This site won't get any more updates, see github repo for most recent docs.
This role manages
For a full list of available options, see OpenWrt Wiki Firewall
This is just an excerpt:
| Ansible Variable Name | OpenWrt Flag Name | Default Value |
|---|---|---|
openwrt_firewall_default_synflood_protect |
synflood_protect | 1 |
openwrt_firewall_default_flow_offloading |
flow_offloading | 0 |
openwrt_firewall_default_flow_offloading_hw |
flow_offloading_hw | 0 |
openwrt_firewall_default_forward |
forward | REJECT |
openwrt_firewall_default_input |
input | ACCEPT |
openwrt_firewall_default_output |
output | ACCEPT |
openwrt_firewall_default_drop_invalid |
drop_invalid | - |
openwrt_firewall_default_synflood_rate |
synflood_rate | - |
openwrt_firewall_default_synflood_burst |
synflood_burst | - |
openwrt_firewall_default_tcp_syncookies |
tcp_syncookies | - |
openwrt_firewall_default_tcp_ecn |
tcp_ecn | - |
openwrt_firewall_default_tcp_window_scaling |
tcp_window_scaling | - |
openwrt_firewall_default_accept_redirects |
accept_redirects | - |
openwrt_firewall_default_accept_source_route |
accept_source_route | - |
openwrt_firewall_default_custom_chains |
custom_chains | - |
openwrt_firewall_default_tcp_reject_code |
tcp_reject_code | - |
openwrt_firewall_default_any_reject_code |
any_reject_code | - |
We use zones names written in capital letters, e.g. WAN. Ansible variable names do not make use of that convention.
Zones are the core of firewall operations in OpenWrt. In the following cases:
Input Output and Forward applyThus you need to attach an interface to a firewall zone so that the firewall can make decisions about the various packets.
For a more detailed documentation look at the official firewall docs of OpenWrt.
In contrast to a factory OpenWrt firmware this role ships with more default zones.
| Description | Default Zonename |
Default masq |
Default logging |
|---|---|---|---|
| Internet Uplink | WAN | 1 | 1 |
| Connecting to neighbours | NEIGHBOURS | 0 | 1 |
| Guests, e.g. Guest Wifi | GUESTS | 0 | 1 |
| your common LAN clienst | LAN | 0 | 1 |
| Services / Server | DMZ | 0 | 1 |
| Management, z.B. IPMI, switches, Access Points | MGMT | 0 | 1 |
Those are pre defined zones coming with a defaultset of rules. You NEED TO assign an interface to them so that they are being utilized. Otherwise they won't be used, AT ALL.
There are three different variables to manage zones. All of them are being defined as a dict variable.
This is an excerpt of the default zones
openwrt_firewall_zonesdefault:
WAN:
forward: "REJECT"
input: "REJECT"
output: "ACCEPT"
log: "1"
masq: "1"
mtu_fix: "1"
In order to modify the default zones some manual work is necessary. At first you need to define your very own variable in the same format and set your specifics. This is an example of how to assign an interface to a default zone.
openwrt_firewall_zones_mysite:
MGMT:
interfaces:
- "MGMT"
- "MGMT6"
input: "ACCEPT"
Additionally you need to define your own task within your playbook file.
- hosts: platforms_openwrt
pre_tasks:
- name: combine default zones with manual settings
set_fact:
openwrt_firewall_zonesdefault: "{{ openwrt_firewall_zonesdefault | combine(openwrt_firewall_zones_mysite, recursive=true) }}"
when: openwrt_firewall_zones_mysite is defined
become: true
roles:
- imp1sh.ansible_openwrt.ansible_openwrtfirewall
This will merge openwrt_firewall_zonesdefault and openwrt_firewall_zones_mysite
See also Ansible docs for combining dicts
To specify interfaces the logical names from /etc/network/interfaces are being used. In Ansible they are being defined in ansible_openwrtnetwork via the variableopenwrt_network_interfaces , e.g.:
openwrt_network_interfaces:
wan:
device: "eth1"
proto: "dhcp"
wan6:
device: "@wan"
proto: "dhcpv6"
If you need to disable single zones you can do that by setting the disabled flag to true. For example
openwrt_firewall_zoneshost:
MYZONE:
...
disabled: true
...
This might be helpful if you temporarily would like to disable a zone but not remove it from the Ansible configuration.
The default zones are quite extensive. If they do not fit your environment you might want to define all your zones by yourself. You can deactivate the default zones by setting:
openwrt_firewall_setdefaultzones: false
Don't forget to define your own zones. An OpenWrt Firewall without zones cannot be fully functional. The default rules may also be not applied. The Ansible Collection checks if zones exist when it tries to apply rules. If a rule is associated with a non existant zone, the rule won't be applied at all. This may lead to default rules not being applied and can cause problems for example with DHCP requests not being answered.
Apart from the predefined zones you can define your own. The names of your zones may not interfere with the default zones, if applied.
You can either define zones for a host or for a group of hosts. This is an example for a zone named PRINTERS with the interface named printers to be set on a single host.
openwrt_firewall_zoneshost:
PRINTERS:
forward: “REJECT”
input: “REJECT”
output: “ACCEPT”
log: “0”
interfaces:
- “printers”
If you want to define zones for multiple hosts you can do that in the allhosts scope, e.g. ./group_vars/allhosts.yml. This is an example that will be applied to allhosts member of the group group1.
openwrt_firewall_zonesgroup:
group1:
SPEZIAL1:
forward: "ACCEPT"
input: "ACCEPT"
output: "ACCEPT
log: “0”
interfaces:
- "spezial1"
DMZ2:
forward: "ACCEPT"
input: "ACCEPT"
output: "ACCEPT"
log: “0”
GUESTS2:
forward: "REJECT"
input: "REJECT"
output: "ACCEPT"
log: “0”
FRITZ:
forward: "REJECT"
input: "REJECT"
output: "ACCEPT"
log: “1”
masq: 1
mtu_fix: 1
interfaces:
- "fritz1"
- "fritz2"
Forwardings define how packets between zones are handled. So if there is a forwarding rule from LAN to DMZ all hosts in LAN can fully access hosts in DMZ.
See also: OpenWrt Firewall docs
A forwarding has to have a SRC as well as DEST attribute.
Forwardings are only being applied when the
SRCandDESTzones both exist.
There is a default forwarding, allwing LAN to WAN access. Other forwardings you need to define yourself.
Define in Ansible on a host scope like this:
openwrt_firewall_forwardingshost:
- src: “MGMT”
dest: “WAN”
Define in the allhosts scope, e.g. in group_vars/allhosts.yml
openwrt_firewall_forwardingsgroup:
group1:
- src: “MYZONE1”
dest: “WAN”
group2:
- src: “MYZONE2”
dest: “WAN”
Rules define how packets are being handled. Possible actions are DROP, REJECT or ACCEPT.
In the src and/or dest attribute there may be a wildcard, i.e. *. This will match every zone.
If you skip the dest attribute it will become an Input Rule, meaning the traffc's destination address is the firewalls IP itself.
Rules are only being applied, if the referenced zone(s) actually exists.
Those are mandatory attributes for a rule:
All other attributes are optional.
There are some predefined rules that are meant for the predefined zones. In contrast to stock OpenWrt there are some minor changes. In accordance to RFC4890 several ICMPv6 packates are being passed. Additionally there are some more predefined rules as there are more predefined zones.
In the github repo you can inspect those default rules, see variable: openwrt_firewall_rulesdefault.
Example configuration for a single host two rules.
openwrt_firewall_ruleshost:
"zabbix1_anywhere":
family: "ipv6"
src: "WAN"
src_ip:
- "{{ hostvars['zabbix1.example.com']['netinterfaces']['ens18']['ip6'] | ipaddr('address') }}"
dest: "*"
proto:
- "tcp"
dest_port: "10050"
target: "ACCEPT"
"admin_accept wan":
family: "ipv6"
src: "WAN"
target: "ACCEPT"
proto:
- "all"
src_ip:
- "2001:1234:4321::/48"
- "2a01:affe::/32"
"SECURE to MGMT ssh":
family: "ipv6"
src: "SECURE"
dest: "MGMT"
target: "ACCEPT"
proto:
- "tcp"
dest_port: "22"
For a full list of attributes see OpenWrt Firewall docs.
Be careuful about firewall rules. If you mistype or forget e.g. a
dest_portdirective the rule will get installed, without a restriction to a port. This might open up your firewall much wider than you might want to.
As in most sections there is also the possibility to defines rules on a Ansible group scope. Here's an example, defined in ./group_vars/allhosts.yml:
openwrt_firewall_rulesgroup:
openwrtaccesspoints:
"Admin Access":
src: "MGMT"
proto: "all"
target: "ACCEPT"
openwrtrouter:
"LAN to MGMT HTTP Admins":
src: "LAN"
dest: "MGMT"
proto: "tcp"
dest_port: "80"
src_ip:
- "1.2.3.5"
- "2a01:4:6::1"
target: "ACCEPT"
Of course forwardings can be setup via this role. This is not about general masquerading. This is being setup in the zones section of this role with the attributes masq: 1 and mtu_fix: 1.
For specific SNAT / DNAT rules those can be setup via rules. There are two va`riables available to define rules, i.e. openwrt_firewall_redirectsgroup and openwrt_firewall_redirectshost. A full list of available attributes for those rules can be found in the Openwrt documentation for redirects.
openwrt_firewall_redirectshost:
"jabber 5222 chathost1":
proto:
- "tcp"
src: "WAN"
dest: "MEINS"
src_dip: "5.123.321.82"
dest_ip: "10.10.102.19"
src_dport: 5222
target: "DNAT"
If you want a DNAT rule, srcis mandatory.
If you define a SNAT rule, src_dipand destare mandatory.