Try SpotterManage Hetzner's dedicated server firewall
Authors: Felix Fontein (@felixfontein)
Install with ansible-galaxy collection install community.hrobot:==1.9.1
collections:
- name: community.hrobot
version: 1.9.1Manage Hetzner's dedicated server firewall.
Note that idempotency check for TCP flags simply compares strings and doesn't try to interpret the rules. This might change in the future.
- name: Configure firewall for server with main IP 1.2.3.4
community.hrobot.firewall:
hetzner_user: foo
hetzner_password: bar
server_ip: 1.2.3.4
state: present
filter_ipv6: true
allowlist_hos: true
rules:
input:
- name: Allow ICMP protocol
# This is needed so you can ping your server
ip_version: ipv4
protocol: icmp
action: accept
# Note that it is not possible to disable ICMP for IPv6
# (https://robot.hetzner.com/doc/webservice/en.html#post-firewall-server-id)
- name: Allow responses to incoming TCP connections
protocol: tcp
dst_port: '32768-65535'
tcp_flags: ack
action: accept
- name: Allow restricted access from some known IPv4 addresses
# Allow everything to ports 20-23 from 4.3.2.1/24 (IPv4 only)
ip_version: ipv4
src_ip: 4.3.2.1/24
dst_port: '20-23'
action: accept
- name: Allow everything to port 443
dst_port: '443'
action: accept
- name: Drop everything else
action: discard
output:
- name: Accept everything
action: accept
register: result
- ansible.builtin.debug:
msg: "{{ result }}"
port:
choices:
- main
- kvm
default: main
description:
- Switch port of firewall.
type: str
rules:
description:
- Firewall rules.
suboptions:
input:
description:
- Input firewall rules.
elements: dict
suboptions:
action:
choices:
- accept
- discard
description:
- Action if rule matches.
required: true
type: str
dst_ip:
description:
- Destination IP address or subnet address.
- CIDR notation.
type: str
dst_port:
description:
- Destination port or port range.
type: str
ip_version:
description:
- Internet protocol version.
- Leave away to filter both protocols. Note that in that case, none of O(rules.input[].dst_ip),
O(rules.input[].src_ip), or O(rules.input[].protocol) can be specified.
type: str
name:
description:
- Name of the firewall rule.
- Note that Hetzner restricts the characters that can be used for rule names.
At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.),
C(-), C(+), C(_), and C(@) are allowed.
type: str
protocol:
description:
- Protocol above IP layer.
type: str
src_ip:
description:
- Source IP address or subnet address.
- CIDR notation.
type: str
src_port:
description:
- Source port or port range.
type: str
tcp_flags:
description:
- TCP flags or logical combination of flags.
- Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg).
- They can be combined with V(|) (logical or) and V(&) (logical and).
- See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter)
for more information.
type: str
type: list
output:
description:
- Output firewall rules.
elements: dict
suboptions:
action:
choices:
- accept
- discard
description:
- Action if rule matches.
required: true
type: str
dst_ip:
description:
- Destination IP address or subnet address.
- CIDR notation.
type: str
dst_port:
description:
- Destination port or port range.
type: str
ip_version:
description:
- Internet protocol version.
- Leave away to filter both protocols. Note that in that case, none of O(rules.output[].dst_ip),
O(rules.output[].src_ip), or O(rules.output[].protocol) can be specified.
type: str
name:
description:
- Name of the firewall rule.
- Note that Hetzner restricts the characters that can be used for rule names.
At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.),
C(-), C(+), C(_), and C(@) are allowed.
type: str
protocol:
description:
- Protocol above IP layer.
type: str
src_ip:
description:
- Source IP address or subnet address.
- CIDR notation.
type: str
src_port:
description:
- Source port or port range.
type: str
tcp_flags:
description:
- TCP flags or logical combination of flags.
- Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg).
- They can be combined with V(|) (logical or) and V(&) (logical and).
- See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter)
for more information.
type: str
type: list
version_added: 1.8.0
version_added_collection: community.hrobot
type: dict
state:
choices:
- present
- absent
default: present
description:
- Status of the firewall.
- Firewall is active if state is V(present), and disabled if state is V(absent).
type: str
timeout:
default: 180
description:
- Timeout (in seconds) for waiting for firewall to be configured.
type: int
server_ip:
description:
- The server's main IP address.
- Exactly one of O(server_ip) and O(server_number) must be specified.
- Note that Hetzner deprecated identifying the server's firewall by the server's main
IP. Using this option can thus stop working at any time in the future. Use O(server_number)
instead.
type: str
wait_delay:
default: 10
description:
- Delay to wait (in seconds) before checking again whether the firewall has been configured.
type: int
filter_ipv6:
description:
- Whether to filter IPv6 traffic as well.
- IPv4 traffic is always filtered, IPv6 traffic filtering needs to be explicitly enabled.
type: bool
version_added: 1.8.0
version_added_collection: community.hrobot
hetzner_user:
description: The username for the Robot webservice user.
required: true
type: str
allowlist_hos:
aliases:
- whitelist_hos
description:
- Whether Hetzner services have access.
type: bool
server_number:
description:
- The server's number.
- Exactly one of O(server_ip) and O(server_number) must be specified.
type: int
version_added: 1.8.0
version_added_collection: community.hrobot
update_timeout:
default: 30
description:
- Timeout to use when configuring the firewall.
- Note that the API call returns before the firewall has been successfully set up.
type: int
hetzner_password:
description: The password for the Robot webservice user.
required: true
type: str
wait_for_configured:
default: true
description:
- Whether to wait until the firewall has been successfully configured before determining
what to do, and before returning from the module.
- The API returns status C(in progress) when the firewall is currently being configured.
If this happens, the module will try again until the status changes to C(active)
or C(disabled).
- Please note that there is a request limit. If you have to do multiple updates, it
can be better to disable waiting, and regularly use M(community.hrobot.firewall_info)
to query status.
type: bool
firewall:
contains:
allowlist_hos:
description:
- Whether Hetzner services have access.
sample: true
type: bool
version_added: 1.2.0
version_added_collection: community.hrobot
port:
description:
- Switch port of firewall.
- V(main) or V(kvm).
sample: main
type: str
rules:
contains:
input:
contains:
action:
choices:
- accept
- discard
description:
- Action if rule matches.
- V(accept) or V(discard).
sample: accept
type: str
dst_ip:
description:
- Destination IP address or subnet address.
- CIDR notation.
sample: 1.2.3.4/32
type: str
dst_port:
description:
- Destination port or port range.
sample: '443'
type: str
ip_version:
description:
- Internet protocol version.
- No value means the rule applies both to IPv4 and IPv6.
sample: ipv4
type: str
name:
description:
- Name of the firewall rule.
sample: Allow HTTP access to server
type: str
protocol:
description:
- Protocol above IP layer.
sample: tcp
type: str
src_ip:
description:
- Source IP address or subnet address.
- CIDR notation.
sample: null
type: str
src_port:
description:
- Source port or port range.
sample: null
type: str
tcp_flags:
description:
- TCP flags or logical combination of flags.
sample: null
type: str
description:
- Input firewall rules.
elements: dict
type: list
output:
contains:
action:
choices:
- accept
- discard
description:
- Action if rule matches.
- V(accept) or V(discard).
sample: accept
type: str
dst_ip:
description:
- Destination IP address or subnet address.
- CIDR notation.
sample: 1.2.3.4/32
type: str
dst_port:
description:
- Destination port or port range.
sample: '443'
type: str
ip_version:
description:
- Internet protocol version.
- No value means the rule applies both to IPv4 and IPv6.
sample: null
type: str
name:
description:
- Name of the firewall rule.
sample: Allow HTTP access to server
type: str
protocol:
description:
- Protocol above IP layer.
sample: tcp
type: str
src_ip:
description:
- Source IP address or subnet address.
- CIDR notation.
sample: null
type: str
src_port:
description:
- Source port or port range.
sample: null
type: str
tcp_flags:
description:
- TCP flags or logical combination of flags.
sample: null
type: str
description:
- Output firewall rules.
elements: dict
type: list
description:
- Firewall rules.
type: dict
server_ip:
description:
- Server's main IP address.
sample: 1.2.3.4
type: str
server_number:
description:
- Hetzner's internal server number.
sample: 12345
type: int
status:
description:
- Status of the firewall.
- V(active) or V(disabled).
- Will be V(in process) if the firewall is currently updated, and O(wait_for_configured)
is set to V(false) or O(timeout) to a too small value.
sample: active
type: str
whitelist_hos:
description:
- Whether Hetzner services have access.
- Old name of return value V(allowlist_hos), will be removed eventually.
sample: true
type: bool
description:
- The firewall configuration.
returned: success
type: dict