Open zerr0s opened 3 years ago
This role has an option "firewall_flush_rules_and_chains:", but I found a bug where the rules are flushed anyway: https://github.com/geerlingguy/ansible-role-firewall/issues/80
Therefore, I made a correction and added the options firewall_flush_rules_input:, firewall_flush_rules_output: and firewall_flush_rules_forward:, and excluded "iptables -F" from the service start template.
To use Docker you need to add firewall_flush_rules_forward: false, since Docker adds its rules to the FORWARD chain.
You can use this role with my fixes: https://github.com/alexeychusta/ansible-firewall
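An added shell example (not the role's own firewall template and not the linked fork) of the per-chain flush the options above describe: each built-in chain is flushed only when its flag is "true", so a Docker host can keep FORWARD intact. The flag names FLUSH_INPUT/FLUSH_OUTPUT/FLUSH_FORWARD and the IPTABLES override are assumptions made for this example.

```shell
# Flag variables mirror the proposed role options; "true" flushes that chain.
# FORWARD defaults to "false" because Docker's DOCKER/DOCKER-USER rules hang off it.
FLUSH_INPUT="${FLUSH_INPUT:-true}"
FLUSH_OUTPUT="${FLUSH_OUTPUT:-true}"
FLUSH_FORWARD="${FLUSH_FORWARD:-false}"

# Command used to touch the firewall; override with IPTABLES=dry_run to only print.
IPTABLES="${IPTABLES:-iptables}"

# Dry-run stand-in for iptables: prints the arguments instead of changing rules.
dry_run() {
    printf '%s\n' "$*"
}

# Flush only the built-in chains whose flag is "true", one chain at a time,
# instead of a blanket "iptables -F" that also wipes Docker's FORWARD rules.
flush_selected_chains() {
    chain=""
    flag=""
    for chain in INPUT OUTPUT FORWARD; do
        case "$chain" in
            INPUT)   flag="$FLUSH_INPUT" ;;
            OUTPUT)  flag="$FLUSH_OUTPUT" ;;
            FORWARD) flag="$FLUSH_FORWARD" ;;
        esac
        if [ "$flag" = "true" ]; then
            "$IPTABLES" -F "$chain"
        fi
    done
}

# Lists the chains that flush_selected_chains would flush, space separated,
# without touching the firewall (useful as a pre-flight check in a pipeline).
chains_to_flush() {
    (
        IPTABLES=dry_run
        flush_selected_chains
    ) | awk '{print $2}' | tr '\n' ' ' | sed 's/ $//'
}

# Only apply for real when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    flush_selected_chains
fi
```

Run with `FLUSH_FORWARD=false sh flush.sh --apply` on a Docker host; `chains_to_flush` shows what would be flushed first.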
Hello. Thanks, I'll try it ASAP.
I will likely be revamping this role a little bit to allow something similar, as this has bitten me in the past as well with Docker and this role side-by-side.
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
This issue is no longer marked for closure.
Hey @geerlingguy
Since mikegleasonjr/ansible-role-firewall is no longer maintained, I will use your role, and the first thing I was looking for was the same behaviour with Docker, since mikegleasonjr/ansible-role-firewall was also flushing existing rules.
So what's the current state? Is there something we can do to make this feature available ASAP?
Btw., maybe it helps someone: I restart the docker/fail2ban services right after updating the iptables rules, so the chains will be recreated by those daemons.
```yaml
- hosts: all
  become: yes
  become_user: root
  pre_tasks:
    - include: tasks/pre/load_vars.yml
  roles:
    - role: community/firewall
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Restart docker to revert iptables chains
      ansible.builtin.service:
        name: docker
        state: restarted
      when: ansible_facts.services["docker.service"] is defined
    - name: Restart fail2ban to revert iptables chains
      ansible.builtin.service:
        name: fail2ban
        state: restarted
      when: ansible_facts.services["fail2ban.service"] is defined
```
PR (for compatibility with docker): https://github.com/geerlingguy/ansible-role-firewall/pull/106
Thanks @renepardon for the hint.
I did the following to restart docker and fail2ban when the firewall is restarted:
restart firewall:
```yaml
---
playbook:
  roles:
    - role: geerlingguy.firewall
  post_tasks:
    - meta: flush_handlers
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Restart docker to revert iptables chains
      ansible.builtin.service:
        name: docker
        state: restarted
      when: ansible_facts.services["docker.service"] is defined and reg_firewall_restarted is defined
    - name: Restart fail2ban to revert iptables chains
      ansible.builtin.service:
        name: fail2ban
        state: restarted
      when: ansible_facts.services["fail2ban.service"] is defined and reg_firewall_restarted is defined
```
I want to avoid making changes to the handler, but I don't know a better way.
Hello, forgive me for my bad English.
First, special thanks for your Ansible roles. I use them every day in my pipelines for all servers (dev, prod, etc.). I'm trying this role to manage iptables rules over a CI/CD pipeline. On each run, all rules are removed on all servers and new rules are applied.
My servers have Docker installed, and all iptables rules added by Docker are flushed, so Docker needs to be restarted.
Is there a way to apply new rules dynamically?
Thanks.