - AAAA::AAAA:AAAAdestination:
+ - 1.1.1.0/24
+ - AAAA::AAAA:AAAAName of a connection tracking helper supported by firewalld.
-# Both properly specify nf_conntrack_ftp
-helper_module: ftp
-helper_module: nf_conntrack_ftp# Both properly specify nf_conntrack_ftp
+helper_module: ftp
+helper_module: nf_conntrack_ftpName of one or more services to specify in an includes
in a service definition. The includes directive is
@@ -777,10 +834,10 @@
includes support is only available in EL8 and
higher.
-includes:
- - https
- - ldapsincludes:
+ - https
+ - ldapsThe amount of time in seconds a setting is in effect. The timeout is usable if
@@ -790,24 +847,24 @@timeout: 60
-state: enabled
-service: httpstimeout: 60
+state: enabled
+service: httpsEnable or disable the entry.
-state: 'enabled' | 'disabled' | 'present' | 'absent'state: 'enabled' | 'disabled' | 'present' | 'absent'NOTE: present and absent are only used for
zone, target, and service
operations, and cannot be used for any other operation.
NOTE: zone - use state: present to add a
zone, and state: absent to remove a zone, when zone is the
only variable e.g.
firewall:
- - zone: my-new-zone
- state: presentfirewall:
+ - zone: my-new-zone
+ state: presentNOTE: target - you can also use
state: present to add a target - state: absent
will reset the target to the default.
Enable changes in runtime configuration. If runtime
parameter is not provided, the default will be set to
True.
runtime: trueruntime: trueEnable changes in permanent configuration. If permanent
parameter is not provided, the default will be set to
True.
permanent: truepermanent: trueThe permanent and runtime settings are independent, so you can set
only the runtime, or only the permanent. You cannot set both permanent
and runtime to false.
firewall_transactional_update_reboot_ok: truefirewall_transactional_update_reboot_ok: trueBy default, any changes will be applied immediately, and to the permanent settings. If you want the changes to apply immediately but not @@ -859,126 +916,126 @@
runtime: false.
Permit TCP traffic for port 80 in default zone, in addition to any existing configuration:
-firewall:
- - port: 80/tcp
- state: enabledRemove all existing firewall configuration, and permit TCP traffic -for port 80 in default zone:
-firewall:
- - previous: replaced
- - port: 80/tcp
- state: enabledDo not permit TCP traffic for port 80 in default zone:
-firewall:
- - port: 80/tcp
- state: disabledAdd masquerading to dmz zone:
firewall:
- - masquerade: true
- zone: dmz
- state: enabledRemove masquerading to dmz zone:
+ - port: 80/tcp + state: enabled +Remove all existing firewall configuration, and permit TCP traffic +for port 80 in default zone:
firewall:
- - masquerade: false
- zone: dmz
+ - previous: replaced
+ - port: 80/tcp
state: enabledAllow interface eth2 in trusted zone:
+Do not permit TCP traffic for port 80 in default zone:
firewall:
- - interface: eth2
- zone: trusted
- state: enabledDon't allow interface eth2 in trusted zone:
+ - port: 80/tcp + state: disabled +Add masquerading to dmz zone:
firewall:
- - interface: eth2
- zone: trusted
- state: disabledPermit traffic in default zone for https service:
+ - masquerade: true + zone: dmz + state: enabled +Remove masquerading to dmz zone:
firewall:
- - service: https
- state: enabledDo not permit traffic in default zone for https service:
+ - masquerade: false + zone: dmz + state: enabled +Allow interface eth2 in trusted zone:
firewall:
- - service: https
- state: disabledAllow interface with PCI device ID '8086:15d7' in dmz zone
+ - interface: eth2 + zone: trusted + state: enabled +Don't allow interface eth2 in trusted zone:
firewall:
- - zone: dmz
- interface_pci_id: 8086:15d7
- state: enabledErase all existing configuration, and enable ssh service:
+ - interface: eth2 + zone: trusted + state: disabled +Permit traffic in default zone for https service:
---
-- name: Erase existing config and enable ssh service
- hosts: myhost
-
- vars:
- firewall:
- - previous: replaced
- - service: ssh
- state: enabled
- roles:
- - linux-system-roles.firewallWith this playbook you can make sure that the tftp service is -disabled in the firewall:
+class="sourceCode yaml">firewall:
+ - service: https
+ state: enabled
+Do not permit traffic in default zone for https service:
---
-- name: Make sure tftp service is disabled
- hosts: myhost
-
- vars:
- firewall:
- - service: tftp
- state: disabled
- roles:
- - linux-system-roles.firewallIt is also possible to combine several settings into blocks:
+class="sourceCode yaml">firewall:
+ - service: https
+ state: disabled
+Allow interface with PCI device ID '8086:15d7' in dmz zone
---
-- name: Configure firewall
- hosts: myhost
-
- vars:
- firewall:
- - {service: [tftp,ftp],
- port: ['443/tcp','443/udp'],
- state: enabled}
- - {forward_port: [eth2;447/tcp;;1.2.3.4,
- eth2;448/tcp;;1.2.3.5],
- state: enabled}
- - {zone: internal, service: tftp, state: enabled}
- - {service: tftp, state: enabled}
- - {port: '443/tcp', state: enabled}
- - {forward_port: 'eth0;445/tcp;;1.2.3.4', state: enabled}
- roles:
- - linux-system-roles.firewallThe block with several services, ports, etc. will be applied at once. -If there is something wrong in the block it will fail as a whole.
+class="sourceCode yaml">firewall:
+ - zone: dmz
+ interface_pci_id: 8086:15d7
+ state: enabled
+Erase all existing configuration, and enable ssh service:
---
-- name: Configure external zone in firewall
+- name: Erase existing config and enable ssh service
hosts: myhost
vars:
firewall:
- - {zone: external,
- service: [tftp,ftp],
- port: ['443/tcp','443/udp'],
- forward_port: ['447/tcp;;1.2.3.4',
- '448/tcp;;1.2.3.5'],
- state: enabled}
- roles:
- - linux-system-roles.firewallWith this playbook you can make sure that the tftp service is +disabled in the firewall:
+---
+- name: Make sure tftp service is disabled
+ hosts: myhost
+
+ vars:
+ firewall:
+ - service: tftp
+ state: disabled
+ roles:
+ - linux-system-roles.firewallIt is also possible to combine several settings into blocks:
+---
+- name: Configure firewall
+ hosts: myhost
+
+ vars:
+ firewall:
+ - {service: [tftp,ftp],
+ port: ['443/tcp','443/udp'],
+ state: enabled}
+ - {forward_port: [eth2;447/tcp;;1.2.3.4,
+ eth2;448/tcp;;1.2.3.5],
+ state: enabled}
+ - {zone: internal, service: tftp, state: enabled}
+ - {service: tftp, state: enabled}
+ - {port: '443/tcp', state: enabled}
+ - {forward_port: 'eth0;445/tcp;;1.2.3.4', state: enabled}
+ roles:
+ - linux-system-roles.firewallThe block with several services, ports, etc. will be applied at once. +If there is something wrong in the block it will fail as a whole.
+---
+- name: Configure external zone in firewall
+ hosts: myhost
+
+ vars:
+ firewall:
+ - {zone: external,
+ service: [tftp,ftp],
+ port: ['443/tcp','443/udp'],
+ forward_port: ['447/tcp;;1.2.3.4',
+ '448/tcp;;1.2.3.5'],
+ state: enabled}
+ roles:
+ - linux-system-roles.firewallSee README-ostree.md