Role - tripleo-firewall

Role Documentation

Welcome to the “tripleo-firewall” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo-firewall” role.

tripleo_firewall_default_rules:
  000 accept related established rules:
    proto: all
    state:
    - RELATED
    - ESTABLISHED
  001 accept all icmp:
    ipversion: ipv4
    proto: icmp
  001 accept all ipv6-icmp:
    ipversion: ipv6
    proto: ipv6-icmp
  002 accept all to lo interface:
    interface: lo
    proto: all
  004 accept ipv6 dhcpv6:
    destination: fe80::/64
    dport: 546
    ipversion: ipv6
    proto: udp
    state:
    - NEW
  998 log all:
    jump: LOG
    limit: 20/min
    limit_burst: 15
    proto: all
  999 drop all:
    action: drop
    proto: all
tripleo_firewall_rules: {}

Role Variables: main.yml

tripleo_firewall_port_states:
  absent: absent
  disabled: absent
  enabled: present
  present: present
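The rule dictionaries above are keyed by a name whose three-digit prefix fixes the order in which rules are applied (the defaults run from "000 accept related established rules" to "999 drop all", with "998 log all" just before the drop), and the molecule scenarios further down toggle individual rules with extras.ensure: absent. The following linter is an added example, not code from the tripleo-firewall role: it merges a custom tripleo_firewall_rules dictionary over the defaults, normalises the mixed string/integer dport forms that the scenarios use ('21', 2122, '2200-2210'), and reports rules that would never be evaluated because they sort after the catch-all drop. It assumes sorted-name ordering, that a custom rule replaces a same-named default, and that extras.ensure values are resolved through tripleo_firewall_port_states; those assumptions are inferred from the data shown on this page, not taken from the role's own implementation.

```python
"""Added example: lint a tripleo_firewall_rules dictionary (not role code)."""
import copy
import re

# Subset of tripleo_firewall_default_rules, copied from the role defaults above.
DEFAULT_RULES = {
    "000 accept related established rules": {"proto": "all",
                                             "state": ["RELATED", "ESTABLISHED"]},
    "001 accept all icmp": {"ipversion": "ipv4", "proto": "icmp"},
    "002 accept all to lo interface": {"interface": "lo", "proto": "all"},
    "998 log all": {"jump": "LOG", "limit": "20/min", "limit_burst": 15, "proto": "all"},
    "999 drop all": {"action": "drop", "proto": "all"},
}

# tripleo_firewall_port_states from the role's main.yml.
PORT_STATES = {"absent": "absent", "disabled": "absent",
               "enabled": "present", "present": "present"}

PREFIX_RE = re.compile(r"^\d{3} ")            # "003 accept ftp from all"
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")   # "21" or "2200-2210"


def rule_ensure(body, port_states=PORT_STATES):
    """Resolve a rule's desired state to 'present'/'absent', or None if unknown.
    Assumption: the state lives in extras.ensure and is mapped via port_states."""
    raw = str(body.get("extras", {}).get("ensure", "present"))
    return port_states.get(raw)


def normalize_ports(dport):
    """Turn a scalar or list of ports (int or str, optionally 'low-high') into
    a list of (low, high) tuples; raise ValueError on anything malformed."""
    items = dport if isinstance(dport, list) else [dport]
    ranges = []
    for item in items:
        match = PORT_RE.match(str(item).strip())
        if not match:
            raise ValueError(f"bad port spec {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port spec {item!r} outside 1-65535")
        ranges.append((low, high))
    return ranges


def effective_rules(custom, defaults=DEFAULT_RULES):
    """Merge custom rules over defaults (same name overrides), drop rules whose
    state resolves to 'absent', and return [(name, body)] in sorted-name order
    (assumed to be the order the role applies them)."""
    merged = copy.deepcopy(defaults)
    merged.update(copy.deepcopy(custom))
    kept = [(n, b) for n, b in merged.items() if rule_ensure(b) != "absent"]
    return sorted(kept, key=lambda nb: nb[0])


def lint_rules(custom, defaults=DEFAULT_RULES):
    """Return human-readable findings for a tripleo_firewall_rules dict."""
    findings = []
    ordered = effective_rules(custom, defaults)
    # First unconditional drop (no proto, port or source restriction):
    # anything that sorts after it is dead configuration.
    drop_at = next((i for i, (_, b) in enumerate(ordered)
                    if b.get("action") == "drop" and b.get("proto", "all") == "all"
                    and "dport" not in b and "source" not in b), None)
    for i, (name, body) in enumerate(ordered):
        if not PREFIX_RE.match(name):
            findings.append(f"{name}: no three-digit ordering prefix")
        if drop_at is not None and i > drop_at:
            findings.append(f"{name}: sorts after the catch-all drop and is never evaluated")
        if rule_ensure(body) is None:
            findings.append(f"{name}: unknown ensure value {body['extras']['ensure']!r}")
        if "dport" in body:
            try:
                normalize_ports(body["dport"])
            except ValueError as exc:
                findings.append(f"{name}: {exc}")
            if "proto" in body and body["proto"] not in ("tcp", "udp"):
                findings.append(f"{name}: dport only applies to tcp/udp, not {body['proto']}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the firewall-add-complex scenario, plus one
    # deliberately mis-ordered rule so a finding is produced.
    sample = {
        "003 accept ftp from all": {"dport": "21", "proto": "tcp"},
        "003 accept custom from all": {"chain": "OUTPUT", "proto": "udp",
                                       "dport": ["2121", 2122, 2123, "2200-2210"]},
        "999 ssh late": {"dport": 22, "proto": "tcp"},
    }
    for line in lint_rules(sample) or ["no findings"]:
        print(line)
```

The ordering check is the one worth keeping around: with defaults that end in a log-then-drop pair, any site rule that lands lexically after "999 drop all" (or that lacks the numeric prefix and therefore sorts after every digit-prefixed name) silently opens nothing, and the only symptom is the denied traffic showing up in the LOG rule's output.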

Role Variables: redhat.yml

tripleo_firewall_packages:
- iptables-services

Molecule Scenarios

Molecule is being used to test the “tripleo-firewall” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: firewall-remove-complex

Driver: delegated

Molecule Options

ansible_connection_options:
  ansible_connection: ssh
login_cmd_template: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  -o Compression=no -o TCPKeepAlive=yes -o VerifyHostKeyDNS=no -o ForwardX11=no -o
  ForwardAgent=no {instance}
managed: false

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example firewall-remove-complex playbook

- hosts: all
  name: Converge
  roles:
  - role: tripleo-firewall
    tripleo_firewall_rules:
      003 accept custom from all:
        chain: OUTPUT
        dport:
        - '2121'
        - 2122
        - 2123
        - 2200-2210
        extras:
          ensure: absent
        proto: udp
      003 accept custom tcp from all:
        chain: test-chain
        dport:
        - 12121
        - 12122
        - 12123
        - 12200-12210
        extras:
          ensure: absent
        proto: tcp
      003 accept ftp from all:
        dport: '21'
        extras:
          ensure: absent
        proto: tcp
      004 gre networks:
        extras:
          ensure: absent
        proto: gre
      005 vrrp networks:
        extras:
          ensure: absent
        proto: vrrp
      006 ironic-inspector:
        dport: 2212
        extras:
          ensure: absent
      006 neutron-test:
        dport: 2211
        extras:
          ensure: absent

Scenario: firewall-remove

Driver: delegated

Molecule Options

ansible_connection_options:
  ansible_connection: ssh
login_cmd_template: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  -o Compression=no -o TCPKeepAlive=yes -o VerifyHostKeyDNS=no -o ForwardX11=no -o
  ForwardAgent=no {instance}
managed: false

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example firewall-remove playbook

- hosts: all
  name: Converge
  roles:
  - role: tripleo-firewall
    tripleo_firewall_rules:
      003 accept ftp from all:
        dport: 21
        extras:
          ensure: absent
        proto: tcp

Scenario: firewall-add-complex

Driver: delegated

Molecule Options

ansible_connection_options:
  ansible_connection: ssh
login_cmd_template: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  -o Compression=no -o TCPKeepAlive=yes -o VerifyHostKeyDNS=no -o ForwardX11=no -o
  ForwardAgent=no {instance}
managed: false

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example firewall-add-complex playbook

- hosts: all
  name: Converge
  roles:
  - role: tripleo-firewall
    tripleo_firewall_rules:
      003 accept custom from all:
        chain: OUTPUT
        dport:
        - '2121'
        - 2122
        - 2123
        - 2200-2210
        proto: udp
      003 accept custom tcp from all:
        chain: test-chain
        dport:
        - 12121
        - 12122
        - 12123
        - 12200-12210
        proto: tcp
      003 accept ftp from all:
        dport: '21'
        proto: tcp
      004 gre networks:
        proto: gre
      005 vrrp networks:
        proto: vrrp
      006 ironic-inspector:
        dport: 2212
      006 neutron-test:
        dport: 2211

Scenario: default

Driver: delegated

Molecule Options

ansible_connection_options:
  ansible_connection: ssh
login_cmd_template: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  -o Compression=no -o TCPKeepAlive=yes -o VerifyHostKeyDNS=no -o ForwardX11=no -o
  ForwardAgent=no {instance}
managed: false

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example default playbook

- hosts: all
  name: Converge
  roles:
  - role: tripleo-firewall

Scenario: firewall-add

Driver: delegated

Molecule Options

ansible_connection_options:
  ansible_connection: ssh
login_cmd_template: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  -o Compression=no -o TCPKeepAlive=yes -o VerifyHostKeyDNS=no -o ForwardX11=no -o
  ForwardAgent=no {instance}
managed: false

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example firewall-add playbook

- hosts: all
  name: Converge
  roles:
  - role: tripleo-firewall
    tripleo_firewall_rules:
      003 accept ftp from all:
        dport: 21
        proto: tcp