0

shorewall_simple

在基于Debian/CentOS的发行版的简单环境中设置和配置Shorewall的ansible角色。(An ansible role to setup and configure a Shorewall in a simple environment under Debian/CentOS based distro's.)

Github 資源庫
主要指標

Github星跟蹤圖

shorewall_simple

警告:此角色使用起来很危险。 如果通过错误配置防火墙而丢失与目标主机的网络连接,则可能无法在没有对计算机进行物理访问的情况下进行恢复。

此角色为Shorewall安装和配置一个简单的单一网络接口(当然可以是绑定)服务器。

要求

此角色需要Ansible 1.4或更高版本,并且元数据文件中列出了平台要求。

角色变量

可以传递给此角色的变量以及有关它们的简要说明如下。 这些都基于Shorewall配置的配置变量。 

shorewall_enabled: "Yes"
shorewall_startup: 1
shorewall_wait_interface: "eth0"
shorewall_options: ""
shorewall_startoptions: ""
shorewall_restartoptions: ""
shorewall_initlog: "/var/log/shorewall_init.log"
shorewall_safestop: 0
shorewall_zones:
- zone: "fw"
  type: "firewall"
- zone: "net"
  type: "ipv4"
  options="-"
  options_in="strict"
  options_out="-"
shorewall_interfaces: 
- interface: "eth0"
  zone: "net"
  broadcast: "detect"
  options: "dhcp,tcpflags,nosmurfs,logmartians"
shorewall_policies:
- source: "$FW"
  destination: "net"
  policy: "ACCEPT"
- source: "net"
  destination: "$FW"
  policy: "ACCEPT"
- source: "all"
  destination: "all"
  policy: "DROP"
  log_level: "info"
  burst_limit: "10/second:100"
shorewall_rules:
- section: "NEW"
  rules:
  - action: "ACCEPT"
    source: "net"
    destination: "$FW"
    protocol: "tcp"
    destination_port: 22
    source_port: "-"
    original_destination: "-"
    rate_limit: "-"
    user_group: "-"
    mark: "-"
    connection_limit: "-"
    time: "-"
    headers: "-"
    switch: "-"

示例

  1. 允许所有流量进出的示例
    • hosts: all
      • roles:
        • role: shorewall_simple shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw" type: "firewall"
          • zone: "net" type: "ipv4" shorewall_interfaces:
          • interface: "eth0" zone: "net" broadcast: "detect" options: "dhcp,tcpflags,nosmurfs,logmartians" shorewall_policies:
          • source: "all" destination: "all" policy: "ACCEPT"
  2. 允许所有传出流量但阻止传入流量并记录它的示例,但允许传入的SSH流量并接受Ping
    • hosts: all
      • roles:
        • role: shorewall_simple shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw" type: "firewall"
          • zone: "net" type: "ipv4" shorewall_interfaces:
          • interface: "eth0" zone: "net" broadcast: "detect" options: "dhcp,tcpflags,nosmurfs,logmartians" shorewall_policies:
          • source: "$FW" destination: "net" policy: "ACCEPT"
          • source: "net" destination: "$FW" policy: "DROP" log_level: "info"
          • source: "all" destination: "all" policy: "DROP" shorewall_rules:
          • section: "NEW" rules:
            • action: "Ping/ACCEPT" source: "net" destination: "$FW"
            • action: "ACCEPT" source: "net" destination: "$FW" protocol: "tcp" destination_port: 22

依赖关系

所有系统:

  • iptables

基于Red Hat的发行版:

  • EPEL

许可证

BSD

作者信息

Philippe Dellaert

主要指標

概覽
名稱與所有者pdellaert/shorewall_simple
主編程語言
編程語言 (語言數: 0)
平台Linux
許可證BSD 4-Clause "Original" or "Old" License
所有者活动
創建於2013-12-22 05:49:16
推送於2016-05-21 04:40:36
最后一次提交2015-11-16 23:02:36
發布數0
用户参与
星數9
關注者數2
派生數10
提交數3
已啟用問題?
問題數0
打開的問題數0
拉請求數1
打開的拉請求數0
關閉的拉請求數1
项目设置
已啟用Wiki?
已存檔?
是復刻?
已鎖定?
是鏡像?
是私有?

shorewall_simple

WARNING: This role can be dangerous to use. If you lose network connectivity
to your target host by incorrectly configuring your firewall, you may be
unable to recover without physical access to the machine.

This role installs and configures Shorewall for a simple, single network interface (can be a bond, of course) server.

Requirements

This role requires Ansible 1.4 or higher and platform requirements are listed
in the metadata file.

Role Variables

The variables that can be passed to this role and a brief description about
them are as follows. These are all based on the configuration variables of the
Shorewall configuration.

shorewall_enabled: "Yes"
shorewall_startup: 1
shorewall_wait_interface: "eth0"
shorewall_options: ""
shorewall_startoptions: ""
shorewall_restartoptions: ""
shorewall_initlog: "/var/log/shorewall_init.log"
shorewall_safestop: 0

shorewall_zones:
- zone: "fw"
  type: "firewall"
- zone: "net"
  type: "ipv4"
  options="-"
  options_in="strict"
  options_out="-"

shorewall_interfaces: 
- interface: "eth0"
  zone: "net"
  broadcast: "detect"
  options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
- source: "$FW"
  destination: "net"
  policy: "ACCEPT"
- source: "net"
  destination: "$FW"
  policy: "ACCEPT"
- source: "all"
  destination: "all"
  policy: "DROP"
  log_level: "info"
  burst_limit: "10/second:100"

shorewall_rules:
- section: "NEW"
  rules:
  - action: "ACCEPT"
    source: "net"
    destination: "$FW"
    protocol: "tcp"
    destination_port: 22
    source_port: "-"
    original_destination: "-"
    rate_limit: "-"
    user_group: "-"
    mark: "-"
    connection_limit: "-"
    time: "-"
    headers: "-"
    switch: "-"

Examples

  1. Example allowing all traffic in and out

    • hosts: all
      • roles:
        • role: shorewall_simple
          shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw"
            type: "firewall"
          • zone: "net"
            type: "ipv4"
            shorewall_interfaces:
          • interface: "eth0"
            zone: "net"
            broadcast: "detect"
            options: "dhcp,tcpflags,nosmurfs,logmartians"
            shorewall_policies:
          • source: "all"
            destination: "all"
            policy: "ACCEPT"

  2. Example allowing all outgoing traffic but block incomming traffic and log
    it, but allow incomming SSH traffic and accept Ping

    • hosts: all
      • roles:
        • role: shorewall_simple
          shorewall_enabled: "Yes"
          shorewall_zones:
          • zone: "fw"
            type: "firewall"
          • zone: "net"
            type: "ipv4"
            shorewall_interfaces:
          • interface: "eth0"
            zone: "net"
            broadcast: "detect"
            options: "dhcp,tcpflags,nosmurfs,logmartians"
            shorewall_policies:
          • source: "$FW"
            destination: "net"
            policy: "ACCEPT"
          • source: "net"
            destination: "$FW"
            policy: "DROP"
            log_level: "info"
          • source: "all"
            destination: "all"
            policy: "DROP"
            shorewall_rules:
          • section: "NEW"
            rules:
            • action: "Ping/ACCEPT"
              source: "net"
              destination: "$FW"
            • action: "ACCEPT"
              source: "net"
              destination: "$FW"
              protocol: "tcp"
              destination_port: 22

Dependencies

All systems:

  • iptables

Red Hat based distributions:

  • EPEL

License

BSD

Author Information

Philippe Dellaert