Commit 6522c1fb authored by Matthew Smith's avatar Matthew Smith

all sol1 changes

parent ef525c17
......@@ -35,11 +35,11 @@ shorewall_conf | *this variable uses standard option / value pairs*
shorewall_interfaces | `zone`, `interface`, `options`
shorewall_zones | `zone`, `type`, `options`, `options_in`, `options_out`
shorewall_policies | `source`, `dest`, `policy`, `log_level`, `burst_limit`, `conn_limit`
shorewall_rules | **sections**: `section`, **rules**: `rule`. For each **rule**: `action`, `source`, `dest`, `proto`, `dest_port`, `source_port`, `original_dest`, `rate_limit`, `user_group`, `mark`, `connlimit`, `time`, `headers`, `switch`, `helper`, `when`
shorewall_rules | **sections**: `section`, **rules**: `rule`. For each **rule**: `comment`, `action`, `source`, `dest`, `proto`, `dest_port`, `source_port`, `original_dest`, `rate_limit`, `user_group`, `mark`, `connlimit`, `time`, `headers`, `switch`, `helper`, `when`
shorewall_masq | `interface`, `source`, `address`, `proto`, `ports`, `ipsec`, `mark`, `user`, `switch`, `original_dest`
shorewall_tunnels | `type`, `zone`, `gateway`, `gateway_zone`
shorewall_hosts | `zone`, `hosts`, `options`
shorewall_params | `name`, `value`
shorewall_params | [ `import` | `name`, `value` ] **imports are processed first then name/value pairs**
### shorewall_package_state - Shorewall package state
......@@ -169,6 +169,13 @@ Define multiple zones accessed through a single interface in the `/etc/shorewall
### shorewall_params - Parameters
Assign any shell variables that you need in the `/etc/shorewall/params` file. See the Shorewall [params man page](http://shorewall.org/manpages/shorewall-params.html) for more details.
#### Example
```yaml
shorewall_params:
- { import: '/path/file' }
- { name: 'server', value: '10.0.0.1' }
```
## Example Playbook
......
---
# Defaults file for Myatu.shorewall
# shorewall_run is a safeguard to prevent default values overwriting good values
# in case host_vars aren't found (ie: somebody renamed the inventory and not the host_vars)
shorewall_run: false
shorewall_default_actions_macros: ""
shorewall_conf: {}
shorewall6_conf: {}
......@@ -23,6 +29,10 @@ shorewall6_interfaces:
shorewall_masq: []
shorewall6_masq: []
shorewall_stoppedrules: []
shorewall6_stoppedrules: []
shorewall_hosts: []
shorewall6_hosts: []
......@@ -72,8 +82,9 @@ shorewall_rules:
- section: NEW
rules:
- { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
- { comment: "ssh" }
- { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: "{{ ansible_ssh_port | default('ssh', True) }}" }
- { action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
- { comment: "ping", action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
shorewall6_rules:
- section: ALL
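Review bot: `shorewall_stoppedrules: []` is now rendered into `/etc/shorewall/stoppedrules` (the template list in `tasks/shorewall.yml` in this commit), and an empty stoppedrules file means that while Shorewall is stopped — after a failed restart or a manual `shorewall stop` — no new connections are accepted, so the SSH access the running defaults open with `dest_port: "{{ ansible_ssh_port | default('ssh', True) }}"` is gone exactly when an operator needs it. Consider a default entry that accepts the SSH port on the external interface (in stoppedrules the SOURCE column takes an interface, not a zone) and a comment next to `shorewall_stoppedrules` spelling out the lockout risk; whether established sessions survive depends on `ADMINISABSENTMINDED` in shorewall.conf, which is outside this hunk. The SSH rule also keys only off `ansible_ssh_port`, which newer inventories spell `ansible_port`; `dest_port: "{{ ansible_port | default(ansible_ssh_port | default('ssh', True), True) }}"` avoids opening 22 while sshd actually listens elsewhere.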
......
---
# tasks file for myatu.shorewall
- name: Debug OS Version
debug:
msg: "distribution: {{ ansible_distribution }}, major_version: {{ ansible_distribution_major_version }}"
- name: Add OS specific variables
include_vars: "{{ item }}"
......@@ -20,6 +23,12 @@
when: (shorewall_package_state != "absent")
- include: shorewall.yml
when: shorewall_run
- include: shorewall6.yml
when: "'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global'"
when: "'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global' and shorewall_run"
- name: dead man's switch
debug:
msg: "Skipped configuration because dead man's switch var 'shorewall_run' is not set to true"
when: not shorewall_run
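Review bot: The IPv6 tasks are only included when the host currently has a global-scope default IPv6 address (`'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global'`), so a host with the v6 stack enabled but only link-local addressing at run time — or one that gains a global address later via SLAAC — gets no ip6tables policy while its IPv4 side is locked down. Consider gating on an explicit role variable next to the dead man's switch (e.g. `shorewall6_run: false` in defaults) rather than on a fact that can change between runs, and log the skipped branch the way `shorewall_run` is logged, e.g. `msg: "Skipped IPv6 configuration: no global-scope default IPv6 address found"`. On Ansible 2.4+ `include:` with `when` is the deprecated static form; `import_tasks` expresses the same intent. The task that precedes this hunk (`when: (shorewall_package_state != "absent")`) starts outside the hunk, so I can't tell whether package installation still runs when the guard is off.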
......@@ -25,6 +25,10 @@
set_fact:
shorewall_version: "{{ '.'.join( shorewall_version_result.get('stdout', '0.0').split('.')[:2] ) }}"
- name: debug config
debug:
msg: "{{ shorewall_rules }}"
- name: Generate Shorewall configuration files
template:
dest: "/etc/shorewall/{{ item }}"
......@@ -36,16 +40,52 @@
- shorewall.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
# - providers
- tunnels
# - actions
- stoppedrules
notify:
- restart shorewall
tags:
- configuration
- name: debug shorewall_version
debug:
var: shorewall_version
- name: Generate Shorewall masq file
template:
dest: "/etc/shorewall/{{ item }}"
src: "shorewall/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- masq
notify:
- restart shorewall
tags:
- configuration
when: (shorewall_version|float < 5.0)
- name: Generate Shorewall masq file
template:
dest: "/etc/shorewall/{{ item }}"
src: "shorewall/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- snat
notify:
- restart shorewall
tags:
- configuration
when: (shorewall_version|float >= 5.0)
- name: Verify Shorewall configuration
command: shorewall check
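Review bot: The added `debug config` task (`msg: "{{ shorewall_rules }}"`) dumps the complete ruleset into the play output on every run, which puts the host's firewall topology into any CI log or callback store that keeps output; drop it or gate it with `verbosity: 2` (same for `debug shorewall_version`). The masq/snat split compares `shorewall_version|float`, which holds for 4.x/5.x today but mis-orders any minor that reaches two digits (`5.10` < `5.9` as floats); `when: shorewall_version is version('5.0', '<')` compares correctly and reads the intent. Note also that `shorewall_version` falls back to `'0.0'` when the version probe produced no stdout, so a failed probe silently selects the legacy `masq` path on a Shorewall 5 host. The two near-identical template tasks could be one task with `with_items: "{{ ['masq'] if shorewall_version is version('5.0', '<') else ['snat'] }}"`.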
......
# {{ ansible_managed }}
# Shorewall version 4 - Actions File
#
#ZONE INTERFACE OPTIONS
{% for action in shorewall_actions %}
{{ action.name }} {{ action.options | default(" ") }} {{ action.description | default("#nondescript") }}
{% endfor %}
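Review bot: The column header `#ZONE INTERFACE OPTIONS` in this new actions template is copied from the interfaces template and does not describe what the loop emits (`action.name`, `action.options`, `action.description`); it should read `#ACTION OPTIONS DESCRIPTION` so the file is readable next to Shorewall's own samples. `shorewall_actions` has no default in this commit's `defaults/main.yml`, so enabling the commented-out `# - actions` entry in the task list would fail with an undefined variable until `shorewall_actions: []` is added. `| default(" ")` for options renders a bare space, which lets the description slide into the OPTIONS column when fields are split on whitespace; use `| default("-")` as the interfaces template does.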
......@@ -11,6 +11,6 @@
###############################################################################
#ZONE INTERFACE OPTIONS
{% for i in shorewall_interfaces %}
{{ i.zone }} {{ i.interface }} {{ i.options | default("-") }}
{% for item in shorewall_interfaces %}
{{ item.zone }} {{ item.interface }} {{ item.options | default("-") }}
{% endfor %}
......@@ -6,5 +6,5 @@
# GROUP DEST
{% for rule in shorewall_masq %}
{{ rule.interface | default('-') }} {{ rule.source | default('-') }} {{ rule.address | default('-') }} {{ rule.proto | default('-') }} {{ rule.ports | default('-') }} {{ rule.ipsec | default('-') }} {{ rule.mark | default('-') }} {{ rule.user | default('-') }} {{ rule.switch | default('-') }} {{ rule.original_dest | default('-') }}
{{ rule.interface | default('') }} {{ rule.source | default('') }} {{ rule.address | default('') }} {{ rule.proto | default('') }} {{ rule.ports | default('') }} {{ rule.ipsec | default('') }} {{ rule.mark | default('') }} {{ rule.user | default('') }} {{ rule.switch | default('') }} {{ rule.original_dest | default('') }}
{% endfor %}
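Review bot: Changing every column default from `'-'` to `''` breaks interior omitted fields: the masq file is parsed positionally on whitespace, so an entry with `interface` and `address` but no `source` now renders as `eth0  1.2.3.4 ...` and the address is read as SOURCE, silently changing which traffic is NATed. `-` is the placeholder for a skipped column; only trailing columns may be left empty. Restore `| default('-')` for the interior columns (everything except the last) — or, if the role only targets releases with Shorewall's `column=value` alternate syntax, switch to that, which is position-independent.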
......@@ -26,7 +26,28 @@
###############################################################################
{% for param in shorewall_params %}
{{ param.name }}={{ param.value | join(',') }}
{% if param.import is defined %}
. {{ param.import }}{% endif %}
{% endfor %}
{% for param in shorewall_params %}
{% if param.name is defined %}
{{ param.name }}="{{ param.value }}"
{% endif %}
{% endfor %}
{% if dhcp_hosts is defined %}
# DHCP Params
{% for param in dhcp_hosts %}
{% if param.name is defined %}
{% if param.mac_address is defined %}
{{ param.name | replace('-','_') }}="~{{ param.mac_address }}"
{% elif param.fixed_address is defined %}
{{ param.name | replace('-','_') }}="{{ param.fixed_address }}"
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
#LAST LINE -- DO NOT REMOVE
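Review bot: The new `{{ param.name }}="{{ param.value }}"` line appears to replace `{{ param.value | join(',') }}`, so a `value` given as a list now renders as its Python repr (`['10.0.0.1', '10.0.0.2']`) instead of `10.0.0.1,10.0.0.2`; either keep the join for sequences — `{{ param.value | join(',') if param.value is iterable and param.value is not string else param.value }}` — or state in the README that `value` must be a scalar. Because the params file is sourced as shell by the Shorewall compiler, a double-quoted value still undergoes `$`, backtick and `"` processing and `. {{ param.import }}` sources whatever path is given; both are acceptable for operator-controlled vars but deserve a template comment such as `# NOTE: values are shell-interpreted; escape $ and " or use the quote filter for literals`. The `dhcp_hosts` block sanitises only `-` in names; other characters invalid in a shell identifier pass through and break the file at compile time rather than in Ansible.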
# {{ ansible_managed }}
#
# Shorewall - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
{% for provider in shorewall_providers %}
{{ provider.name }} {{ provider.number }} {{ provider.mark }} {{ provider.duplicate }} {{ provider.interface }} {{ provider.gateway }} {{ provider.options }} {{ provider.copyinterfaces }}
{% endfor %}
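Review bot: Every column in this new providers template is rendered without `| default(...)`, so enabling the commented-out `# - providers` task entry fails on the first entry that omits an optional column such as `duplicate` or `copyinterfaces`, and `shorewall_providers` itself has no default in this commit, so the template cannot render at all until `shorewall_providers: []` is added to `defaults/main.yml`. Use `{{ provider.duplicate | default('-') }}` and the like for the optional columns, and leave the mandatory ones (`name`, `number`, `interface`) unfiltered so a malformed entry fails in Ansible rather than producing a broken routing table. The header says `COPY` while the key is `copyinterfaces`; aligning the key with the documented column, or documenting the key in the README, avoids guessing.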
......@@ -14,7 +14,11 @@
{{ '' if (shorewall_version|float < 4.6) else '?' }}SECTION {{ section.section }}
{% for rule in section.rules %}
{% if rule.get('when', True) %}
{{ rule.action | default('-') }} {{ rule.source | default('-') }} {{ rule.dest | default('-') }} {{ rule.proto | default('-') }} {{ rule.dest_port | default('-') }} {{ rule.source_port | default('-') }} {{ rule.original_dest | default('-') }} {{ rule.rate_limit | default('-') }} {{ rule.user_group | default('-') }} {{ rule.mark | default('-') }} {{ rule.connlimit | default('-') }} {{ rule.time | default('-') }} {{ rule.headers | default('-') }} {{ rule.switch | default('-') }} {{ rule.helper | default('-') }}
{% if rule.comment is defined %}
# {{ rule.comment }} {% endif %}
{% if rule.action is defined %}
{{ rule.action | default('-') }} {{ rule.source | default('-') }} {{ rule.dest | default('-') }} {{ rule.proto | default('-') }} {{ rule.dest_port | default('-') }} {{ rule.source_port | default('-') }} {{ rule.original_dest | default('-') }} {{ rule.rate_limit | default('-') }} {{ rule.user_group | default('-') }} {{ rule.mark | default('-') }} {{ rule.connlimit | default('-') }} {{ rule.time | default('-') }} {{ rule.headers | default('-') }} {{ rule.switch | default('-') }} {{ rule.helper | default('-') }} {% endif %}
{% endif %}
{% endfor %}
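Review bot: `# {{ rule.comment }}` writes the comment as a plain file comment that vanishes at compile time, whereas Shorewall's `COMMENT`/`?COMMENT` directive (the same old/new split the `?SECTION` toggle on the line above already handles) attaches the text to the generated iptables rules so it appears in `shorewall show` when someone is debugging a lockout — consider `{{ '' if (shorewall_version|float < 4.6) else '?' }}COMMENT {{ rule.comment }}` per shorewall-rules(5), with a bare `?COMMENT` after the rule to reset it. The inline `{% endif %}` at the end of both content lines leaves a trailing space on every rendered rule and comment; moving it to its own line keeps the file clean. A comment containing a newline would inject a second, uncommented line into the rules file; trusted input today, but `{{ rule.comment | replace('\n', ' ') }}` closes that cheaply.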
......
......@@ -11,3 +11,12 @@
{% for key,value in shorewall_conf.items() %}
{{ key|upper }}={{ value }}
{% endfor %}
{% if shorewall_default_actions_macros == 'v5_debian10' %}
# For https://github.com/mrlesmithjr/ansible-shorewall/issues/15
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
{% endif %}
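Review bot: The `v5_debian10` block is rendered after the `shorewall_conf.items()` loop, and shorewall.conf is sourced as shell where the last assignment wins, so any `accept_default`, `drop_default`, `reject_default` etc. a user puts in `shorewall_conf` (which the README presents as the place for such settings) is silently overridden by these hard-coded values on Debian hosts. Either render the block before the loop so user values win, or guard each line, e.g. `{% if 'drop_default' not in shorewall_conf %}DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"{% endif %}`. A one-line comment saying what breaks without these values would help more than the bare URL, which points at a different role (`mrlesmithjr/ansible-shorewall`) than this one.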
# {{ ansible_managed }}
#
# Shorewall - SNAT/Masquerade File
#
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for additional information
###################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
{% for rule in shorewall_masq %}
MASQUERADE {{ rule.source | default('-') }} {{ rule.interface | default('-') }} {{ rule.proto | default('-') }} {{ rule.ports | default('-') }} {{ rule.ipsec | default('-') }} {{ rule.mark | default('-') }} {{ rule.user | default('-') }} {{ rule.switch | default('-') }} {{ rule.original_dest | default('-') }}
{% endfor %}
{% if shorewall_snat is defined %}
{% for rule in shorewall_snat %}
SNAT({{ rule.newsource | default('') }}) {{ rule.source | default('-') }} {{ rule.interface | default('-') }} {{ rule.proto | default('-') }} {{ rule.ports | default('-') }} {{ rule.ipsec | default('-') }} {{ rule.mark | default('-') }} {{ rule.user | default('-') }} {{ rule.switch | default('-') }} {{ rule.original_dest | default('-') }}
{% endfor %}
{% endif %}
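Review bot: The `MASQUERADE` line drops the `address` key of `shorewall_masq` entries: in the Shorewall 4 masq file ADDRESS selects SNAT to a fixed address and the README lists `address` as a masq key, but on ≥5.0 hosts this template ignores it and emits plain `MASQUERADE`, silently changing the source address those rules produce. For plain addresses, `{{ 'SNAT(' ~ rule.address ~ ')' if rule.address is defined and rule.address != '-' else 'MASQUERADE' }}` preserves the old semantics. `SNAT({{ rule.newsource | default('') }})` renders `SNAT()` when `newsource` is missing, which only fails later at `shorewall check`; `SNAT({{ rule.newsource | mandatory }})` fails in Ansible instead. `shorewall_snat` is new in this commit and is neither documented in the README nor given a default.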
#
# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
# Copyright (C) 2012 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-stoppedrules"
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
{% for i in shorewall_stoppedrules %}
{{ i.action }} {{ i.source | default("-") }} {{ i.dest | default("-") }} {{ i.proto | default('') }} {{ i.destports | default('')}} {{ i.sourceports | default('') }}
{% endfor %}
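Review bot: This new stoppedrules template uses `destports`/`sourceports` while every other rule structure in the role uses `dest_port`/`source_port` (README table, rules template), and neither `shorewall_stoppedrules` nor its keys are added to the README; reusing the existing names lets users copy an entry from `shorewall_rules` into `shorewall_stoppedrules`. The README line should also say that SOURCE/DEST here take an interface (optionally `:address`), not a zone as in `rules`, and that with an empty list no new connections — SSH included — are accepted while the firewall is stopped or after a failed restart. The header keeps the Shorewall sample's LGPL copyright, which is right, but the `Sample Stoppedrules File for two-interface configuration` title no longer describes generated content; the `# {{ ansible_managed }}` line the other templates carry is the better first line.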
......@@ -29,4 +29,17 @@
{{ param.name }}={{ param.value | join(',') }}
{% endfor %}
{% if dhcp_hosts is defined %}
# DHCP Params
{% for param in dhcp_hosts %}
{% if param.name is defined %}
{% if param.mac_address is defined %}
{{ param.name }}="~{{ param.mac_address }}"~
{% elif param.fixed_address is defined %}
{{ param.name }}="{{ param.fixed_address }}"~
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
#LAST LINE -- DO NOT REMOVE
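Review bot: `{{ param.name }}="~{{ param.mac_address }}"~` and `{{ param.name }}="{{ param.fixed_address }}"~` carry a stray `~` after the closing quote, so the sourced shell value becomes e.g. `~aa:bb:cc:dd:ee:ff~` or `10.0.0.1~`, which is not a valid MAC or address for Shorewall; the IPv4 params template in this same commit emits the values without the trailing tilde. This copy also omits the `| replace('-','_')` the IPv4 version applies to `param.name`, so a hyphenated DHCP host name yields an invalid shell assignment here but a valid one there; if both templates consume the same `dhcp_hosts`, keep them identical: `{{ param.name | replace('-','_') }}="~{{ param.mac_address }}"` and `{{ param.name | replace('-','_') }}="{{ param.fixed_address }}"`. The IPv6 file also still renders `param.value | join(',')` while the IPv4 file now renders `"{{ param.value }}"`, so a list-valued param is formatted differently on the two sides.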
......@@ -12,3 +12,13 @@
{% for key,value in shorewall6_conf.items() %}
{{ key|upper }}={{ value }}
{% endfor %}
{% if shorewall_default_actions_macros == 'v5_debian10' %}
# For https://github.com/mrlesmithjr/ansible-shorewall/issues/15
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
{% endif %}
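Review bot: These `*_DEFAULT` lines come after the `shorewall6_conf.items()` loop, and the file is sourced as shell where the last assignment wins, so a user's `shorewall6_conf` values for `accept_default`, `drop_default` and friends are overridden rather than honoured; guard each with `{% if 'drop_default' not in shorewall6_conf %}` (one per key) or move the block above the loop. The gate is the IPv4-named `shorewall_default_actions_macros`, which is fine but deserves a comment since there is no `shorewall6_` counterpart. `BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid"` is copied verbatim from the IPv4 template; whether that macro set is the right one for shorewall6 I can't tell from here and is worth confirming against shorewall6.conf(5).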
---
# Debian vars file for Myatu.shorewall
shorewall_incompatible_packages:
- "iptables-service"
shorewall_packages:
- "shorewall"
- "ipset"
shorewall6_packages:
- "shorewall6"
shorewall_service_name: "shorewall"
shorewall6_service_name: "shorewall6"
shorewall_default_actions_macros: "v5_debian10"
shorewall_default_actions_macros: "v4_ubuntu16"
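Review bot: `shorewall_default_actions_macros: "v4_ubuntu16"` has no matching branch in either conf template (both only test `== 'v5_debian10'`), so on that platform the variable is a no-op and implies an override that never happens; add the branch or drop the value. These settings also live in the role's `vars/` files, which in Ansible precedence sit above inventory `host_vars`/`group_vars`, so an operator cannot disable the forced `*_DEFAULT` block for one host without `-e`; given the role already exposes `shorewall_default_actions_macros: ""` in `defaults/main.yml`, keying the template on the `ansible_distribution`/`ansible_distribution_major_version` facts this commit debugs in `tasks/main.yml`, or leaving the choice to defaults, keeps it overridable. I can't see the file boundaries on this page, so if `"iptables-service"` under `shorewall_incompatible_packages` is in the Debian vars file, note that name is a RHEL package; Debian hosts would more likely need `iptables-persistent`.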
shorewall_service_name: "shorewall"
shorewall_packages:
- "shorewall"
shorewall_packages:
- "shorewall"
shorewall6_packages:
- "shorewall6"
shorewall_service_name: "shorewall"
shorewall6_service_name: "shorewall6"
......@@ -82,7 +82,7 @@ shorewall_conf_base:
autohelpers: "Yes"
automake: "No"
blacklist: "\"NEW,INVALID,UNTRACKED\""
chain_scripts: "Yes"
#chain_scripts: "Yes"
clampmss: "No"
clear_tc: "Yes"
complete: "No"
......@@ -100,15 +100,15 @@ shorewall_conf_base:
implicit_continue: "No"
inline_matches: "Yes"
ipset_warnings: "Yes"
ip_forwarding: "Keep"
ip_forwarding: "On"
keep_rt_tables: "No"
load_helpers_only: "Yes"
maclist_table: "filter"
maclist_ttl: ""
mangle_enabled: "Yes"
mapoldactions: "No"
#mapoldactions: "No"
mark_in_forward_chain: "No"
module_suffix: "ko"
#module_suffix: "ko"
multicast: "No"
mutex_timeout: "60"
null_route_rfc1918: "No"
......@@ -248,7 +248,7 @@ shorewall6_conf_base:
forward_clear_mark: "Yes"
helpers: ""
implicit_continue: "No"
inline_matches: "Yes"
#inline_matches: "Yes"
ipset_warnings: "Yes"
ip_forwarding: "Keep"
keep_rt_tables: "Yes"
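Review bot: `ip_forwarding: "On"` (previously `"Keep"`) turns every host this role manages into an IPv4 router by default, including single-interface servers whose zones never forward; that widens the attack surface and lets a mis-zoned or compromised host route between networks it is attached to. Keep `"Keep"` in the role-wide base and set `ip_forwarding: "On"` in the `host_vars`/`group_vars` of the gateways that need it (masq entries are a reasonable signal, so `ip_forwarding: "{{ 'On' if shorewall_masq | length > 0 else 'Keep' }}"` is one option, though only a proxy). The options commented out here — `chain_scripts`, `mapoldactions`, `module_suffix`, and `inline_matches` on the v6 side — look like keys a newer Shorewall rejects; if that is the reason, a comment such as `# not accepted by Shorewall 5.x; fails shorewall check` records why they are disabled rather than deleted.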
......