From 7c90cacef0f5cf61fb8ac3adb905507dd4247d84 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Tue, 3 Mar 2015 13:06:49 -0500 Subject: refactor firewall management into new role - Add os_firewall role - Remove firewall settings from base_os, add wait task to os_firewall - Added a iptables firewall module for maintaining the following (in a mostly naive manner): - ensure the OPENSHIFT_ALLOW chain is defined - ensure that there is a jump rule in the INPUT chain for OPENSHIFT_ALLOW - adds or removes entries from the OPENSHIFT_ALLOW chain - issues '/usr/libexec/iptables/iptables.init save' when rules are changed - Limitations of iptables firewall module - only allows setting of ports/protocols to open - no testing on ipv6 support - made os_firewall a dependency of openshift_common - Hardcoded openshift_common to use iptables (through the vars directory) until upstream support is in place for firewalld --- roles/os_firewall/README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 roles/os_firewall/README.md (limited to 'roles/os_firewall/README.md') diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md new file mode 100644 index 000000000..fe6318184 --- /dev/null +++ b/roles/os_firewall/README.md @@ -0,0 +1,66 @@ +OS Firewall +=========== + +OS Firewall manages firewalld and iptables firewall settings for a minimal use +case (Adding/Removing rules based on protocol and port number). + +Requirements +------------ + +None. + +Role Variables +-------------- + +| Name | Default | | +|---------------------------|---------|----------------------------------------| +| os_firewall_use_firewalld | True | If false, use iptables | +| os_firewall_allow | [] | List of service,port mappings to allow | +| os_firewall_deny | [] | List of service, port mappings to deny | + +Dependencies +------------ + +None. + +Example Playbook +---------------- + +Use iptables and open tcp ports 80 and 443: +``` +--- +- hosts: servers + vars: + os_firewall_use_firewalld: false + os_firewall_allow: + - service: httpd + port: 80/tcp + - service: https + port: 443/tcp + roles: + - os_firewall +``` + +Use firewalld and open tcp port 443 and close previously open tcp port 80: +``` +--- +- hosts: servers + vars: + os_firewall_allow: + - service: https + port: 443/tcp + os_firewall_deny: + - service: httpd + port: 80/tcp + roles: + - os_firewall +``` + +License +------- + +ASL 2.0 + +Author Information +------------------ +Jason DeTiberus - jdetiber@redhat.com -- cgit v1.2.1