community.general.hetzner_firewall – Manage Hetzner’s dedicated server firewall¶
Note
This plugin is part of the community.general collection (version 1.3.6).
To install it use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.hetzner_firewall.
New in version 0.2.0: of community.general
Synopsis¶
Manage Hetzner’s dedicated server firewall.
Note that idempotency check for TCP flags simply compares strings and doesn’t try to interpret the rules. This might change in the future.
Parameters¶
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
hetzner_password
string
/ required
|
The password for the Robot webservice user.
|
|||
|
hetzner_user
string
/ required
|
The username for the Robot webservice user.
|
|||
|
port
string
|
|
Switch port of firewall.
|
||
|
rules
dictionary
|
Firewall rules.
|
|||
|
input
list
/ elements=dictionary
|
Input firewall rules.
|
|||
|
action
string
/ required
|
|
Action if rule matches.
|
||
|
dst_ip
string
|
Destination IP address or subnet address.
CIDR notation.
|
|||
|
dst_port
string
|
Destination port or port range.
|
|||
|
ip_version
string
/ required
|
|
Internet protocol version.
Note that currently, only IPv4 is supported by Hetzner.
|
||
|
name
string
|
Name of the firewall rule.
|
|||
|
protocol
string
|
Protocol above IP layer
|
|||
|
src_ip
string
|
Source IP address or subnet address.
CIDR notation.
|
|||
|
src_port
string
|
Source port or port range.
|
|||
|
tcp_flags
string
|
TCP flags or logical combination of flags.
Flags supported by Hetzner are
syn, fin, rst, psh and urg.They can be combined with
| (logical or) and & (logical and).See the documentation for more information.
|
|||
|
server_ip
string
/ required
|
The server's main IP address.
|
|||
|
state
string
|
|
Status of the firewall.
Firewall is active if state is
present, and disabled if state is absent. |
||
|
timeout
integer
|
Default: 180
|
Timeout (in seconds) for waiting for firewall to be configured.
|
||
|
update_timeout
integer
|
Default: 30
|
Timeout to use when configuring the firewall.
Note that the API call returns before the firewall has been successfully set up.
|
||
|
wait_delay
integer
|
Default: 10
|
Delay to wait (in seconds) before checking again whether the firewall has been configured.
|
||
|
wait_for_configured
boolean
|
|
Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module.
The API returns status
in progress when the firewall is currently being configured. If this happens, the module will try again until the status changes to active or disabled.Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use community.general.hetzner_firewall_info to query status.
|
||
|
whitelist_hos
boolean
|
|
Whether Hetzner services have access.
|
||
See Also¶
See also
- Firewall documentation
Hetzner’s documentation on the stateless firewall for dedicated servers
- community.general.hetzner_firewall_info
Retrieve information on firewall configuration.
Examples¶
- name: Configure firewall for server with main IP 1.2.3.4
community.general.hetzner_firewall:
hetzner_user: foo
hetzner_password: bar
server_ip: 1.2.3.4
state: present
whitelist_hos: yes
rules:
input:
- name: Allow everything to ports 20-23 from 4.3.2.1/24
ip_version: ipv4
src_ip: 4.3.2.1/24
dst_port: '20-23'
action: accept
- name: Allow everything to port 443
ip_version: ipv4
dst_port: '443'
action: accept
- name: Drop everything else
ip_version: ipv4
action: discard
register: result
- ansible.builtin.debug:
msg: "{{ result }}"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Authors¶
Felix Fontein (@felixfontein)