Role - tripleo-firewall¶
Role Documentation¶
Welcome to the “tripleo_firewall” role documentation.
Role Defaults¶
This section highlights all of the defaults and variables set within the “tripleo_firewall” role.
# All variables intended for modification should be placed in this file.
# All variables within this role should have a prefix of "tripleo_firewall"
# Example rule definition
#
# '003 accept ssh from all':
# proto: 'tcp'
# dport: 22
# '002 remove ssh from all':
# proto: 'tcp'
# dport: 22
# extras:
# ensure: 'absent'
tripleo_firewall_rules: {}
tripleo_firewall_frontend_enabled: false
tripleo_firewall_frontend_rules: {}
tripleo_firewall_ssl_frontend_enabled: false
tripleo_firewall_ssl_frontend_rules: {}
tripleo_firewall_edge_frontend_enabled: false
tripleo_firewall_edge_frontend_rules: {}
tripleo_firewall_edge_ssl_frontend_rules: {}
tripleo_firewall_default_rules:
000 accept related established rules:
proto: all
state:
- RELATED
- ESTABLISHED
001 accept all icmp:
ipversion: ipv4
proto: icmp
001 accept all ipv6-icmp:
ipversion: ipv6
proto: ipv6-icmp
002 accept all to lo interface:
proto: all
interface: lo
004 accept ipv6 dhcpv6:
ipversion: ipv6
dport: 546
proto: udp
state:
- NEW
destination: fe80::/64
998 log all:
proto: all
jump: LOG
limit: 20/min
limit_burst: 15
999 drop all:
proto: all
action: drop
Role Variables: main.yml¶
# All variables within this role should have a prefix of "tripleo_firewall"
# Converts the expected state options to functional states when
# interacting with ports.
tripleo_firewall_port_states:
enabled: present
present: present
absent: absent
disabled: absent
Role Variables: redhat.yml¶
# While options found within the vars/ path can be overridden using extra
# vars, items within this path are considered part of the role and not
# intended to be modified.
tripleo_firewall_packages:
- iptables-services
Molecule Scenarios¶
Molecule is being used to test the “tripleo_firewall” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
Scenario: firewall-remove-complex¶
Molecule Inventory¶
hosts:
all:
hosts:
instance:
ansible_host: localhost
Example firewall-remove-complex playbook¶
- name: Converge
hosts: all
roles:
- role: tripleo_firewall
tripleo_firewall_rules:
003 accept ftp from all:
proto: tcp
dport: '21'
extras:
ensure: absent
003 accept custom from all:
proto: udp
dport:
- '2121'
- 2122
- 2123
- 2200-2210
extras:
ensure: absent
chain: OUTPUT
003 accept custom tcp from all:
proto: tcp
dport:
- 12121
- 12122
- 12123
- 12200-12210
extras:
ensure: absent
chain: test-chain
004 gre networks:
proto: gre
extras:
ensure: absent
005 vrrp networks:
proto: vrrp
extras:
ensure: absent
006 neutron-test:
dport: 2211
extras:
ensure: absent
006 ironic-inspector:
dport: 2212
extras:
ensure: absent
124 snmp:
dport: 2212
source: 192.168.24.1/24
extras:
ensure: absent
125 snmp:
dport: 2212
destination: '::'
extras:
ensure: absent
Scenario: default¶
Molecule Inventory¶
hosts:
all:
hosts:
instance:
ansible_host: localhost
Example default playbook¶
- name: Converge
hosts: all
roles:
- role: tripleo_firewall
Scenario: firewall-masquerade¶
Molecule Inventory¶
hosts:
all:
hosts:
instance:
ansible_host: localhost
Example firewall-masquerade playbook¶
- name: Converge
hosts: all
vars:
tripleo_masquerade_networks:
10.10.0.0/24:
- 10.10.0.0/24
- 10.10.1.0/24
roles:
- role: tripleo_firewall
Scenario: firewall-add¶
Molecule Inventory¶
hosts:
all:
hosts:
instance:
ansible_host: localhost
Example firewall-add playbook¶
- name: Converge
hosts: all
roles:
- role: tripleo_firewall
tripleo_firewall_rules:
003 accept ftp from all:
proto: tcp
dport: 21
Scenario: firewall-add-complex¶
Molecule Inventory¶
hosts:
all:
hosts:
instance:
ansible_host: localhost
Example firewall-add-complex playbook¶
- name: Converge
hosts: all
roles:
- role: tripleo_firewall
tripleo_firewall_rules:
003 accept ftp from all:
proto: tcp
dport: '21'
003 accept custom from all:
proto: udp
dport:
- '2121'
- 2122
- 2123
- 2200-2210
chain: OUTPUT
003 accept custom tcp from all:
proto: tcp
dport:
- 12121
- 12122
- 12123
- 12200-12210
chain: test-chain
004 gre networks:
proto: gre
005 vrrp networks:
proto: vrrp
006 neutron-test:
dport: 2211
006 ironic-inspector:
dport: 2212
124 snmp:
dport: 2212
source: 192.168.24.1/24
chain: test-chain2
125 snmp:
dport: 2212
destination: '::'
chain: test-chain2