Unverified Commit 6b156284 authored by Mike Green

Updated README and meta

parent 89142487
......@@ -4,7 +4,7 @@
## Description
Ansible role which installs and configures shorewall and shorewall6.
Ansible role which installs and configures [Shorewall](http://shorewall.org/) and Shorewall6.
## Installation
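Review bot: the new description links to `http://shorewall.org/`, while the man-page links added further down in this README alternate between `shorewall.org` and `www.shorewall.net`; pick one canonical host (and prefer https) so the README does not look like it points at two different sites.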
......@@ -14,31 +14,118 @@ $ ansible-galaxy install Myatu.shorewall
## Requirements
Ansible version 2.0 or better.
## Role Variables
*Note:* The Shorewall (IPv4) variables are prefixed by `shorewall_`, whereas the Shorewall6 (IPv6) variables are prefixed by `shorewall6_`.
Variable | Dictionary / Options
--- | ---
shorewall_package_state | "present", "latest", "absent".
shorewall_startup | "1" or "0"
shorewall_conf | *this variable uses standard option / value pairs*
shorewall_interfaces | `zone`, `interface`, `options`
shorewall_zones | `zone`, `type`, `options`, `options_in`, `options_out`
shorewall_policies | `source`, `dest`, `policy`, `log_level`, `burst_limit`, `conn_limit`
shorewall_rules | **sections**: `section`, **rules**: `rule`. For each **rule**: `action`, `source`, `dest`, `proto`, `dest_port`, `source_port`, `original_dest`, `rate_limit`, `user_group`, `mark`, `connlimit`, `time`, `headers`, `switch`, `helper`
shorewall_masq | `interface`, `source`, `address`, `proto`, `ports`, `ipsec`, `mark`, `user`, `switch`, `original_dest`
shorewall_hosts | `zone`, `hosts`, `options`
shorewall_params | `name`, `value`
### shorewall_package_state - Shorewall package state
See the Ansible [package module](http://docs.ansible.com/ansible/package_module.html) information for more details.
It allows you to control whether Shorewall and dependencies should be either installed (*"present"*), installed / upgraded to their most recent version (*"latest"*) or should be removed (*"absent"*).
### shorewall_startup - Shorewall startup behaviour
This updates the `/etc/default/shorewall` file's `startup` option to either enable (*"1"*) startup (using the `service` or `systemctl` commands) or disable it (*"0"*).
### shorewall_conf - Shorewall Configuration
Specify values for global Shorewall options in the `/etc/shorewall/shorewall.conf` file. See the Shorewall [shorewall.conf man page](http://shorewall.org/manpages/shorewall.conf.html) for more details.
Each shorewall.conf option may be written in lower-case, such as `ACCEPT_DEFAULT=none
` can be written as `accept_default: "none"` in the variables.
#### Example
```yaml
shorewall_conf:
verbosity: "1"
log_verbosity: "2"
logfile: "/var/log/messages"
blacklist: "\"NEW,INVALID,UNTRACKED\""
blacklist_disposition: "DROP"
```
### shorewall_interfaces - Interfaces
Define the interfaces on the system and optionally associate them with zones in the `/etc/shorewall/interfaces` file. See the Shorewall [interfaces man page](http://www.shorewall.net/manpages/shorewall-interfaces.html) for more details.
#### Example
```yaml
shorewall_interfaces:
- { zone: net, interface: eth0, options: "dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0" }
```
### shorewall_zones - Zones
Declare Shorewall zones in the `/etc/shorewall/zones` file. See the Shorewall [zones man page](http://www.shorewall.net/manpages/shorewall-zones.html) for more details.
#### Example
```yaml
shorewall_zones:
- { zone: fw, type: firewall }
- { zone: net, type: ipv4 }
```
### shorewall_policies - Policies
Define high-level policies for connections between zones in the `/etc/shorewall/policies`. See the Shorewall [policy man page](http://www.shorewall.net/manpages/shorewall-policy.html) for more details.
#### Example
```yaml
shorewall_policies:
- { source: "$FW", dest: all, policy: ACCEPT }
- { source: net, dest: all, policy: REJECT }
- { source: all, dest: all, policy: REJECT, log_level: info }
```
### shorewall_rules - Rules
Specify exceptions to policies, including DNAT and REDIRECT in the `/etc/shorewall/rules` file. See the Shorewall [rules man page](http://www.shorewall.net/manpages/shorewall-rules.html) for more details.
***WARNING***: Please be sure to include a rule for SSH on the correct port, to avoid locking Ansible - and yourself - out from the remote host.
#### Example
```yaml
shorewall_rules:
- section: NEW
rules:
- { action: "Invalid(DROP)", source: net, dest: "$FW", proto: tcp }
- { action: ACCEPT, source: net, dest: "$FW", proto: tcp, dest_port: ssh }
- { action: ACCEPT, source: net, dest: "$FW", proto: icmp, dest_port: echo-request }
shorewall_zones:
- { zone: fw, type: firewall }
- { zone: net, type: ipv4 }
```
## Dependencies
### shorewall_masq - Masquerade/SNAT
Define Masquerade/SNAT in the `/etc/shorewall/masq` file. See the Shorewall [masq man page](http://shorewall.org/manpages/shorewall-masq.html) for more details.
### shorewall_hosts - Hosts
Define multiple zones accessed through a single interface in the `/etc/shorewall/hosts` file. See the Shorewall [hosts man page](http://shorewall.org/manpages/shorewall-hosts.html) for more details.
### shorewall_params - Parameters
Assign any shell variables that you need in the `/etc/shorewall/params` file. See the Shorewall [params man page](http://shorewall.org/manpages/shorewall-params.html) for more details.
## Example Playbook
```yml
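Review bot: the `shorewall_rules` example ends with a stray `shorewall_zones:` block (`- { zone: fw, type: firewall }` / `- { zone: net, type: ipv4 }`) that duplicates the zones example and does not belong under the rules example; drop those three lines. In the same hunk, the inline code in "such as `ACCEPT_DEFAULT=none` can be written as `accept_default: "none"`" is split across a line break, so the backtick span renders broken, and the `shorewall_masq`, `shorewall_hosts` and `shorewall_params` sections land after the `## Dependencies` heading, so they read as dependencies rather than role variables; move them above it, and since they are the only variables without an `#### Example`, a short one for each would match the rest of the section. The SSH lock-out warning is a good addition; it would be stronger if the rules example showed the `dest_port` as a variable for non-standard SSH ports rather than the fixed `ssh` service name.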
......@@ -49,6 +136,17 @@ shorewall_zones:
## Changelog
### v1.0
- Added: `ipset` as a package dependency;
- Added: role variable `shorewall_conf`, allowing each option in the shorewall.conf file to be defined;
- Added: role variable `shorewall_package_state` to set package state of Shorewall and dependencies;
- *Changed:* The default for `shorewall_interface` now detects the default network interface rather than fixed at `eth0` (though `eth0` is still a fall-back default);
- **Removed:** role variables: `shorewall_verbosity`, `shorewall_log_verbosity`. Use the `shorewall_conf` role variable to configure these instead.
## Author
* [Michael Green](http://myatus.com)
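Review bot: the changelog entry for `shorewall_interface` names a variable that the new Role Variables table does not list (the table only has `shorewall_interfaces`); either document `shorewall_interface` and its default-interface detection in the table, or correct the name. Since `shorewall_verbosity` and `shorewall_log_verbosity` are removed in v1.0, existing playbooks that set them will silently lose those settings, so consider calling out the migration to `shorewall_conf` in the Role Variables section as well, not only in the changelog. Minor: the list items mix `;` and `.` terminators.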
......@@ -62,5 +160,6 @@ This project is under the MIT License. See the LICENSE file for the full license
## Copyright
Copyright (c) 2017 Michael Green
Copyright (c) 2016 Simon Bärlocher
\ No newline at end of file
- Copyright (c) 2017 Michael Green
- Copyright (c) 2016 Simon Bärlocher
galaxy_info:
author: Michael Green <myatus@gmail.com>
description: Ansible role which installs and configures shorewall and shorewall6.
description: Ansible role which installs and configures Shorewall and Shorewall6.
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
......@@ -15,7 +15,7 @@ galaxy_info:
# - CC-BY
license: MIT
min_ansible_version: 1.2
min_ansible_version: 2.0
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
......@@ -117,8 +117,8 @@ galaxy_info:
# - 9.1
# - 9.2
# - 9.3
#- name: Ubuntu
# versions:
- name: Ubuntu
versions:
# - all
# - lucid
# - maverick
......@@ -131,24 +131,24 @@ galaxy_info:
# - trusty
# - utopic
# - vivid
# - wily
# - xenial
- wily
- xenial
- name: Debian
versions:
- all
# - all
# - etch
# - jessie
- jessie
# - lenny
# - sid
# - squeeze
# - stretch
# - wheezy
- wheezy
- name: EL
versions:
- all
# - all
# - 5
# - 6
# - 7
- 6
- 7
#- name: Windows
# versions:
# - all
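Review bot: replacing `all` with explicit versions for Ubuntu, Debian and EL is the right direction, but `wily` (Ubuntu 15.10) had already reached end of life by the time of this commit, so listing it advertises support for a release that no longer receives security updates; suggest dropping it unless the role is actually tested there. It would also help to state in the README which of the listed platforms (`xenial`, `jessie`, `wheezy`, EL `6` and `7`) the role is exercised against, so the Galaxy metadata reflects tested rather than assumed support.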