Commit 1f595818 authored by Simon Bärlocher's avatar Simon Bärlocher

initial release

---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
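Review bot: The `pip install ansible` line in the install step is unpinned, so every CI run tests against whatever Ansible version PyPI serves that day, and a new major release can break (or silently change) the build with no change to this repo; pin it, e.g. `pip install 'ansible==<VERSION>'`, or run a matrix over the versions the role claims to support. The script step runs only `--syntax-check`, which neither renders the templates nor executes a task, so template and variable errors in the role go undetected here; a real run would need `sudo: required` and a container, but it is the only way to exercise the handlers and the shorewall6 block. The `roles_path=../` trick in `ansible.cfg` is fine as long as the checkout directory name matches the role name the test playbook references.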
Copyright (c) 2016 Simon Bärlocher
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
\ No newline at end of file
# Ansible Role: Shorewall
## Description
Ansible role which installs and configures shorewall and shorewall6.
## Installation
```
$ ansible-galaxy install sbaerlocher.shorewall
```
## Requirements
## Role Variables
```yaml
shorewall_interfaces:
- { zone: net, interface: eth0, options: "dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0" }
shorewall_policies:
- { source: "$FW", dest: all, policy: ACCEPT }
- { source: net, dest: all, policy: REJECT }
- { source: all, dest: all, policy: REJECT, log_level: info }
shorewall_rules:
- section: NEW
rules:
- { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
- { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
- { action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
shorewall_zones:
- { zone: fw, type: firewall }
- { zone: net, type: ipv4 }
```
## Dependencies
## Example Playbook
```yml
- hosts: all
roles:
- sbaerlocher.shorewall
```
## Changelog
## Author
* [Simon Bärlocher](https://sbaerlocher.ch)
* Farhad Shahbazi
* Sascha Biberhofer
## License
This project is under the MIT License. See the [LICENSE](https://sbaerlo.ch/licence) file for the full license text.
## Copyright
(c) 2016, Simon Bärlocher
\ No newline at end of file
---
# defaults file for sbaerlocher.shorewall
shorewall_startup: 1
shorewall6_startup: 1
shorewall_verbosity: 1
shorewall6_verbosity: 1
shorewall_log_verbosity: 2
shorewall6_log_verbosity: 2
shorewall_interfaces:
- zone: net
interface: eth0
options: "tcpflags,logmartians,routefilter,sourceroute=0"
shorewall6_interfaces:
- zone: net
interface: eth0
options: "tcpflags,nosmurfs,sourceroute=0"
shorewall_masq: []
shorewall6_masq: []
shorewall_hosts: []
shorewall6_hosts: []
shorewall_params: []
shorewall6_params: []
shorewall_policies:
- source: "$FW"
dest: all
policy: ACCEPT
- source: net
dest: all
policy: REJECT
log_level: info
# the following policy must be last
- source: all
dest: all
policy: REJECT
log_level: info
shorewall6_policies:
- source: "$FW"
dest: all
policy: ACCEPT
- source: net
dest: all
policy: REJECT
- source: all
dest: all
policy: REJECT
log_level: info
shorewall_rules:
- section: ALL
rules: []
- section: ESTABLISHED
rules: []
- section: RELATED
rules: []
- section: INVALID
rules: []
- section: UNTRACKED
rules: []
- section: NEW
rules:
- { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
- { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
- { action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
shorewall6_rules:
- section: ALL
rules: []
- section: ESTABLISHED
rules: []
- section: RELATED
rules: []
- section: INVALID
rules: []
- section: UNTRACKED
rules: []
- section: NEW
rules:
- { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
- { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
- { action: ACCEPT, source: net, dest: "$FW", proto: ipv6-icmp, dest_port: echo-request }
shorewall_zones:
- zone: fw
type: firewall
- zone: net
type: ipv4
shorewall6_zones:
- zone: fw
type: firewall
- zone: net
type: ipv6
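Review bot: The `net → all REJECT` policy under `shorewall6_policies` has no `log_level`, while its IPv4 counterpart under `shorewall_policies` logs at `info`; unless the asymmetry is intentional, IPv6 traffic rejected by policy leaves no log trace, which is exactly the traffic a defender wants visibility of. Add `log_level: info` to that entry so the two stacks log the same way. The `# the following policy must be last` comment also appears only in the IPv4 list; it applies equally to the IPv6 `all → all` catch-all and is worth repeating there.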
---
# handlers file for sbaerlocher.shorewall
- name: start shorewall
service: name={{ shorewall_service_name }} state=started
- name: start shorewall6
service: name={{ shorewall6_service_name }} state=started
- name: enabled shorewall
service: name={{ shorewall_service_name }} enabled=yes
- name: enabled shorewall6
service: name={{ shorewall6_service_name }} enabled=yes
- name: restart shorewall
service: name={{ shorewall_service_name }} state=restarted
- name: restart shorewall6
service: name={{ shorewall6_service_name }} state=restarted
\ No newline at end of file
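Review bot: All six handlers pass module arguments as `key=value` strings (`service: name={{ shorewall_service_name }} state=started`), whereas the tasks file in this same commit uses the native mapping form; ansible-lint flags the string form, and the mapping form reads consistently: `service:` / `name: "{{ shorewall_service_name }}"` / `state: started`. In the mapping form `enabled=yes` becomes `enabled: true`, which also avoids the YAML 1.1 truthy spelling. The handler names `enabled shorewall` / `enabled shorewall6` are the odd ones out among imperative names (`start`, `restart`); `enable shorewall` would match.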
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 1.2
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If travis integration is cofigured, only notification for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
#platforms:
#- name: OpenBSD
# versions:
# - all
# - 5.6
# - 5.7
# - 5.8
# - 5.9
# - 6.0
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20
# - 21
# - 22
# - 23
# - 24
#- name: DellOS
# versions:
# - all
# - 10
# - 6
# - 9
#- name: MacOSX
# versions:
# - all
# - 10.10
# - 10.11
# - 10.12
# - 10.7
# - 10.8
# - 10.9
#- name: Junos
# versions:
# - all
# - any
#- name: GenericBSD
# versions:
# - all
# - any
#- name: Void Linux
# versions:
# - all
# - any
#- name: GenericLinux
# versions:
# - all
# - any
#- name: NXOS
# versions:
# - all
# - any
#- name: IOS
# versions:
# - all
# - any
#- name: Amazon
# versions:
# - all
# - 2013.03
# - 2013.09
# - 2016.03
#- name: ArchLinux
# versions:
# - all
# - any
#- name: FreeBSD
# versions:
# - all
# - 10.0
# - 10.1
# - 10.2
# - 10.3
# - 8.0
# - 8.1
# - 8.2
# - 8.3
# - 8.4
# - 9.0
# - 9.1
# - 9.1
# - 9.2
# - 9.3
#- name: Ubuntu
# versions:
# - all
# - lucid
# - maverick
# - natty
# - oneiric
# - precise
# - quantal
# - raring
# - saucy
# - trusty
# - utopic
# - vivid
# - wily
# - xenial
#- name: Debian
# versions:
# - all
# - etch
# - jessie
# - lenny
# - sid
# - squeeze
# - stretch
# - wheezy
#- name: EL
# versions:
# - all
# - 5
# - 6
# - 7
#- name: Windows
# versions:
# - all
# - 2012R2
#- name: SmartOS
# versions:
# - all
# - any
#- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
#- name: SLES
# versions:
# - all
# - 10SP3
# - 10SP4
# - 11
# - 11SP1
# - 11SP2
# - 11SP3
# - 11SP4
# - 12
# - 12SP1
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: eos
# versions:
# - all
# - Any
galaxy_tags: []
# List tags for your role here, one per line. A tag is
# a keyword that describes and categorizes the role.
# Users find roles by searching for tags. Be sure to
# remove the '[]' above if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
\ No newline at end of file
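Review bot: `galaxy_info` still carries the generator placeholders — `author: your name`, `description: your description`, `license: license (GPLv2, CC-BY, etc)` — and `platforms` is entirely commented out, so a Galaxy import of this role would publish placeholder metadata and claim no supported platforms. The LICENSE file in this commit is MIT, so `license: MIT` is the value that belongs here, and the author should match the README. `min_ansible_version: 1.2` also looks inconsistent with the tasks file, which uses `block:` and the `package` module; as far as I recall both arrived in Ansible 2.0, so the minimum should be raised to whatever version the role is actually tested with.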
---
# tasks file for sbaerlocher.shorewall
- name: add OS specific variables
include_vars: "{{ item }}"
with_first_found:
- "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "vars/{{ ansible_distribution }}.yml"
- "vars/{{ ansible_os_family }}.yml"
- "vars/defaults.yml"
tags:
- configuration
- packages
- name: install shorewall
package:
name: "{{ shorewall_package_name }}"
state: latest
notify:
- enabled shorewall
- start shorewall
tags:
- packages
- name: shorewall configuration files
template:
dest: "/etc/shorewall/{{ item }}"
src: "shorewall/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall
tags:
- configuration
- name: generate Shorewall service conf
template:
dest: /etc/default/shorewall
src: default/shorewall.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall
tags:
- configuration
- block:
- name: install shorewall6
package:
name: "{{ shorewall6_package_name }}"
state: latest
notify:
- enabled shorewall6
- start shorewall6
tags:
- packages
- name: shorewall configuration files
template:
dest: /etc/default/shorewall6
src: default/shorewall6.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall6
tags:
- configuration
- name: shorewall6 configuration files
template:
dest: "/etc/shorewall6/{{ item }}"
src: "shorewall6/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall6.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall6
tags:
- configuration
when: "'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global'"
\ No newline at end of file
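Review bot: Both `package` tasks use `state: latest`, so every playbook run upgrades the firewall package to whatever the distribution currently ships; that makes the run non-idempotent and can change firewall behaviour with no change to this role, so `state: present` is the safer default, with upgrades done deliberately. The second task inside the shorewall6 block is named `shorewall configuration files` although it writes `/etc/default/shorewall6` — a copy-paste of the IPv4 task name at the top of the file that makes play output ambiguous; rename it to `generate Shorewall6 service conf` to match its IPv4 sibling. The `mode: 0640` values rely on the leading zero being read as octal; quoting them as `mode: "0640"` is the form the Ansible docs recommend and is immune to a YAML 1.2 parser treating the value differently.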
# {{ ansible_managed }}
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup={{ shorewall_startup }}
# If your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall
# to wait until the interface is configured. Otherwise the script will fail
# because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
#
# Global start/restart options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
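Review bot: `SAFESTOP=0` is hard-coded, which — per the template's own comment — makes `/etc/init.d/shorewall stop` open the firewall entirely rather than leave it in a safe state; since this role is the component managing the firewall, exposing it as a role variable, `SAFESTOP={{ shorewall_safestop | default(0) }}`, lets an operator choose the fail-closed behaviour without patching the template, and the same applies to the `default/shorewall6.j2` template in this commit. Only `startup` is templated while `OPTIONS`, `STARTOPTIONS`, `RESTARTOPTIONS` and `INITLOG` are fixed, which is fine for a first release but worth a one-line comment stating that they are intentionally not configurable. The `startup` comment also misspells `variable` as `varible`.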
# {{ ansible_managed }}
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup={{ shorewall6_startup }}
# If your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall
# to wait until the interface is configured. Otherwise the script will fail
# because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall6/params
# wait_interface=
#
# Global start/restart options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
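Review bot: The `INITLOG` comment in this IPv6 template still says `use the STARTUP_LOG defined in shorewall.conf`; for shorewall6 the relevant file is `shorewall6.conf`, so the comment should read `# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall6.conf`. The `wait_interface` guidance correctly points at `/etc/shorewall6/params`, so this looks like the one line missed when the IPv4 template was copied. The `varible` typo on the `startup` comment is duplicated here as well.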