
# Copyright 2022 OCF Ltd. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
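firewalld:
  ## Toggle firewalld as installed and started
  enable: true

  ## INI entries to override in firewalld.conf (key/value pairs written as-is)
  firewalld_conf_file: /etc/firewalld/firewalld.conf
  firewalld_conf:
    # Interfaces and sources not bound to another zone fall into this zone;
    # the 'public' zone defined further down only admits ssh.
    DefaultZone: "public"
    # Kernel logging of rejected/dropped packets. firewalld accepts
    # off | unicast | broadcast | multicast | all. With "off" blocked
    # connections leave no trace in the logs; consider "unicast" where
    # detection or troubleshooting of dropped traffic matters.
    # Keep the value quoted: a bare off is parsed by YAML as boolean false.
    LogDenied: "off"

  ## Configure permanent firewalld services (xml config file)
  ## Each entry is applied to the xCAT node groups in 'xcat_groups' and opened
  ## on the xCAT networks listed in 'xcat_networks'.
  firewalld_services:
    - name: ssh
      short: "SSH"
      description: "SSH service"
      port:
        - port: 22
          protocol: tcp
      xcat_groups:
        - all
      # ssh is opened on every network listed here, including the out-of-band
      # 'ipmi' network and 'campus'; trim the list if ssh must not be reachable
      # from those segments.
      xcat_networks:
        - campus
        - cluster
        - infiniband
        - ipmi
        - lustre
    - name: dhcpd
      short: "dhcp"
      # NOTE(review): 7911/tcp is the ISC dhcpd OMAPI control socket (remote
      # query/update of leases), not the DHCP protocol itself -- 67/68 udp are
      # not opened by this entry. It is a management interface, and the
      # 'compute'/'all' groups open it on every member, not only on the host
      # that runs dhcpd; confirm which hosts actually need it reachable.
      description: "DHCP Service"
      port:
        - port: 7911
          protocol: tcp
      xcat_groups:
        - compute
        - all
      xcat_networks:
        - cluster
    # #
    # # Sample rulesets (disabled). Review before enabling: several of these
    # # expose clear-text or control-plane ports to the listed networks.
    # #
    # - name: zabbix
    #   short: "Zabbix"
    #   description: "Zabbix Ports"
    #   port:
    #     - port: 10050
    #       protocol: tcp
    #     - port: 10051
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband
    # - name: bacula
    #   short: "Bacula"
    #   description: "Bacula Client"
    #   port:
    #     - port: 9102
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband
    # # FTP carries credentials in clear text; prefer sftp/scp over ssh (22)
    # # above unless a legacy client really requires it.
    # - name: ftp
    #   short: "FTP"
    #   description: "FTP Client/Server"
    #   port:
    #     - port: 21
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband
    # # 3001-3003/tcp are xcatd listeners; 623/udp is IPMI/RMCP. Opening these
    # # on 'compute'/'all' exposes them on every node, not just the management node.
    # - name: xCAT
    #   short: "xcatd"
    #   description: "xCAT Services"
    #   port:
    #     - port: 3001
    #       protocol: tcp
    #     - port: 3002
    #       protocol: tcp
    #     - port: 3003
    #       protocol: tcp
    #     - port: 623
    #       protocol: udp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband
    # # 514/tcp is plain syslog unless rsyslog is configured for TLS; only the
    # # log collector needs to listen, not every node in the group.
    # - name: rsyslogd
    #   short: "rsyslogd"
    #   description: "Rsyslog Service"
    #   port:
    #     - port: 514
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband
    # # 53/tcp only (no 53/udp) and 953/tcp, which is the rndc control channel
    # # rather than DNS itself -- restrict 953 to the hosts that administer named.
    # - name: named
    #   short: "named"
    #   description: "DNS Service"
    #   port:
    #     - port: 53
    #       protocol: tcp
    #     - port: 953
    #       protocol: tcp
    #   xcat_groups:
    #     - compute
    #     - all
    #     - slurm
    #     - ansible
    #   xcat_networks:
    #     - cluster
    #     - infiniband

  ## Configure permanent firewalld zones (xml config file)
  firewalld_zones:
    #
    # network <-> network allow-all rules (ipset 'cluster' is auto-generated from xcat_networks).
    # An ipset can only be bound to a single zone, so to use this form of rule any service
    # with a 'cluster' entry in its 'xcat_networks:' list must have 'cluster' removed.
    #
    # - name: cluster2cluster
    #   short: "cluster2cluster"
    #   description: "allow ingress from cluster network"
    #   target: "ACCEPT"   # every port from these sources, not just the listed services
    #   source:
    #     - ipset: cluster
    #
    # inbuilt safety rule
    #
    - name: public
      short: "Public"
      description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
      # No 'target' is set, so firewalld's own default for the zone applies and
      # only the listed service is admitted. Keeping ssh here prevents locking
      # yourself out of a host that lands in the default zone.
      service:
        - name: "ssh"
    #
    # accept any traffic from management hosts
    #
    # - name: mgt
    #   short: "MGT"
    #   description: "Trust my management hosts"
    #   target: "ACCEPT"   # unrestricted ingress from the addresses below; keep the list to /32s
    #   source:
    #     - address: 172.22.1.220/32
    #     - address: 172.22.1.221/32

  ## Configure permanent firewalld ipsets (xml config file)
  ## No zone in this file binds these ipsets as a source, so by themselves they
  ## filter nothing; whatever consumes them (e.g. a fail2ban action) must reference them.
  firewalld_ipsets:
    fail2ban-ssh:
      short: fail2ban-ssh
      description: fail2ban-ssh ipset
      type: 'hash:ip'
      options:
        maxelem:
          - 65536
        # NOTE(review): firewalld refuses static entries on an ipset created
        # with the timeout option (firewall-cmd reports IPSET_WITH_TIMEOUT) and
        # is expected to ignore the 'targets' below when loading the XML --
        # confirm on the deployed firewalld version. Any entry that is honoured
        # expires after 300 s regardless.
        timeout:
          - 300
        hashsize:
          - 1024
      # 10.0.0.1 is a placeholder, not a real ban. Shipping an RFC 1918 address
      # in a role default could block a legitimate host wherever the entry is
      # honoured; override from inventory and prefer an empty list here.
      targets:
        - 10.0.0.1
    # fail2ban-ssh-ipv6:
    #   short: fail2ban-ssh-ipv6
    #   description: fail2ban-ssh-ipv6 ipset
    #   type: 'hash:ip'
    #   options:
    #     family:
    #       - inet6
    #     maxelem:
    #       - 65536
    #     timeout:   # same timeout/entries caveat as fail2ban-ssh above
    #       - 300
    #     hashsize:
    #       - 1024
    #   targets:
    #     - 2a01::1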