Hi all,
I’m working on a set of roles for my organisation and part of the work is configuring a “secure” base system.
I want to be able to set some “sensible” defaults on a firewall and then have other roles open them up based on criteria from group_vars or similar.
Given that Ansible does not have a way of constructing a hash from across multiple roles and that these roles must work on RHEL, CentOS, Debian and Ubuntu, what is the best way to provision a firewall?
I have read https://groups.google.com/forum/#!searchin/ansible-project/firewall/ansible-project/dNgBYktNaBY/AEK0_Uiu0UoJ and https://groups.google.com/forum/#!searchin/ansible-project/firewall/ansible-project/rkavS1H6AtA/ZIfhXrSRKTQJ, both of which indicate that “ferm” is the way to go (although the wiki link that “shows you how to do this” appears to be offline at the moment); however, I come from a Chef background, so I’m really looking for something that works in the same way as https://github.com/opscode-cookbooks/firewall if possible.
The way that the Chef cookbook works is that you specify a firewall rule and it then works out whether it should be using UFW, Firewalld or some other format and applies that to the underlying system. At the moment, the only way I can see of setting firewall rules “officially” in Ansible is to use the ufw module in tasks/debian.yml and the firewalld module in tasks/rhel.yml and then include those files in main.yml based on the OS that I detect.
Does anyone have a “smart” way of doing this?
Thanks in advance,
Matt
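One way to lay out the role described in the question, as an added example that is not part of the original post, of the Chef cookbook it mentions, or of any Ansible project: a single distro-agnostic rule list lives in the role defaults (so group_vars can override it), and main.yml dispatches on `ansible_os_family` to a ufw task file or a firewalld task file. The role name, the variable names and the use of a current Ansible release (`include_tasks`, `loop`) are assumptions; each `---` section stands for a separate file.

```yaml
# roles/base_firewall/defaults/main.yml (constructed example; names are assumptions)
# One OS-independent rule list; group_vars or other roles override it as a whole.
firewall_rules:
  - { port: 22,  proto: tcp, zone: public }
  - { port: 443, proto: tcp, zone: public }
---
# roles/base_firewall/tasks/main.yml
# Debian and Ubuntu report os_family "Debian"; RHEL and CentOS report "RedHat".
- name: Apply firewall rules with the backend for the detected OS family
  include_tasks: "{{ ansible_os_family | lower }}.yml"
---
# roles/base_firewall/tasks/debian.yml (ufw backend)
- name: Default-deny incoming traffic before opening anything
  ufw:
    direction: incoming
    policy: deny
- name: Allow each listed port
  ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
  loop: "{{ firewall_rules }}"
- name: Enable ufw so the rule set is enforced
  ufw:
    state: enabled
---
# roles/base_firewall/tasks/redhat.yml (firewalld backend)
- name: Ensure firewalld is running and enabled at boot
  service:
    name: firewalld
    state: started
    enabled: yes
- name: Allow each listed port in its zone (persisted and applied immediately)
  firewalld:
    port: "{{ item.port }}/{{ item.proto }}"
    zone: "{{ item.zone | default('public') }}"
    permanent: yes
    immediate: yes
    state: enabled
  loop: "{{ firewall_rules }}"
```

The default firewalld zone already drops unlisted inbound traffic, which is why only the ufw file needs an explicit default-deny step.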