Ansible role to install and configure ferm firewall.
Building and improving this Ansible role have been sponsored by my current and previous employers like Cloudpunks GmbH and Proact Deutschland GmbH.
- Minimum Ansible version:
2.10
Default policy for forward chain
ferm_default_forward_policy: DROPDefault policy for input chain
ferm_default_input_policy: DROPDefault policy for output chain
ferm_default_output_policy: ACCEPTDefault weight for rule files
ferm_default_weight: 50Generally enable or disable ferm
ferm_enabled: trueList of extra hook scripts
ferm_extra_hooks: []List of general directories for chains
ferm_general_dirs:
- /etc/ferm/before.d
- /etc/ferm/ferm.d
- /etc/ferm/input.d
- /etc/ferm/output.d
- /etc/ferm/forward.d
- /etc/ferm/pre.d
- /etc/ferm/post.d
- /etc/ferm/flush.dList of general hook scripts
ferm_general_hooks: []List of general rule definitions
ferm_general_rules:
- name: ssh
weight: 20
type: input
content: |
proto tcp dport ssh ACCEPT;List of group directories for chains
ferm_group_dirs: []List of group rule definitions
ferm_group_rules: []List of host directories for chains
ferm_host_dirs: []List of host rule definitions
ferm_host_rules: []Raw rules applied with ferm
ferm_raw_rules: |
@include before.d/;
domain (ip ip6) {
table filter {
chain INPUT {
policy {{ ferm_default_input_policy }};
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface lo ACCEPT;
proto icmp ACCEPT;
@include input.d/;
}
chain FORWARD {
policy {{ ferm_default_forward_policy }};
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
@include forward.d/;
}
chain OUTPUT {
policy {{ ferm_default_output_policy }};
@include output.d/;
}
}
}
@include ferm.d/;ferm
- None
Apache-2.0