Closed Encephala closed 11 months ago
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.
bump
This issue is no longer marked for closure.
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
Hello from the Netherlands! Firstly, thanks a lot for your Ansible 101 series! I really enjoyed it and it's made me much more confident messing around in my homelab.
I wanted to use the role to lock down a VM so that it can only access the internet, not any local device. I ran into two problems: first, it is not possible to configure outgoing firewall rules (as the README mentions). Second, I wanted the default policy for outgoing rules to be DROP, but the default policy was hardcoded (note also issue #93).
The latter is rather easy to implement. The prior has no one right way to do it though in a backwards compatible way. Here are some issues I ran into and how I went about it:
port and a policy value, in which case those are used.
https://github.com/Encephala/ansible-role-firewall/blob/670aa337735ba44afc39c5731e31b71fc5f9010b/README.md?plain=1#L28-L30

firewall_tcp_**allowed**_rules implies only ACCEPT rules may be added, but this is, by the previous point, no longer the case. I renamed this variable to firewall_tcp_rules and likewise for UDP, and added a default value for the new variables so that they copy the old variables if they exist. I also wrote a plugin to warn the user that the old variable has been superseded if they used it.
https://github.com/Encephala/ansible-role-firewall/blob/670aa337735ba44afc39c5731e31b71fc5f9010b/defaults/main.yml#L26-L27

firewall_*_allowed_rules is overwritten by the firewall_*_rules. I've found no good way to implement a filter to warn the user for this, and considering it's quite an edge case, I've left it as is. Perhaps you know of a good way to do this.

PS: This is my first time really using Ansible (and Git for that matter), so if I've missed any silly things, feel free to point them out and/or ignore part of my changes.
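The following is an added, stand-alone Python model of the scheme the post above describes; it is not code from ansible-role-firewall or from Encephala's fork. It takes the post's variable names (firewall_tcp_rules superseding firewall_tcp_allowed_rules, rule entries that may be a bare port or a dict with port and policy) and makes the chain's default policy a parameter instead of a hardcoded value. The rendering to iptables commands, the warning wording, and the detection of the "both old and new variable set" edge case are assumptions made for this example, not the role's own behaviour.

```python
"""Illustrative model of the rule scheme discussed in the post (added example,
not the role's code).  Rule entries are either a bare port, which keeps the old
'allowed' meaning, or a {"port": .., "policy": ..} dict.  The old
firewall_<proto>_allowed_rules names still work but produce a warning, and the
chain's default policy is a parameter.  Rendering and warning text are
assumptions for this example."""

RULE_POLICIES = {"ACCEPT", "DROP", "REJECT"}   # valid -j targets for a rule
CHAIN_POLICIES = {"ACCEPT", "DROP"}            # iptables -P accepts only these


def normalize_rule(entry):
    """Turn an int/str port or a {"port", "policy"} dict into (port, policy)."""
    if isinstance(entry, dict):
        port = int(entry["port"])
        policy = str(entry.get("policy", "ACCEPT")).upper()
    else:
        port = int(entry)
        policy = "ACCEPT"
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if policy not in RULE_POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    return port, policy


def resolve_rules(role_vars, proto):
    """Look up firewall_<proto>_rules, falling back to the superseded
    firewall_<proto>_allowed_rules.  Returns (rules, warnings).  The warnings
    cover the plain fallback and the edge case where both names are set and
    the new one silently wins (assumed behaviour for this example)."""
    new_name = f"firewall_{proto}_rules"
    old_name = f"firewall_{proto}_allowed_rules"
    warnings = []
    if old_name in role_vars and new_name in role_vars:
        warnings.append(f"{old_name} is ignored because {new_name} is also set")
    elif old_name in role_vars:
        warnings.append(f"{old_name} is superseded by {new_name}")
    entries = role_vars.get(new_name, role_vars.get(old_name, []))
    return [normalize_rule(e) for e in entries], warnings


def render_chain(chain, proto, rules, default_policy="ACCEPT"):
    """Render iptables commands for one chain/protocol pair.  Explicit rules
    are appended first and the chain policy is set last, so applying a DROP
    policy never precedes the rules that are meant to punch holes in it."""
    if default_policy not in CHAIN_POLICIES:
        raise ValueError(f"chain policy must be one of {sorted(CHAIN_POLICIES)}")
    lines = [
        f"iptables -A {chain} -p {proto} -m {proto} --dport {port} -j {policy}"
        for port, policy in rules
    ]
    lines.append(f"iptables -P {chain} {default_policy}")
    return lines


if __name__ == "__main__":
    # Constructed sample variables: TCP still uses the old name, UDP the new one.
    sample_vars = {
        "firewall_tcp_allowed_rules": [22, {"port": 25, "policy": "REJECT"}],
        "firewall_udp_rules": [{"port": 53}],
    }
    for proto in ("tcp", "udp"):
        rules, notes = resolve_rules(sample_vars, proto)
        for note in notes:
            print("WARNING:", note)
        print("\n".join(render_chain("INPUT", proto, rules, "DROP")))
```

The "both variables set" case is detected here simply because the resolver sees the whole variable dict at once, which is exactly what a Jinja default() in defaults/main.yml cannot do; that is why it is modelled as a separate function rather than as a filter.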