puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

Module Request: firewall_rules #98

Closed DonGiovanni83 closed 4 months ago

DonGiovanni83 commented 4 months ago

Module Description

Add, modify or delete firewall rules on the OPNsense system.

Minimum Viable Product (MVP)

Express your minimal viable product in the form of the Ansible DOCUMENTATION block format:

---
module: firewall_rules
short_description: This module is used to manage OPNsense firewall rules
version_added: "1.0.0"
description: This module is used to manage OPNsense firewall rules.
options:
    action:
        description: Choose what to do with packets that match the criteria specified below.
        choices:
            - pass
            - block
            - reject
        default: pass
        type: str
    disabled:
        description: Set this option to disable this rule without removing it from the list.
        required: false
        default: false
        type: bool
    ipprotocol:
        description: IP version
        required: false
        default: inet
        choices:
            - inet
            - inet6
            - inet46
        type: str
    quick:
        description: |
          If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken.
          When a rule does not have quick enabled, the last matching rule wins.
        required: false
        default: true
        type: bool
    interface:
        description: Choose on which interface packets must come in to match this rule.
        required: true
        type: str
    direction:
        description: |
          Direction of the traffic. Traffic IN is coming into the firewall interface, while traffic OUT is going out of the firewall interface.
          In visual terms: [Source] -> IN -> [Firewall] -> OUT -> [Destination]. The default policy is to filter inbound traffic,
          which means the policy applies to the interface on which the traffic is originally received by the firewall from the source.
          This is more efficient from a traffic processing perspective. In most cases, the default policy will be the most appropriate.
        choices:
            - in
            - out
        default: in
        type: str
    protocol:
        description: Choose which IP protocol this rule should match.
        choices:
            - any
            - tcp
            - udp
            - tcp/udp
            - icmp
            - esp
            - ah
            - gre
            - igmp
            - pim
            - ospf
            - ggp
            - ipencap
            - st2
            - cbt
            - egp
            - igp
            - bbn-rcc
            - nvp
            - pup
            - argus
            - emcon
            - xnet
            - chaos
            - mux
            - dcn
            - hmp
            - prm
            - xns-idp
            - trunk-1
            - trunk-2
            - leaf-1
            - leaf-2
            - rdp
            - irtp
            - iso-tp4
            - netblt
            - mfe-nsp
            - merit-inp
            - dccp
            - 3pc
            - idpr
            - xtp
            - ddp
            - idpr-cmtp
            - tp++
            - il
            - ipv6
            - sdrp
            - idrp
            - rsvp
            - dsr
            - bna
            - i-nlsp
            - swipe
            - narp
            - mobile
            - tlsp
            - skip
            - ipv6-icmp
            - cftp
            - sat-expak
            - kryptolan
            - rvd
            - ippc
            - sat-mon
            - visa
            - ipcv
            - cpnx
            - cphb
            - wsn
            - pvp
            - br-sat-mon
            - sun-nd
            - wb-mon
            - wb-expak
            - iso-ip
            - vmtp
            - secure-vmtp
            - vines
            - ttp
            - nsfnet-igp
            - dgp
            - tcf
            - eigrp
            - sprite-rpc
            - larp
            - mtp
            - ax.25
            - ipip
            - micp
            - scc-sp
            - etherip
            - encap
            - gmtp
            - ifmp
            - pnni
            - aris
            - scps
            - qnx
            - a/n
            - ipcomp
            - snp
            - compaq-peer
            - ipx-in-ip
            - carp
            - pgm
            - l2tp
            - ddx
            - iatp
            - stp
            - srp
            - uti
            - smp
            - sm
            - ptp
            - isis
            - crtp
            - crudp
            - sps
            - pipe
            - sctp
            - fc
            - rsvp-e2e-ignore
            - udplite
            - mpls-in-ip
            - manet
            - hip
            - shim6
            - wesp
            - rohc
            - pfsync
            - divert
        required: false
        default: any
        type: str
    source:
        description:
          - Specifies the source configuration.
        type: dict
        suboptions:
          address:
            description:
              - The IP address of the source.
            default: any
            type: str
          network:
            description:
              - The network of the source.
            default: any
            type: str
          port:
            description:
              - The port of the source.
            default: any
            type: str
          invert:
            description:
              - Inverts the match logic.
            default: false
            type: bool
    destination:
        description:
          - Specifies the destination configuration.
        type: dict
        suboptions:
          address:
            description:
              - The IP address of the destination.
            type: str
            default: any
          network:
            description:
              - The network of the destination.
            type: str
            default: any
          port:
            description:
              - The port of the destination.
            type: str
            default: any
          invert:
            description:
              - Inverts the match logic.
            default: false
            type: bool
    log:
        description: |
          Log packets that are handled by this rule. Hint: the firewall has limited local log space. Don't turn on logging for everything.
          If you want to do a lot of logging, consider using a remote syslog server.
        required: false
        default: false
        type: bool
    category:
        description: You may enter or select a category here to group firewall rules
        required: false
        type: str
    description:
        description: Description for the rule.
        required: false
        type: str
    state:
        description: Whether the rule should be added or removed.
        required: false
        type: str
        default: present
        choices: [present, absent]

Examples

- name: Block SSH in LAN Network
  puzzle.opnsense.firewall_rules:
    interface: lan
    protocol: tcp
    destination:
      port: 22
    action: block

Additional Notes (Optional)
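The add/modify/delete and present/absent behaviour requested above, as an added example in Python (not code from the puzzle.opnsense collection or from the issue author). It applies the defaults declared in the DOCUMENTATION block, validates the fixed-choice options, and reconciles a task against an in-memory rule list idempotently. Two things it assumes that the issue leaves open: a rule is identified by the (interface, description) pair, and the pf.conf-style rendering exists only to make a rule's meaning visible, not as what the module would write to OPNsense. The permit-all check is the example's own addition: with the documented defaults (action pass, protocol any, source and destination any), a task that sets only `interface` yields a rule that passes all traffic on that interface.

```python
"""Reconciliation logic for the requested firewall_rules module.

Added example, not code from the puzzle.opnsense collection or the issue author.
It models the DOCUMENTATION block in the issue: applies the documented defaults,
validates the fixed-choice options, and computes an idempotent present/absent
change against an in-memory rule list. Assumptions the issue does not make:
rules are identified by (interface, description), and the pf.conf rendering is
only an illustration of a rule's meaning, not the module's real output.
"""
from __future__ import annotations

ACTIONS = ("pass", "block", "reject")
IPPROTOCOLS = ("inet", "inet6", "inet46")
DIRECTIONS = ("in", "out")
STATES = ("present", "absent")

# Defaults exactly as declared in the DOCUMENTATION block.
RULE_DEFAULTS = {
    "action": "pass", "disabled": False, "ipprotocol": "inet", "quick": True,
    "direction": "in", "protocol": "any", "log": False, "category": None,
    "description": None, "state": "present",
}
ENDPOINT_DEFAULTS = {"address": "any", "network": "any", "port": "any", "invert": False}


def normalize(params: dict) -> dict:
    """Fill in defaults and validate choices, as AnsibleModule's argument_spec would."""
    if not params.get("interface"):
        raise ValueError("interface is required")
    rule = dict(RULE_DEFAULTS)
    rule.update({k: v for k, v in params.items() if k not in ("source", "destination")})
    for side in ("source", "destination"):
        endpoint = dict(ENDPOINT_DEFAULTS)
        endpoint.update(params.get(side) or {})
        endpoint["port"] = str(endpoint["port"])  # spec says type: str; YAML often gives an int
        rule[side] = endpoint
    for key, choices in (("action", ACTIONS), ("ipprotocol", IPPROTOCOLS),
                         ("direction", DIRECTIONS), ("state", STATES)):
        if rule[key] not in choices:
            raise ValueError(f"{key}: {rule[key]!r} is not one of {choices}")
    return rule


def is_permit_all(rule: dict) -> bool:
    """True for an enabled pass rule matching any protocol, any source, any destination.

    With the documented defaults a task that sets only `interface` produces exactly
    this rule, so a playbook lint step should flag it (example's own check).
    """
    if rule["action"] != "pass" or rule["disabled"] or rule["protocol"] != "any":
        return False
    any_endpoints = all(ep[k] == "any" for ep in (rule["source"], rule["destination"])
                        for k in ("address", "network", "port"))
    return any_endpoints and not (rule["source"]["invert"] or rule["destination"]["invert"])


def rule_key(rule: dict) -> tuple:
    """Identity used for add/modify/delete (assumption: interface + description)."""
    return (rule["interface"], rule["description"])


def reconcile(existing: list[dict], params: dict) -> tuple[bool, list[dict]]:
    """Return (changed, new_rule_list) for one task.

    A modified rule keeps its original position, since rule order matters on the
    firewall. Running the same task twice reports changed=False the second time.
    """
    desired = normalize(params)
    state = desired.pop("state")
    key = rule_key(desired)
    for i, current in enumerate(existing):
        if rule_key(current) != key:
            continue
        if state == "absent":
            return True, existing[:i] + existing[i + 1:]
        if current == desired:
            return False, list(existing)
        return True, existing[:i] + [desired] + existing[i + 1:]
    if state == "absent":
        return False, list(existing)
    return True, existing + [desired]


def to_pf(rule: dict) -> str:
    """Render the rule in pf.conf style so its semantics are visible (illustration only)."""
    parts = ["block return" if rule["action"] == "reject" else rule["action"], rule["direction"]]
    if rule["quick"]:
        parts.append("quick")
    if rule["log"]:
        parts.append("log")
    parts += ["on", rule["interface"]]
    if rule["ipprotocol"] != "inet46":  # inet46 covers both families: no address-family word
        parts.append(rule["ipprotocol"])
    if rule["protocol"] == "tcp/udp":
        parts += ["proto", "{ tcp udp }"]
    elif rule["protocol"] != "any":
        parts += ["proto", rule["protocol"]]
    for word, side in (("from", "source"), ("to", "destination")):
        ep = rule[side]
        host = ep["address"] if ep["address"] != "any" else ep["network"]
        parts += [word, ("! " if ep["invert"] else "") + host]
        if ep["port"] != "any":
            parts += ["port", ep["port"]]
    return " ".join(parts)


if __name__ == "__main__":
    # The issue's example task (with protocol tcp), as constructed input.
    task = {"interface": "lan", "protocol": "tcp", "destination": {"port": 22}, "action": "block"}
    changed, rules = reconcile([], task)
    print(changed, to_pf(rules[0]))
    print(reconcile(rules, task)[0])  # second run: False
```

Because source and destination both default to `any` and this example matches on description, every rule without a description on the same interface is treated as the same rule; a real module needs a stable identity for each rule, for instance by making `description` required or carrying the firewall's own rule identifier.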