community / community.hrobot / 1.9.1 / module / firewall Manage Hetzner's dedicated server firewall Authors: Felix Fontein (@felixfontein)community.hrobot.firewall (1.9.1) — module
Install with ansible-galaxy collection install community.hrobot:==1.9.1
collections: - name: community.hrobot version: 1.9.1
Manage Hetzner's dedicated server firewall.
Note that idempotency check for TCP flags simply compares strings and doesn't try to interpret the rules. This might change in the future.
- name: Configure firewall for server with main IP 1.2.3.4 community.hrobot.firewall: hetzner_user: foo hetzner_password: bar server_ip: 1.2.3.4 state: present filter_ipv6: true allowlist_hos: true rules: input: - name: Allow ICMP protocol # This is needed so you can ping your server ip_version: ipv4 protocol: icmp action: accept # Note that it is not possible to disable ICMP for IPv6 # (https://robot.hetzner.com/doc/webservice/en.html#post-firewall-server-id) - name: Allow responses to incoming TCP connections protocol: tcp dst_port: '32768-65535' tcp_flags: ack action: accept - name: Allow restricted access from some known IPv4 addresses # Allow everything to ports 20-23 from 4.3.2.1/24 (IPv4 only) ip_version: ipv4 src_ip: 4.3.2.1/24 dst_port: '20-23' action: accept - name: Allow everything to port 443 dst_port: '443' action: accept - name: Drop everything else action: discard output: - name: Accept everything action: accept register: result
- ansible.builtin.debug: msg: "{{ result }}"
port: choices: - main - kvm default: main description: - Switch port of firewall. type: str rules: description: - Firewall rules. suboptions: input: description: - Input firewall rules. elements: dict suboptions: action: choices: - accept - discard description: - Action if rule matches. required: true type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str dst_port: description: - Destination port or port range. type: str ip_version: description: - Internet protocol version. - Leave away to filter both protocols. Note that in that case, none of O(rules.input[].dst_ip), O(rules.input[].src_ip), or O(rules.input[].protocol) can be specified. type: str name: description: - Name of the firewall rule. - Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.), C(-), C(+), C(_), and C(@) are allowed. type: str protocol: description: - Protocol above IP layer. type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str src_port: description: - Source port or port range. type: str tcp_flags: description: - TCP flags or logical combination of flags. - Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg). - They can be combined with V(|) (logical or) and V(&) (logical and). - See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter) for more information. type: str type: list output: description: - Output firewall rules. elements: dict suboptions: action: choices: - accept - discard description: - Action if rule matches. required: true type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str dst_port: description: - Destination port or port range. type: str ip_version: description: - Internet protocol version. - Leave away to filter both protocols. Note that in that case, none of O(rules.output[].dst_ip), O(rules.output[].src_ip), or O(rules.output[].protocol) can be specified. type: str name: description: - Name of the firewall rule. - Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.), C(-), C(+), C(_), and C(@) are allowed. type: str protocol: description: - Protocol above IP layer. type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str src_port: description: - Source port or port range. type: str tcp_flags: description: - TCP flags or logical combination of flags. - Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg). - They can be combined with V(|) (logical or) and V(&) (logical and). - See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter) for more information. type: str type: list version_added: 1.8.0 version_added_collection: community.hrobot type: dict state: choices: - present - absent default: present description: - Status of the firewall. - Firewall is active if state is V(present), and disabled if state is V(absent). type: str timeout: default: 180 description: - Timeout (in seconds) for waiting for firewall to be configured. type: int server_ip: description: - The server's main IP address. - Exactly one of O(server_ip) and O(server_number) must be specified. - Note that Hetzner deprecated identifying the server's firewall by the server's main IP. Using this option can thus stop working at any time in the future. Use O(server_number) instead. type: str wait_delay: default: 10 description: - Delay to wait (in seconds) before checking again whether the firewall has been configured. type: int filter_ipv6: description: - Whether to filter IPv6 traffic as well. - IPv4 traffic is always filtered, IPv6 traffic filtering needs to be explicitly enabled. type: bool version_added: 1.8.0 version_added_collection: community.hrobot hetzner_user: description: The username for the Robot webservice user. required: true type: str allowlist_hos: aliases: - whitelist_hos description: - Whether Hetzner services have access. type: bool server_number: description: - The server's number. - Exactly one of O(server_ip) and O(server_number) must be specified. type: int version_added: 1.8.0 version_added_collection: community.hrobot update_timeout: default: 30 description: - Timeout to use when configuring the firewall. - Note that the API call returns before the firewall has been successfully set up. type: int hetzner_password: description: The password for the Robot webservice user. required: true type: str wait_for_configured: default: true description: - Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module. - The API returns status C(in progress) when the firewall is currently being configured. If this happens, the module will try again until the status changes to C(active) or C(disabled). - Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use M(community.hrobot.firewall_info) to query status. type: bool
firewall: contains: allowlist_hos: description: - Whether Hetzner services have access. sample: true type: bool version_added: 1.2.0 version_added_collection: community.hrobot port: description: - Switch port of firewall. - V(main) or V(kvm). sample: main type: str rules: contains: input: contains: action: choices: - accept - discard description: - Action if rule matches. - V(accept) or V(discard). sample: accept type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. sample: 1.2.3.4/32 type: str dst_port: description: - Destination port or port range. sample: '443' type: str ip_version: description: - Internet protocol version. - No value means the rule applies both to IPv4 and IPv6. sample: ipv4 type: str name: description: - Name of the firewall rule. sample: Allow HTTP access to server type: str protocol: description: - Protocol above IP layer. sample: tcp type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. sample: null type: str src_port: description: - Source port or port range. sample: null type: str tcp_flags: description: - TCP flags or logical combination of flags. sample: null type: str description: - Input firewall rules. elements: dict type: list output: contains: action: choices: - accept - discard description: - Action if rule matches. - V(accept) or V(discard). sample: accept type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. sample: 1.2.3.4/32 type: str dst_port: description: - Destination port or port range. sample: '443' type: str ip_version: description: - Internet protocol version. - No value means the rule applies both to IPv4 and IPv6. sample: null type: str name: description: - Name of the firewall rule. sample: Allow HTTP access to server type: str protocol: description: - Protocol above IP layer. sample: tcp type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. sample: null type: str src_port: description: - Source port or port range. sample: null type: str tcp_flags: description: - TCP flags or logical combination of flags. sample: null type: str description: - Output firewall rules. elements: dict type: list description: - Firewall rules. type: dict server_ip: description: - Server's main IP address. sample: 1.2.3.4 type: str server_number: description: - Hetzner's internal server number. sample: 12345 type: int status: description: - Status of the firewall. - V(active) or V(disabled). - Will be V(in process) if the firewall is currently updated, and O(wait_for_configured) is set to V(false) or O(timeout) to a too small value. sample: active type: str whitelist_hos: description: - Whether Hetzner services have access. - Old name of return value V(allowlist_hos), will be removed eventually. sample: true type: bool description: - The firewall configuration. returned: success type: dict