vyos.vyos.vyos_firewall_global – FIREWALL global resource module¶
Note
This plugin is part of the vyos.vyos collection (version 1.1.1).
To install it, run: ansible-galaxy collection install vyos.vyos
To use it in a playbook, specify: vyos.vyos.vyos_firewall_global
New in version 1.0.0: of vyos.vyos
Synopsis¶
This module manages the global firewall policies and settings (state policy, groups, ICMP/redirect handling, source validation and related kernel protections) on VyOS devices.
Note
This module has a corresponding action plugin.
Parameters¶
Notes¶
Note
Tested against VyOS 1.1.8 (helium).
This module works with connection network_cli. See the VyOS OS Platform Options.
Examples¶
# Using merged
#
# Before state:
# -------------
#
# vyos@vyos# run show configuration commands | grep firewall
#
#
- name: Merge the provided configuration with the existing running configuration
  vyos.vyos.vyos_firewall_global:
    config:
      validation: strict
      config_trap: true
      log_martians: true
      syn_cookies: true
      twa_hazards_protection: true
      ping:
        all: true
        broadcast: true
      state_policy:
        - connection_type: established
          action: accept
          log: true
        - connection_type: invalid
          action: reject
      route_redirects:
        - afi: ipv4
          ip_src_route: true
          icmp_redirects:
            send: true
            receive: false
      group:
        address_group:
          - name: MGMT-HOSTS
            description: This group has the Management hosts address list
            members:
              - address: 192.0.1.1
              - address: 192.0.1.3
              - address: 192.0.1.5
        network_group:
          - name: MGMT
            description: This group has the Management network addresses
            members:
              - address: 192.0.1.0/24
    state: merged
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "before": []
#
# "commands": [
# "set firewall group address-group MGMT-HOSTS address 192.0.1.1",
# "set firewall group address-group MGMT-HOSTS address 192.0.1.3",
# "set firewall group address-group MGMT-HOSTS address 192.0.1.5",
# "set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'",
# "set firewall group address-group MGMT-HOSTS",
# "set firewall group network-group MGMT network 192.0.1.0/24",
# "set firewall group network-group MGMT description 'This group has the Management network addresses'",
# "set firewall group network-group MGMT",
# "set firewall ip-src-route 'enable'",
# "set firewall receive-redirects 'disable'",
# "set firewall send-redirects 'enable'",
# "set firewall config-trap 'enable'",
# "set firewall state-policy established action 'accept'",
# "set firewall state-policy established log 'enable'",
# "set firewall state-policy invalid action 'reject'",
# "set firewall broadcast-ping 'enable'",
# "set firewall all-ping 'enable'",
# "set firewall log-martians 'enable'",
# "set firewall twa-hazards-protection 'enable'",
# "set firewall syn-cookies 'enable'",
# "set firewall source-validation 'strict'"
# ]
#
# "after": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "This group has the Management hosts address list",
# "members": [
# {
# "address": "192.0.1.1"
# },
# {
# "address": "192.0.1.3"
# },
# {
# "address": "192.0.1.5"
# }
# ],
# "name": "MGMT-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
#
# After state:
# -------------
#
# vyos@192# run show configuration commands | grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group MGMT-HOSTS address '192.0.1.1'
# set firewall group address-group MGMT-HOSTS address '192.0.1.3'
# set firewall group address-group MGMT-HOSTS address '192.0.1.5'
# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
#
#
# Using parsed
#
#
- name: Parse the provided running configuration into the module's structured form
  vyos.vyos.vyos_firewall_global:
    running_config:
      "set firewall all-ping 'enable'
       set firewall broadcast-ping 'enable'
       set firewall config-trap 'enable'
       set firewall group address-group ENG-HOSTS address '192.0.3.1'
       set firewall group address-group ENG-HOSTS address '192.0.3.2'
       set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
       set firewall group address-group SALES-HOSTS address '192.0.2.1'
       set firewall group address-group SALES-HOSTS address '192.0.2.2'
       set firewall group address-group SALES-HOSTS address '192.0.2.3'
       set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
       set firewall group network-group MGMT description 'This group has the Management network addresses'
       set firewall group network-group MGMT network '192.0.1.0/24'
       set firewall ip-src-route 'enable'
       set firewall log-martians 'enable'
       set firewall receive-redirects 'disable'
       set firewall send-redirects 'enable'
       set firewall source-validation 'strict'
       set firewall state-policy established action 'accept'
       set firewall state-policy established log 'enable'
       set firewall state-policy invalid action 'reject'
       set firewall syn-cookies 'enable'
       set firewall twa-hazards-protection 'enable'"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#
# "parsed": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.3.1"
# },
# {
# "address": "192.0.3.2"
# }
# ],
# "name": "ENG-HOSTS"
# },
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.2.1"
# },
# {
# "address": "192.0.2.2"
# },
# {
# "address": "192.0.2.3"
# }
# ],
# "name": "SALES-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
# }
#
#
# Using deleted
#
# Before state
# -------------
#
# vyos@192# run show configuration commands | grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group MGMT-HOSTS address '192.0.1.1'
# set firewall group address-group MGMT-HOSTS address '192.0.1.3'
# set firewall group address-group MGMT-HOSTS address '192.0.1.5'
# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
- name: Delete all firewall global attributes
  vyos.vyos.vyos_firewall_global:
    config:
      state_policy:
      config_trap:
      log_martians:
      syn_cookies:
      twa_hazards_protection:
      route_redirects:
      ping:
      group:
    state: deleted
#
#
# ------------------------
# Module Execution Result
# ------------------------
#
# "before": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "This group has the Management hosts address list",
# "members": [
# {
# "address": "192.0.1.1"
# },
# {
# "address": "192.0.1.3"
# },
# {
# "address": "192.0.1.5"
# }
# ],
# "name": "MGMT-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
#
# "commands": [
# "delete firewall source-validation",
# "delete firewall group",
# "delete firewall log-martians",
# "delete firewall ip-src-route",
# "delete firewall receive-redirects",
# "delete firewall send-redirects",
# "delete firewall config-trap",
# "delete firewall state-policy",
# "delete firewall syn-cookies",
# "delete firewall broadcast-ping",
# "delete firewall all-ping",
# "delete firewall twa-hazards-protection"
# ]
#
# "after": []
#
# After state
# ------------
# vyos@192# run show configuration commands | grep firewall
# set 'firewall'
#
#
# Using replaced
#
# Before state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group MGMT-HOSTS address '192.0.1.1'
# set firewall group address-group MGMT-HOSTS address '192.0.1.3'
# set firewall group address-group MGMT-HOSTS address '192.0.1.5'
# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
#
- name: Replace the firewall global attributes configuration
  vyos.vyos.vyos_firewall_global:
    config:
      validation: strict
      config_trap: true
      log_martians: true
      syn_cookies: true
      twa_hazards_protection: true
      ping:
        all: true
        broadcast: true
      state_policy:
        - connection_type: established
          action: accept
          log: true
        - connection_type: invalid
          action: reject
      route_redirects:
        - afi: ipv4
          ip_src_route: true
          icmp_redirects:
            send: true
            receive: false
      group:
        address_group:
          - name: SALES-HOSTS
            description: Sales office hosts address list
            members:
              - address: 192.0.2.1
              - address: 192.0.2.2
              - address: 192.0.2.3
          - name: ENG-HOSTS
            description: Sales office hosts address list
            members:
              - address: 192.0.3.1
              - address: 192.0.3.2
        network_group:
          - name: MGMT
            description: This group has the Management network addresses
            members:
              - address: 192.0.1.0/24
    state: replaced
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "before": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "This group has the Management hosts address list",
# "members": [
# {
# "address": "192.0.1.1"
# },
# {
# "address": "192.0.1.3"
# },
# {
# "address": "192.0.1.5"
# }
# ],
# "name": "MGMT-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
#
# "commands": [
# "delete firewall group address-group MGMT-HOSTS",
# "set firewall group address-group SALES-HOSTS address 192.0.2.1",
# "set firewall group address-group SALES-HOSTS address 192.0.2.2",
# "set firewall group address-group SALES-HOSTS address 192.0.2.3",
# "set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'",
# "set firewall group address-group SALES-HOSTS",
# "set firewall group address-group ENG-HOSTS address 192.0.3.1",
# "set firewall group address-group ENG-HOSTS address 192.0.3.2",
# "set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'",
# "set firewall group address-group ENG-HOSTS"
# ]
#
# "after": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.3.1"
# },
# {
# "address": "192.0.3.2"
# }
# ],
# "name": "ENG-HOSTS"
# },
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.2.1"
# },
# {
# "address": "192.0.2.2"
# },
# {
# "address": "192.0.2.3"
# }
# ],
# "name": "SALES-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
#
# After state:
# -------------
#
# vyos@192# run show configuration commands | grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group ENG-HOSTS address '192.0.3.1'
# set firewall group address-group ENG-HOSTS address '192.0.3.2'
# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
# set firewall group address-group SALES-HOSTS address '192.0.2.1'
# set firewall group address-group SALES-HOSTS address '192.0.2.2'
# set firewall group address-group SALES-HOSTS address '192.0.2.3'
# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
#
#
# Using gathered
#
# Before state:
# -------------
#
# vyos@192# run show configuration commands | grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group ENG-HOSTS address '192.0.3.1'
# set firewall group address-group ENG-HOSTS address '192.0.3.2'
# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
# set firewall group address-group SALES-HOSTS address '192.0.2.1'
# set firewall group address-group SALES-HOSTS address '192.0.2.2'
# set firewall group address-group SALES-HOSTS address '192.0.2.3'
# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
#
- name: Gather the firewall global configuration from the device's running config
  vyos.vyos.vyos_firewall_global:
    config:
    state: gathered
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "gathered": {
# "config_trap": true,
# "group": {
# "address_group": [
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.3.1"
# },
# {
# "address": "192.0.3.2"
# }
# ],
# "name": "ENG-HOSTS"
# },
# {
# "description": "Sales office hosts address list",
# "members": [
# {
# "address": "192.0.2.1"
# },
# {
# "address": "192.0.2.2"
# },
# {
# "address": "192.0.2.3"
# }
# ],
# "name": "SALES-HOSTS"
# }
# ],
# "network_group": [
# {
# "description": "This group has the Management network addresses",
# "members": [
# {
# "address": "192.0.1.0/24"
# }
# ],
# "name": "MGMT"
# }
# ]
# },
# "log_martians": true,
# "ping": {
# "all": true,
# "broadcast": true
# },
# "route_redirects": [
# {
# "afi": "ipv4",
# "icmp_redirects": {
# "receive": false,
# "send": true
# },
# "ip_src_route": true
# }
# ],
# "state_policy": [
# {
# "action": "accept",
# "connection_type": "established",
# "log": true
# },
# {
# "action": "reject",
# "connection_type": "invalid"
# }
# ],
# "syn_cookies": true,
# "twa_hazards_protection": true,
# "validation": "strict"
# }
#
# After state:
# -------------
#
# vyos@192# run show configuration commands | grep firewall
# set firewall all-ping 'enable'
# set firewall broadcast-ping 'enable'
# set firewall config-trap 'enable'
# set firewall group address-group ENG-HOSTS address '192.0.3.1'
# set firewall group address-group ENG-HOSTS address '192.0.3.2'
# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
# set firewall group address-group SALES-HOSTS address '192.0.2.1'
# set firewall group address-group SALES-HOSTS address '192.0.2.2'
# set firewall group address-group SALES-HOSTS address '192.0.2.3'
# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
# set firewall group network-group MGMT description 'This group has the Management network addresses'
# set firewall group network-group MGMT network '192.0.1.0/24'
# set firewall ip-src-route 'enable'
# set firewall log-martians 'enable'
# set firewall receive-redirects 'disable'
# set firewall send-redirects 'enable'
# set firewall source-validation 'strict'
# set firewall state-policy established action 'accept'
# set firewall state-policy established log 'enable'
# set firewall state-policy invalid action 'reject'
# set firewall syn-cookies 'enable'
# set firewall twa-hazards-protection 'enable'
#
#
# Using rendered
#
#
- name: Render the commands for the provided configuration
  vyos.vyos.vyos_firewall_global:
    config:
      validation: strict
      config_trap: true
      log_martians: true
      syn_cookies: true
      twa_hazards_protection: true
      ping:
        all: true
        broadcast: true
      state_policy:
        - connection_type: established
          action: accept
          log: true
        - connection_type: invalid
          action: reject
      route_redirects:
        - afi: ipv4
          ip_src_route: true
          icmp_redirects:
            send: true
            receive: false
      group:
        address_group:
          - name: SALES-HOSTS
            description: Sales office hosts address list
            members:
              - address: 192.0.2.1
              - address: 192.0.2.2
              - address: 192.0.2.3
          - name: ENG-HOSTS
            description: Sales office hosts address list
            members:
              - address: 192.0.3.1
              - address: 192.0.3.2
        network_group:
          - name: MGMT
            description: This group has the Management network addresses
            members:
              - address: 192.0.1.0/24
    state: rendered
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#
# "rendered": [
# "set firewall group address-group SALES-HOSTS address 192.0.2.1",
# "set firewall group address-group SALES-HOSTS address 192.0.2.2",
# "set firewall group address-group SALES-HOSTS address 192.0.2.3",
# "set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'",
# "set firewall group address-group SALES-HOSTS",
# "set firewall group address-group ENG-HOSTS address 192.0.3.1",
# "set firewall group address-group ENG-HOSTS address 192.0.3.2",
# "set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'",
# "set firewall group address-group ENG-HOSTS",
# "set firewall group network-group MGMT network 192.0.1.0/24",
# "set firewall group network-group MGMT description 'This group has the Management network addresses'",
# "set firewall group network-group MGMT",
# "set firewall ip-src-route 'enable'",
# "set firewall receive-redirects 'disable'",
# "set firewall send-redirects 'enable'",
# "set firewall config-trap 'enable'",
# "set firewall state-policy established action 'accept'",
# "set firewall state-policy established log 'enable'",
# "set firewall state-policy invalid action 'reject'",
# "set firewall broadcast-ping 'enable'",
# "set firewall all-ping 'enable'",
# "set firewall log-martians 'enable'",
# "set firewall twa-hazards-protection 'enable'",
# "set firewall syn-cookies 'enable'",
# "set firewall source-validation 'strict'"
# ]
#
#
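The parsed and gathered examples above both return the same structured form of the `set firewall ...` lines, and a practitioner usually wants to check that structure against a hardening baseline before merging it elsewhere. The following is an added example written for this page, not code from the vyos.vyos collection: `parse_firewall_global` rebuilds the module's `parsed`/`gathered` structure from running-config lines offline (only the keys that appear on this page are handled), and `audit_firewall_global` checks that structure against a small baseline chosen here as an editorial assumption, not a VyOS or collection default. Note that the page's own example enables `ip-src-route`, `send-redirects` and `broadcast-ping`; hardening baselines commonly disable all three (accepting source-routed packets lets a sender dictate the path, broadcast ping replies enable amplification, and a firewall rarely needs to emit ICMP redirects), so the audit flags exactly those three when run on the sample below.

```python
"""Offline helpers for vyos_firewall_global data (added example, not collection code)."""
import shlex

# Flat `set firewall <leaf> 'enable|disable'` keys -> module config keys.
BOOL_KEYS = {
    "config-trap": "config_trap",
    "log-martians": "log_martians",
    "syn-cookies": "syn_cookies",
    "twa-hazards-protection": "twa_hazards_protection",
}
PING_KEYS = {"all-ping": "all", "broadcast-ping": "broadcast"}
REDIRECT_KEYS = {"send-redirects": "send", "receive-redirects": "receive"}


def _enabled(word):
    return word == "enable"


def parse_firewall_global(running_config):
    """Parse `set firewall ...` lines into the module's config dict."""
    cfg, groups, policies = {}, {}, {}
    redirects = {"afi": "ipv4"}  # the page only shows IPv4 route_redirects
    for line in running_config.splitlines():
        tokens = shlex.split(line)  # shlex strips VyOS's single quotes
        if tokens[:2] != ["set", "firewall"] or len(tokens) < 4:
            continue
        key, rest = tokens[2], tokens[3:]
        if key in BOOL_KEYS:
            cfg[BOOL_KEYS[key]] = _enabled(rest[0])
        elif key in PING_KEYS:
            cfg.setdefault("ping", {})[PING_KEYS[key]] = _enabled(rest[0])
        elif key in REDIRECT_KEYS:
            redirects.setdefault("icmp_redirects", {})[REDIRECT_KEYS[key]] = _enabled(rest[0])
        elif key == "ip-src-route":
            redirects["ip_src_route"] = _enabled(rest[0])
        elif key == "source-validation":
            cfg["validation"] = rest[0]
        elif key == "state-policy" and len(rest) == 3:
            conn, attr, value = rest  # e.g. established action 'accept'
            entry = policies.setdefault(conn, {"connection_type": conn})
            entry[attr] = _enabled(value) if attr == "log" else value
        elif key == "group" and len(rest) >= 2:
            kind, name = rest[0].replace("-", "_"), rest[1]  # address-group -> address_group
            entry = groups.setdefault(kind, {}).setdefault(name, {"name": name, "members": []})
            if len(rest) == 4 and rest[2] in ("address", "network"):
                entry["members"].append({"address": rest[3]})
            elif len(rest) == 4 and rest[2] == "description":
                entry["description"] = rest[3]
    if groups:
        cfg["group"] = {kind: list(v.values()) for kind, v in groups.items()}
    if len(redirects) > 1:
        cfg["route_redirects"] = [redirects]
    if policies:
        cfg["state_policy"] = list(policies.values())
    return cfg


def _get(node, *path):
    """Walk nested dicts; None when any key on the path is absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _ipv4_redirects(cfg):
    return next((r for r in cfg.get("route_redirects", []) if r.get("afi") == "ipv4"), {})


def _policy_action(cfg, conn):
    return next((p.get("action") for p in cfg.get("state_policy", []) if p.get("connection_type") == conn), None)


# Editorial hardening baseline (an assumption for this example, not a VyOS default):
# (setting, getter, allowed values). Absent keys are reported as unset rather than
# failed, because the device default then applies and is not visible in this data.
BASELINE = [
    ("source-validation", lambda c: _get(c, "validation"), ("strict",)),
    ("syn-cookies", lambda c: _get(c, "syn_cookies"), (True,)),
    ("log-martians", lambda c: _get(c, "log_martians"), (True,)),
    ("twa-hazards-protection", lambda c: _get(c, "twa_hazards_protection"), (True,)),
    ("broadcast-ping", lambda c: _get(c, "ping", "broadcast"), (False,)),
    ("ip-src-route", lambda c: _get(_ipv4_redirects(c), "ip_src_route"), (False,)),
    ("receive-redirects", lambda c: _get(_ipv4_redirects(c), "icmp_redirects", "receive"), (False,)),
    ("send-redirects", lambda c: _get(_ipv4_redirects(c), "icmp_redirects", "send"), (False,)),
    ("state-policy invalid action", lambda c: _policy_action(c, "invalid"), ("drop", "reject")),
]


def audit_firewall_global(cfg):
    """Return {"fail": [...], "unset": [...]} for cfg checked against BASELINE."""
    findings = {"fail": [], "unset": []}
    for setting, getter, allowed in BASELINE:
        value = getter(cfg)
        if value is None:
            findings["unset"].append(setting)
        elif value not in allowed:
            findings["fail"].append(f"{setting}={value!r}, want one of {allowed}")
    return findings


# Constructed sample: a subset of the running_config from the `parsed` example above.
SAMPLE_RUNNING_CONFIG = """\
set firewall all-ping 'enable'
set firewall broadcast-ping 'enable'
set firewall config-trap 'enable'
set firewall group address-group ENG-HOSTS address '192.0.3.1'
set firewall group address-group ENG-HOSTS address '192.0.3.2'
set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
set firewall group network-group MGMT description 'This group has the Management network addresses'
set firewall group network-group MGMT network '192.0.1.0/24'
set firewall ip-src-route 'enable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'strict'
set firewall state-policy established action 'accept'
set firewall state-policy established log 'enable'
set firewall state-policy invalid action 'reject'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'enable'
"""

if __name__ == "__main__":
    parsed = parse_firewall_global(SAMPLE_RUNNING_CONFIG)
    for kind, items in audit_firewall_global(parsed).items():
        for item in items:
            print(f"{kind}: {item}")
```

In a playbook the same audit can be applied to the module's `gathered` result (registered from a `state: gathered` task) rather than to parsed text; the structure is identical, so only the input changes.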
Return Values¶
Common return values are documented here; the following are the fields unique to this module:
Authors¶
Rohit Thakur (@rohitthakur2590)