So, to resurrect an old topic... And remind myself why I like having a hardware firewall covering my behind...

I've about figured out how to use the UFW module correctly. Which makes me happy. Unfortunately, I have to administer SLES and CentOS VMs as well. I was going to use the firewalld module, but then I couldn't find a firewalld package in the repos to install... That leaves me kind of hanging... CentOS has /etc/sysconfig/iptables if I knew iptables. Not sure if SLES has a decent command line interface I could use... It does use a GUI tool, and forces me to install a GUI on the server, so I might just run them manually...

Anyway, apologies for the rambling, it's the end of the day for me. Here are my questions:

Has anyone looked at creating an iptables module that would just work on all OSes that have Python and iptables? Maybe make the most common stuff easy, and then have a way for people to input a full iptables command? So, for people running simple stuff, like me, could make a task like

    iptables: ports="22,2222" proto="tcp,udp" allowed_from="10.0.0.0/8" allowed_to="everywhere"

More complicated stuff could be:

    iptables: command="stuff that is currently gibberish to me"

Michael, you mentioned a config file, which one were you talking about?

Is there a way to install firewalld that my google-fu missed? Or even ufw?

Is there a really good introduction to iptables that you would recommend? Since the obvious route to solve my problem is to suck it up and learn iptables...

Thanks!

--David Reagan

On Tue, Oct 8, 2013 at 8:09 AM, Michael DeHaan <[email protected]> wrote:
> Generally speaking, I like to do the following with iptables
>
>     {% if 'webservers' in group_names %}
>     section of iptables config for webservers
>     {% endif %}
>
> And just template the config file, and set up a notify to reload iptables
> when it changes.
>
> I should also point out there is a firewalld module in the devel branch
> now too.
>
> On Tue, Oct 8, 2013 at 9:15 AM, Guillaume Subiron <[email protected]> wrote:
>> I also think shorewall is a good way to deploy firewall configuration
>> using ansible.
>>
>> I tried to use iptables-persistent, but shorewall allows to split the
>> rules in many files. Using run-parts in /etc/shorewall/rules, you can
>> put any file in rules.d/.
>>
>> So in my "common" playbook, I only deploy common rules (close
>> everything by default, allow ping and ssh). Then, each role can add
>> some rules. The "webserver" role, for instance, adds a rule file to
>> open HTTP and HTTPS ports.
>>
>> You just have to pay attention to the order in which the files will be
>> executed.
>>
>> On 13/10/08 14:43, Kahlil Hodgson wrote:
>>> I'm using shorewall for all my VMs. It's kinda overkill for a single
>>> nic, but I find it works quite well with ansible.
>>> The configuration for VMs with a single nic is very basic.
>>>
>>> The files
>>>
>>>     shorewall.conf (one setting changed from default)
>>>     policy (3 lines)
>>>     zones (2 lines)
>>>     interfaces (1 line)
>>>
>>> are somewhat trivial and identical across all VMs.
>>>
>>> The
>>>
>>>     rules (3 - 10 lines)
>>>
>>> file is where the ingress and egress filtering is controlled and is
>>> easily templated.
>>>
>>> I also 'chain' handlers as follows to ensure modifications don't leave
>>> iptables in a bad state:
>>>
>>>     tasks:
>>>       ....
>>>         notify: check shorewall
>>>       ....
>>>
>>>     handlers:
>>>
>>>       - name: check shorewall
>>>         command: /sbin/shorewall check
>>>         notify: restart shorewall
>>>
>>>       - name: restart shorewall
>>>         action: service name=shorewall state=restarted
>>>
>>> I'm happy to provide some initial content to get you started.
>>>
>>> Cheers,
>>>
>>> K
>>>
>>> Kahlil (Kal) Hodgson GPG: C9A02289
>>> Head of Technology (m) +61 (0) 4 2573 0382
>>> DealMax Pty Ltd (w) +61 (0) 3 9008 5281
>>>
>>> Suite 1415
>>> 401 Docklands Drive
>>> Docklands VIC 3008 Australia
>>>
>>> "All parts should go together without forcing. You must remember that
>>> the parts you are reassembling were disassembled by you. Therefore,
>>> if you can't get them together again, there must be a reason. By all
>>> means, do not use a hammer." -- IBM maintenance manual, 1925
>>>
>>> On Tue, Oct 8, 2013 at 1:49 PM, David Reagan <[email protected]> wrote:
>>>> Yes, the firewall also manages internal DMZs. We are protected quite
>>>> well, adding the firewall to the VMs on our network is just one extra
>>>> step to be as secure as possible.
>>>>
>>>> I do have a few VMs outside the main firewall, on those I'm
>>>> currently using ufw.
>>>>
>>>> So the main point of my post was just to get a general idea of how
>>>> others are managing firewalls with Ansible.
>>>>
>>>> --David Reagan
>>>>
>>>> On Mon, Oct 7, 2013 at 5:38 PM, Luke Tislow <[email protected]> wrote:
>>>>> I'd say whatever your external rules are will cover that, the rest
>>>>> of the requirements should be on your internal side.
>>>>>
>>>>> Do you manage your internal networks and adjust firewalls?
>>>>>
>>>>> -luke
>>>>>
>>>>> On Oct 7, 2013 7:10 PM, "David Reagan" <[email protected]> wrote:
>>>>>> So far I've found a few tools that let me manage linux firewalls.
>>>>>>
>>>>>>     iptables
>>>>>>     ufw
>>>>>>     shorewall
>>>>>>     ferm
>>>>>>
>>>>>> I'm not skilled with any of them, and ufw is the only one I've
>>>>>> really used. I know enough to block everything but the ports I
>>>>>> actually use. I'm a bit fuzzy on firewalls because we have a very
>>>>>> good hardware firewall in place that I don't manage. Adding firewalls
>>>>>> to each VM is me being extra careful.
>>>>>>
>>>>>> Both iptables and ufw appear to operate by running commands on the
>>>>>> command line. So I could do that via the command or shell module.
>>>>>> That means I'd end up running the firewall commands every time I run
>>>>>> my Ansible playbooks. And I think I'd end up restarting the firewall
>>>>>> every time as well.
>>>>>>
>>>>>> Both of those things don't seem like good things to do. Am I right
>>>>>> in that? Or would it be perfectly fine to run the commands and
>>>>>> restart the firewall every time I run Ansible?
>>>>>>
>>>>>> Shorewall and ferm appear to use config files to set the rules,
>>>>>> then they run the iptables commands for you from them. At least I
>>>>>> think that's how they work. That would let me use templates for the
>>>>>> config file. I like that. But I don't like how complicated the files
>>>>>> are. Both projects' documentation is kind of hard to figure out where
>>>>>> to start.
>>>>>>
>>>>>> I did find the start of a ufw module
>>>>>> (https://groups.google.com/d/topic/ansible-project/I1Vd3oPBfFw/discussion),
>>>>>> but it doesn't look like it's going anywhere.
>>>>>>
>>>>>> What other options are there? What do you do?
>>
>> --
>> Guillaume Subiron
>> Mail - [email protected]
>> GPG - C7C4 455C
>> Jabber - [email protected]
>> IRC - maethor@(freenode|geeknode)
>
> --
> Michael DeHaan <[email protected]>
> CTO, AnsibleWorks, Inc.
> http://www.ansibleworks.com/

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CANo%2B_AcnGwEadHJG52eW%2BBkwgGhF%2B4B3%2Bxno%3D5GCgKp0j_S1sg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
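The templated-config-plus-handler pattern Michael describes, combined with Kahlil's point of checking the ruleset before restarting, as an added example (constructed here, not code from any poster or from the Ansible project): a playbook for the CentOS /etc/sysconfig/iptables file David mentions. It assumes a `webservers` group as in Michael's snippet, the legacy `iptables` service, and `iptables-restore --test` for validation; the SSH source network 10.0.0.0/8 is taken from David's proposed task.

```yaml
# Constructed example for CentOS with the legacy iptables service.
# The ruleset path, group name and allowed networks are assumptions.
- hosts: all
  become: yes
  tasks:
    - name: deploy iptables ruleset (rejected if iptables-restore cannot parse it)
      copy:
        dest: /etc/sysconfig/iptables
        owner: root
        group: root
        mode: "0600"
        # iptables-restore --test parses the candidate file without committing it,
        # so a broken template never replaces the live ruleset.
        validate: /sbin/iptables-restore --test %s
        # The content is rendered through Jinja2 like a template file would be.
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
          -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
          {% if 'webservers' in group_names %}
          -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
          {% endif %}
          COMMIT
      notify: restart iptables
  handlers:
    # Only runs when the rendered file actually changed, so repeated
    # playbook runs do not restart the firewall needlessly.
    - name: restart iptables
      service:
        name: iptables
        state: restarted
```

Because `validate` runs on the temporary file before it replaces the live one, a template that iptables-restore cannot parse fails the task and the old ruleset stays in place; the handler restarts the service only when the file actually changed.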
