puzzle.opnsense.firewall_rules module – This module is used to manage OPNSense firewall rules

Note

This module is part of the puzzle.opnsense collection (version 1.5.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install puzzle.opnsense.

To use it in a playbook, specify: puzzle.opnsense.firewall_rules.

New in puzzle.opnsense 1.0.0

Synopsis

  • This module is used to manage OPNSense firewall rules.

Parameters

Parameter

Comments

action

string

Choose what to do with packets that match the criteria specified below.

Choices:

  • "pass" ← (default)

  • "block"

  • "reject"

category

string

You may enter or select a category here to group firewall rules

description

string

Description for the rule.

destination

dictionary

Specifies the destination configuration.

address

string

The IP address of the destination.

Default: "any"

invert

boolean

Inverts the match logic.

Choices:

  • false ← (default)

  • true

network

string

The network of the destination.

Default: "any"

port

string

The port of the destination.

Default: "any"

direction

string

“Direction of the traffic. Traffic IN is coming into the firewall interface, while traffic OUT is going out of the firewall interface. In visual terms: [Source] -> IN -> [Firewall] -> OUT -> [Destination]. The default policy is to filter inbound traffic, which means the policy applies to the interface on which the traffic is originally received by the firewall from the source. This is more efficient from a traffic processing perspective. In most cases, the default policy will be the most appropriate.”

Choices:

  • "in" ← (default)

  • "out"

disabled

boolean

Set this option to disable this rule without removing it from the list.

Choices:

  • false ← (default)

  • true

interface

string / required

Choose on which interface packets must come in to match this rule.

ipprotocol

string

IP version

Choices:

  • "inet" ← (default)

  • "inet6"

  • "inet46"

log

boolean

“Log packets that are handled by this rule. Hint: the firewall has limited local log space. Don’t turn on logging for everything. If you want to do a lot of logging, consider using a remote syslog server.”

Choices:

  • false ← (default)

  • true

protocol

string

Choose which IP protocol this rule should match.

Choices:

  • "any" ← (default)

  • "tcp"

  • "udp"

  • "tcp/udp"

  • "icmp"

  • "esp"

  • "ah"

  • "gre"

  • "igmp"

  • "pim"

  • "ospf"

  • "ggp"

  • "ipencap"

  • "st2"

  • "cbt"

  • "egp"

  • "igp"

  • "bbn-rcc"

  • "nvp"

  • "pup"

  • "argus"

  • "emcon"

  • "xnet"

  • "chaos"

  • "mux"

  • "dcn"

  • "hmp"

  • "prm"

  • "xns-idp"

  • "trunk-1"

  • "trunk-2"

  • "leaf-1"

  • "leaf-2"

  • "rdp"

  • "irtp"

  • "iso-tp4"

  • "netblt"

  • "mfe-nsp"

  • "merit-inp"

  • "dccp"

  • "3pc"

  • "idpr"

  • "xtp"

  • "ddp"

  • "idpr-cmtp"

  • "tp++"

  • "il"

  • "ipv6"

  • "sdrp"

  • "idrp"

  • "rsvp"

  • "dsr"

  • "bna"

  • "i-nlsp"

  • "swipe"

  • "narp"

  • "mobile"

  • "tlsp"

  • "skip"

  • "ipv6-icmp"

  • "cftp"

  • "sat-expak"

  • "kryptolan"

  • "rvd"

  • "ippc"

  • "sat-mon"

  • "visa"

  • "ipcv"

  • "cpnx"

  • "cphb"

  • "wsn"

  • "pvp"

  • "br-sat-mon"

  • "sun-nd"

  • "wb-mon"

  • "wb-expak"

  • "iso-ip"

  • "vmtp"

  • "secure-vmtp"

  • "vines"

  • "ttp"

  • "nsfnet-igp"

  • "dgp"

  • "tcf"

  • "eigrp"

  • "sprite-rpc"

  • "larp"

  • "mtp"

  • "ax.25"

  • "ipip"

  • "micp"

  • "scc-sp"

  • "etherip"

  • "encap"

  • "gmtp"

  • "ifmp"

  • "pnni"

  • "aris"

  • "scps"

  • "qnx"

  • "a/n"

  • "ipcomp"

  • "snp"

  • "compaq-peer"

  • "ipx-in-ip"

  • "carp"

  • "pgm"

  • "l2tp"

  • "ddx"

  • "iatp"

  • "stp"

  • "srp"

  • "uti"

  • "smp"

  • "sm"

  • "ptp"

  • "isis"

  • "crtp"

  • "crudp"

  • "sps"

  • "pipe"

  • "sctp"

  • "fc"

  • "rsvp-e2e-ignore"

  • "udplite"

  • "mpls-in-ip"

  • "manet"

  • "hip"

  • "shim6"

  • "wesp"

  • "rohc"

  • "pfsync"

  • "divert"

quick

boolean

If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken. When a rule does not have quick enabled, the last matching rule wins.

Choices:

  • false

  • true ← (default)

source

dictionary

Specifies the source configuration.

address

string

The IP address of the source.

Default: "any"

invert

boolean

Inverts the match logic.

Choices:

  • false ← (default)

  • true

network

string

The network of the source.

Default: "any"

port

string

The port of the source.

Default: "any"

state

string

Whether rule should be added or removed.

Choices:

  • "present" ← (default)

  • "absent"

Examples

- name: Block SSH in LAN network
  puzzle.opnsense.firewall_rules:
    interface: lan
    action: block
    protocol: tcp
    destination:
      port: 22
    description: Block SSH on LAN

- name: Allow all access from the 192.168.0.0/16 network
  puzzle.opnsense.firewall_rules:
    interface: lan
    action: pass
    source:
      address: 192.168.0.0/16
    description: Allow 192.168.0.0/16 on LAN
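The parameters above combine as follows in a complete playbook. This is an added example, not part of the collection's own documentation; the inventory group, the management network 10.0.10.0/24, the interface name and the legacy telnet rule it retires are constructed for illustration.

```yaml
# Added example playbook; it is not part of the puzzle.opnsense documentation.
# Constructed assumptions: an inventory group "opnsense" holding the firewall,
# a management network 10.0.10.0/24 and an interface named "lan".
- name: LAN policy managed with puzzle.opnsense.firewall_rules
  hosts: opnsense
  gather_facts: false
  tasks:
    # Narrow pass rule: SSH only from the management network, logged.
    - name: Allow SSH from the management network
      puzzle.opnsense.firewall_rules:
        interface: lan
        action: pass
        ipprotocol: inet
        protocol: tcp
        source:
          address: 10.0.10.0/24
        destination:
          port: 22
        log: true
        category: management
        description: "mgmt -> ssh (ansible managed)"
      register: ssh_pass

    # invert=true flips the source match: everything NOT in 10.0.10.0/24.
    # Logging the block rule is what surfaces scanning and lateral movement.
    - name: Block and log SSH from anywhere else
      puzzle.opnsense.firewall_rules:
        interface: lan
        action: block
        ipprotocol: inet
        protocol: tcp
        source:
          address: 10.0.10.0/24
          invert: true
        destination:
          port: 22
        log: true
        category: management
        description: "non-mgmt -> ssh blocked (ansible managed)"
      register: ssh_block

    # inet46 matches IPv4 and IPv6 with a single rule.
    - name: Allow HTTPS out on both IP versions
      puzzle.opnsense.firewall_rules:
        interface: lan
        action: pass
        ipprotocol: inet46
        protocol: tcp
        destination:
          port: 443
        description: "lan -> https (ansible managed)"

    # A rule can be switched off without deleting it ...
    - name: Disable the legacy telnet rule
      puzzle.opnsense.firewall_rules:
        interface: lan
        action: pass
        protocol: tcp
        destination:
          port: 23
        description: "legacy telnet (ansible managed)"
        disabled: true

    # ... or removed. The module documentation does not state how a rule is
    # matched for removal; this task repeats the rule's parameters on the
    # assumption that the module identifies it by them.
    - name: Remove the legacy telnet rule
      puzzle.opnsense.firewall_rules:
        interface: lan
        action: pass
        protocol: tcp
        destination:
          port: 23
        description: "legacy telnet (ansible managed)"
        state: absent

    # opnsense_configure_output lists every configure function that ran with
    # its rc; a non-zero rc means the ruleset may not have been reloaded.
    - name: Fail the play if any configure step reported an error
      ansible.builtin.assert:
        that:
          - item.opnsense_configure_output | map(attribute='rc') | reject('eq', 0) | list | length == 0
        fail_msg: "OPNsense configure step failed: {{ item.opnsense_configure_output }}"
      loop:
        - "{{ ssh_pass }}"
        - "{{ ssh_block }}"
```

Because quick defaults to true, each rule is the final match for the packets it covers; the two SSH rules partition the source space with invert, so their relative order does not matter, but a broad pass rule placed ahead of a block rule would shadow it. After the play, compare the rule list under Firewall > Rules > LAN in the OPNsense UI with what the playbook declares, and treat any non-zero rc in opnsense_configure_output as a failed filter reload rather than a cosmetic warning.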

Return Values

Common return values are documented in the Ansible return values reference; the following are the fields unique to this module:

Key

Description

opnsense_configure_output

list / elements=string

A list of the executed OPNsense configure functions, each with its respective stdout, stderr and rc.

Returned: always

Sample: [{"function": "system_cron_configure", "params": ["true"], "rc": 0, "stderr": "", "stderr_lines": [], "stdout": "Configuring CRON...done.", "stdout_lines": ["Configuring CRON...done."]}, {"function": "filter_configure", "params": [], "rc": 0, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}]

Authors

  • Fabio Bertagna (@dongiovanni83)

  • Kilian Soltermann (@killuuuhh)