---
- name: packages
  # Install the ferm package set. Recommends are skipped so only what the role
  # asks for lands on the host; apt-get is forced over aptitude.
  apt:
    name: "{{ ferm_packages }}"
    state: present
    install_recommends: false
    force_apt_get: true
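- name: configuration
  # Render the main ferm configuration. Ownership and mode are pinned so the
  # firewall policy is not world-readable; ferm runs as root, so 0640 root:root
  # is sufficient. A changed file triggers the "restart ferm" handler.
  # NOTE(review): ferm has a --noexec (parse only) mode; a
  # `validate: "ferm --noexec %s"` here would reject a broken template before
  # the handler restarts the firewall. Confirm first that relative @include
  # paths in ferm.conf.j2 still resolve when parsed from the temp file path.
  notify: restart ferm
  template:
    src: ferm.conf.j2
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
    backup: true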
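- name: global
  # Write the caller's global ferm settings as one drop-in file. The content
  # is copied verbatim (no escaping), so ferm_global_settings is trusted
  # playbook input. ferm_rules_filename is used as-is in the path and must be
  # a plain basename. Mode 0640 root:root keeps the policy unreadable to
  # unprivileged local users; ferm runs as root.
  when: ferm_global_settings | d(false)
  notify: restart ferm
  copy:
    dest: "/etc/ferm/ferm.d/{{ ferm_rules_filename }}.conf"
    owner: root
    group: root
    mode: "0640"
    content: "{{ ferm_global_settings }}"
- name: global (remove stale settings file)
  # Without this, unsetting ferm_global_settings would leave the previously
  # written drop-in on disk and its settings would stay in effect.
  when: not (ferm_global_settings | d(false))
  notify: restart ferm
  file:
    path: "/etc/ferm/ferm.d/{{ ferm_rules_filename }}.conf"
    state: absent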
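- name: directories
  # Drop-in directories the rule tasks below write into. Ownership and mode
  # are pinned explicitly instead of relying on the remote umask; the rule
  # files created inside are 0640, the directories stay traversable.
  # NOTE(review): the "global" task above already writes into
  # /etc/ferm/ferm.d/ before this task runs, so that directory is assumed to
  # exist already (presumably shipped by the ferm package); it is listed here
  # to pin its ownership and mode, not to create it in time for that task.
  loop:
    - /etc/ferm/ferm.d
    - /etc/ferm/input.d
    - /etc/ferm/output.d
    - /etc/ferm/forward.d
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"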
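- name: input
  # Each entry of ferm_input_rules becomes one ferm rule in the INPUT drop-in.
  # Values are interpolated verbatim into ferm syntax (no escaping), so the
  # rule variables are trusted playbook input; saddr/daddr/proto/dport/sport
  # are expected to be lists (they go through join). A rule without "policy"
  # is emitted as ACCEPT - set policy explicitly for anything that should
  # DROP or REJECT. ferm_rules_filename must be a plain basename.
  when: ferm_input_rules | length > 0
  notify: restart ferm
  copy:
    dest: "/etc/ferm/input.d/{{ ferm_rules_filename }}.conf"
    owner: root
    group: root
    mode: "0640"
    content: |
      {% for rule in ferm_input_rules %}
      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
      {% endfor %}
- name: input (remove stale rules file)
  # When the rule list is emptied, the file written by an earlier run would
  # otherwise survive and its rules (ACCEPT by default) would stay in effect.
  when: ferm_input_rules | length == 0
  notify: restart ferm
  file:
    path: "/etc/ferm/input.d/{{ ferm_rules_filename }}.conf"
    state: absent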
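- name: output
  # Each entry of ferm_output_rules becomes one ferm rule in the OUTPUT
  # drop-in. Values are interpolated verbatim into ferm syntax (no escaping),
  # so the rule variables are trusted playbook input; saddr/daddr/proto/
  # dport/sport are expected to be lists (they go through join). A rule
  # without "policy" is emitted as ACCEPT - set policy explicitly for
  # anything that should DROP or REJECT. ferm_rules_filename must be a plain
  # basename.
  when: ferm_output_rules | length > 0
  notify: restart ferm
  copy:
    dest: "/etc/ferm/output.d/{{ ferm_rules_filename }}.conf"
    owner: root
    group: root
    mode: "0640"
    content: |
      {% for rule in ferm_output_rules %}
      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
      {% endfor %}
- name: output (remove stale rules file)
  # When the rule list is emptied, the file written by an earlier run would
  # otherwise survive and its rules (ACCEPT by default) would stay in effect.
  when: ferm_output_rules | length == 0
  notify: restart ferm
  file:
    path: "/etc/ferm/output.d/{{ ferm_rules_filename }}.conf"
    state: absent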
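- name: forward
  # Each entry of ferm_forward_rules becomes one ferm rule in the FORWARD
  # drop-in. Values are interpolated verbatim into ferm syntax (no escaping),
  # so the rule variables are trusted playbook input; saddr/daddr/proto/
  # dport/sport are expected to be lists (they go through join). A rule
  # without "policy" is emitted as ACCEPT - set policy explicitly for
  # anything that should DROP or REJECT. ferm_rules_filename must be a plain
  # basename.
  when: ferm_forward_rules | length > 0
  notify: restart ferm
  copy:
    dest: "/etc/ferm/forward.d/{{ ferm_rules_filename }}.conf"
    owner: root
    group: root
    mode: "0640"
    content: |
      {% for rule in ferm_forward_rules %}
      {% if rule.mod is defined and rule.mod %}mod {{ rule.mod }} {% endif %}
      {% if rule.helper is defined and rule.helper %}helper {{ rule.helper }} {% endif %}
      {% if rule.saddr is defined and rule.saddr %}saddr @ipfilter(({{ rule.saddr | join(' ') }})) {% endif %}
      {% if rule.daddr is defined and rule.daddr %}daddr @ipfilter(({{ rule.daddr | join(' ') }})) {% endif %}
      {% if rule.proto is defined and rule.proto %}proto ({{ rule.proto | join(' ') }}) {% endif %}
      {% if rule.dport is defined and rule.dport %}dport ({{ rule.dport | join(' ') }}) {% endif %}
      {% if rule.sport is defined and rule.sport %}sport ({{ rule.sport | join(' ') }}) {% endif %}
      {% if rule.policy is defined and rule.policy %}{{ rule.policy | upper }}{% else %}ACCEPT{% endif %};
      {% endfor %}
- name: forward (remove stale rules file)
  # When the rule list is emptied, the file written by an earlier run would
  # otherwise survive and its rules (ACCEPT by default) would stay in effect.
  when: ferm_forward_rules | length == 0
  notify: restart ferm
  file:
    path: "/etc/ferm/forward.d/{{ ferm_rules_filename }}.conf"
    state: absent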
- name: service
  # Enable ferm at boot and make sure the unit is running now. Configuration
  # changes from the tasks above reach the firewall through the "restart ferm"
  # handler, not through this task, so it is a no-op once the unit is active.
  systemd:
    name: ferm
    state: started
    enabled: true
...