shorewall_simple
Warning: this role is dangerous to use. If you lose network connectivity to the target host by misconfiguring the firewall, you may not be able to recover without physical access to the machine.
This role installs and configures Shorewall for a simple server with a single network interface (which can of course be a bond).
Requirements
This role requires Ansible 1.4 or higher; the platform requirements are listed in the metadata file.
Role Variables
The variables that can be passed to this role, with a brief description of each, are listed below. They all map directly onto the settings in Shorewall's own configuration files.
```yaml
shorewall_enabled: "Yes"
shorewall_startup: 1
shorewall_wait_interface: "eth0"
shorewall_options: ""
shorewall_startoptions: ""
shorewall_restartoptions: ""
shorewall_initlog: "/var/log/shorewall_init.log"
shorewall_safestop: 0
shorewall_zones:
  - zone: "fw"
    type: "firewall"
  - zone: "net"
    type: "ipv4"
    options: "-"
    options_in: "strict"
    options_out: "-"
shorewall_interfaces:
  - interface: "eth0"
    zone: "net"
    broadcast: "detect"
    options: "dhcp,tcpflags,nosmurfs,logmartians"
shorewall_policies:
  - source: "$FW"
    destination: "net"
    policy: "ACCEPT"
  - source: "net"
    destination: "$FW"
    policy: "ACCEPT"
  - source: "all"
    destination: "all"
    policy: "DROP"
    log_level: "info"
    burst_limit: "10/second:100"
shorewall_rules:
  - section: "NEW"
    rules:
      - action: "ACCEPT"
        source: "net"
        destination: "$FW"
        protocol: "tcp"
        destination_port: 22
        source_port: "-"
        original_destination: "-"
        rate_limit: "-"
        user_group: "-"
        mark: "-"
        connection_limit: "-"
        time: "-"
        headers: "-"
        switch: "-"
```
Examples
Example that allows all traffic in and out:
```yaml
- hosts: all
  roles:
    - role: shorewall_simple
      shorewall_enabled: "Yes"
      shorewall_zones:
        - zone: "fw"
          type: "firewall"
        - zone: "net"
          type: "ipv4"
      shorewall_interfaces:
        - interface: "eth0"
          zone: "net"
          broadcast: "detect"
          options: "dhcp,tcpflags,nosmurfs,logmartians"
      shorewall_policies:
        - source: "all"
          destination: "all"
          policy: "ACCEPT"
```
Example that allows all outgoing traffic, drops and logs incoming traffic, but allows incoming SSH and accepts ping:
```yaml
- hosts: all
  roles:
    - role: shorewall_simple
      shorewall_enabled: "Yes"
      shorewall_zones:
        - zone: "fw"
          type: "firewall"
        - zone: "net"
          type: "ipv4"
      shorewall_interfaces:
        - interface: "eth0"
          zone: "net"
          broadcast: "detect"
          options: "dhcp,tcpflags,nosmurfs,logmartians"
      shorewall_policies:
        - source: "$FW"
          destination: "net"
          policy: "ACCEPT"
        - source: "net"
          destination: "$FW"
          policy: "DROP"
          log_level: "info"
        - source: "all"
          destination: "all"
          policy: "DROP"
      shorewall_rules:
        - section: "NEW"
          rules:
            - action: "Ping/ACCEPT"
              source: "net"
              destination: "$FW"
            - action: "ACCEPT"
              source: "net"
              destination: "$FW"
              protocol: "tcp"
              destination_port: 22
```
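As an added example (not part of the role), a small Python pre-flight check that renders the role's shorewall_policies and shorewall_rules variables into the column layout of Shorewall's policy and rules files and flags the lockout the warning at the top describes: a play that drops net to $FW traffic without an ACCEPT rule for SSH. The variable keys and sample values are taken from this README; the rendering, the `?SECTION` header syntax (Shorewall 4.6+) and the check itself are assumptions of this example.

```python
"""Pre-flight lockout check for shorewall_simple variables (added example, not the role's code)."""

# Constructed sample: the README's second example (SSH and ping in, everything else dropped).
SAMPLE_VARS = {
    "shorewall_policies": [
        {"source": "$FW", "destination": "net", "policy": "ACCEPT"},
        {"source": "net", "destination": "$FW", "policy": "DROP", "log_level": "info"},
        {"source": "all", "destination": "all", "policy": "DROP"},
    ],
    "shorewall_rules": [{"section": "NEW", "rules": [
        {"action": "Ping/ACCEPT", "source": "net", "destination": "$FW"},
        {"action": "ACCEPT", "source": "net", "destination": "$FW",
         "protocol": "tcp", "destination_port": 22},
    ]}],
}

# Role variable keys in the column order of Shorewall's policy and rules files.
POLICY_COLUMNS = ["source", "destination", "policy", "log_level", "burst_limit"]
RULE_COLUMNS = ["action", "source", "destination", "protocol", "destination_port",
                "source_port", "original_destination", "rate_limit", "user_group",
                "mark", "connection_limit", "time", "headers", "switch"]

def render_policy(vars_):
    """Policy file lines (first match wins); '-' marks an unset column."""
    return "\n".join("\t".join(str(p.get(c, "-")) for c in POLICY_COLUMNS)
                     for p in vars_["shorewall_policies"])

def render_rules(vars_):
    """Rules file lines; '?SECTION' is the Shorewall 4.6+ syntax (an assumption here)."""
    lines = []
    for sec in vars_.get("shorewall_rules", []):
        lines.append("?SECTION " + sec["section"])
        lines.extend("\t".join(str(r.get(c, "-")) for c in RULE_COLUMNS) for r in sec["rules"])
    return "\n".join(lines)

def _covers(entry, src, dst):
    return entry.get("source") in (src, "all") and entry.get("destination") in (dst, "all")

def ssh_lockout_risk(vars_, port=22):
    """True if inbound SSH would be dropped: rules are evaluated before policies, so an
    ACCEPT rule for tcp/port suffices; otherwise the first net->$FW policy must be ACCEPT."""
    for sec in vars_.get("shorewall_rules", []):
        for r in sec["rules"]:
            if (r.get("action") == "ACCEPT" and r.get("protocol") == "tcp" and _covers(r, "net", "$FW")
                    and str(port) in str(r.get("destination_port", "")).split(",")):
                return False
    for p in vars_["shorewall_policies"]:
        if _covers(p, "net", "$FW"):
            return p["policy"] != "ACCEPT"
    return True  # nothing covers net->$FW; treat as unsafe
```

Run `ssh_lockout_risk` against a play's variables before the play is applied; a True result means the host would be unreachable over SSH once the firewall starts.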
Dependencies
All systems:
- iptables
Red Hat based distributions:
- EPEL
License
BSD
Author Information
Philippe Dellaert