Default variable details
Some of debops.ferm
default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
ferm__rules
The ferm__*_rules
variables are YAML lists which define what
firewall rules are configured on a host. The rules are combined together in the
ferm__combined_rules
variable which defines the order of the rule
variables and therefore how they will affect each other.
Each entry in the ferm__*_rules
lists is a YAML dictionary. The entry needs
to have the name
parameter that specifies the rule name, otherwise it will
be skipped.
The result is stored as ferm__parsed_rules
variable. This order
allows modification of the default rules as well as rules defined by other
Ansible roles using Ansible inventory variables.
The rules are stored in the /etc/ferm/rules.d/
directory and
the filename format is:
/etc/ferm/rules.d/<weight>_rule_<name>.conf
The rule "weight" is determined by a given rule type which can be overridden if
needed, see the type
, weight
and weight_class
parameters for more
details.
Each rule defined in a dictionary uses specific parameters. The parameters described here are general ones, mostly usable on the main "level" and are related to management of rule files. The parameters related to specific ferm rules are described in Firewall Rule Definitions documentation.
name
Name of the firewall rule to configure. An example rule definition:
ferm__rules: - name: 'accept_all_connections' type: 'accept' accept_any: True
rules
Either a string or a YAML text block that contains raw ferm configuration options, or a list of YAML dictionaries which specify firewall rules. If this parameter is not specified, role will try and generate rules automatically based on other parameters specified on the "first level" of a given rule definition. Most of the other parameters can be specified on the "second level" rules and will apply to a given rule in the list.
Example custom rule definition that restarts nginx after firewall is modified:
ferm__rules: - name: 'restart_nginx': type: 'post-hook' rules: '@hook post "type nginx > /dev/null && systemctl restart nginx || true";'
Example list of rule definitions which will open access to different service ports; rules will be present in the same file:
ferm__rules: - name: 'allow_http_https' rules: - dport: 'http' accept_any: True - dport: 'https' accept_any: True
rule_state
Optional. Specify the state of the firewall rule file, or one of the rules included in that file. Supported states:
present
: default. The rule file will be created if it doesn't exist, a rule will be present in the file.absent
: The rule file will be removed, a rule in the file will not be generated.ignore
: the role will not change the current state of the configuration file. This value does not have an effect on the rules inside the file.
comment
Optional. Add a comment in the rule configuration file, either as a string or as a YAML text block.
template
Optional. Name of the template to use to generate the firewall rule file. Currently only one template is available,
rule
so this option is not useful yet.type
Optional. Specify the rule type as a name, for example
accept
orreject
. Different rule types can use different rule parameters, the rule type also affects the "weight" used to order the configuration files. Weight of the different rules is specified in theferm__default_weight_map
variable and can be overridden using theferm__weight_map
variable.List of known rule types can be found in the Firewall Rule Definitions documentation.
weight_class
Optional. Override the rule type with another type, to change the sort order of the configuration files. This parameter does not affect the ferm configuration template, only the resulting filename.
weight
Optional. Additional positive or negative number (for example
2
or-2
) which will be added to the rule weight affecting the file sorting order.
ferm_input_list
This is a set of legacy debops.ferm
variables, kept to allow older roles to
be usable with new variables. You should use the ferm__*_rules
variables
instead in new configuration, the legacy variables will be removed at some
point.
List of ferm INPUT rules that should be present or absent in the firewall rule
set. The same format is also used for ferm_input_group_list
,
ferm_input_host_list
and ferm_input_dependent_list
. Each rule is
defined as a YAML dict with the following keys:
type
Name of template file to use, required. Format:
<type>.conf.j2
dport
List of destination ports to manage, required.
name
Optional. Custom name used in the generated rule filename
weight
Optional. Helps with file sorting in rule directory
filename
Optional. Custom filename instead of a generated one
rule_state
Optional. State of the rule. Defaults to
present
. Possible values:present
orabsent
Depending on the chosen type, many additional variables are supported. Please
check the template files located in the templates/etc/ferm/ferm.d
directory.