community.proxmox.proxmox_cluster_firewall module – Cluster-level firewall options management for Proxmox VE cluster

Note

This module is part of the community.proxmox collection (version 2.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.proxmox. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.proxmox.proxmox_cluster_firewall.

New in community.proxmox 2.0.0

Synopsis

  • Manage firewall options at the cluster level in Proxmox VE.

  • Enable or disable the firewall cluster-wide, set default policies, ebtables, and log ratelimiting.

Requirements

The below requirements are needed on the host that executes this module.

  • proxmoxer >= 2.3

  • requests

Parameters

Parameter

Comments

api_host

string / required

Specify the target host of the Proxmox VE cluster.

Uses the PROXMOX_HOST environment variable if not specified.

api_otp

string

Specify the one-time password (OTP) used for two-factor authentication.

Uses the PROXMOX_OTP environment variable if not specified.

api_password

string

Specify the password to authenticate with.

Uses the PROXMOX_PASSWORD environment variable if not specified.

api_port

integer

Specify the target port of the Proxmox VE cluster.

Uses the PROXMOX_PORT environment variable if not specified.

api_timeout

integer

Time limit for requests towards the Proxmox VE API.

Default: 5

api_token_id

string

Specify the token ID.

Uses the PROXMOX_TOKEN_ID environment variable if not specified.

api_token_secret

string

Specify the token secret.

Uses the PROXMOX_TOKEN_SECRET environment variable if not specified.

api_user

string / required

Specify the user to authenticate with.

Uses the PROXMOX_USER environment variable if not specified.

ca_path

path

Path to a local CA certificate (or bundle) used to verify the TLS certificate presented by the Proxmox VE API. Use this instead of disabling verification when the API uses a self-signed or private-CA certificate.

Ignored if validate_certs=false.

ebtables

boolean

Enable ebtables rules cluster-wide.

Choices:

  • false

  • true ← (default)

forward_policy

string

Default policy for forwarded traffic.

Choices:

  • "ACCEPT" ← (default)

  • "DROP"

input_policy

string

Default policy for incoming traffic.

Choices:

  • "ACCEPT"

  • "REJECT"

  • "DROP" ← (default)

log_ratelimit

dictionary

Log ratelimiting settings.

burst

integer

Initial burst of packets which will always get logged before the rate is applied.

Default: 5

enabled

boolean

Enable or disable log ratelimiting.

Choices:

  • false

  • true ← (default)

rate

string

Frequency with which the burst bucket gets refilled.

Must match the pattern [1-9][0-9]*/(second|minute|hour|day), e.g. 1/second.

Default: "1/second"

output_policy

string

Default policy for outgoing traffic.

Choices:

  • "ACCEPT" ← (default)

  • "REJECT"

  • "DROP"

state

string

Enable or disable the firewall cluster-wide.

The default is disabled, so a task that omits this parameter requests the disabled state; set it explicitly in every task that manages the firewall. With the default input_policy of DROP, enabling the firewall blocks all traffic to the nodes that no rule allows, so make sure rules permitting management access (web UI, SSH, cluster communication) exist before enabling it, and preview the change in check mode first.

Choices:

  • "enabled"

  • "disabled" ← (default)

validate_certs

boolean

Validate the TLS certificates used for the connection to the Proxmox VE API.

Disabling validation lets anyone who can redirect the connection read the password or token secret sent to the API; prefer ca_path for self-signed deployments.

May be set through the environment variable PROXMOX_VALIDATE_CERTS.

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

action_group

Action group: community.proxmox.proxmox

Use group/community.proxmox.proxmox in module_defaults to set defaults for this module.

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

See Also

Proxmox VE Firewall configuration

Complete reference of Proxmox VE Firewall

Proxmox VE cluster-wide configuration

Cluster-wide setup section of the Proxmox VE Firewall reference

Authentication

Complete guide for the Proxmox API authentication

Examples

# Connection parameters (api_host, api_user and either api_password or
# api_token_id/api_token_secret) are omitted in these examples and taken
# from the PROXMOX_* environment variables.
- name: Set cluster-wide firewall options
  community.proxmox.proxmox_cluster_firewall:
    state: enabled
    ebtables: true
    input_policy: DROP
    output_policy: ACCEPT
    forward_policy: ACCEPT
    log_ratelimit:
      enabled: false
      burst: 10
      rate: 5/second

- name: Block ingress and allow egress traffic
  community.proxmox.proxmox_cluster_firewall:
    state: enabled
    ebtables: true
    input_policy: DROP
    output_policy: ACCEPT
    forward_policy: ACCEPT

- name: Set cluster-wide firewall ratelimiting options
  community.proxmox.proxmox_cluster_firewall:
    state: enabled
    ebtables: true
    log_ratelimit:
      enabled: false
      burst: 10
      rate: 5/second

- name: Disable cluster-wide firewall
  community.proxmox.proxmox_cluster_firewall:
    state: disabled

Return Values

Common return values are documented in the Ansible return values reference; the following fields are unique to this module:

Key

Description

ebtables

boolean

Whether ebtables is enabled cluster-wide.

Returned: on success

Sample: false

enabled

boolean

Whether the firewall is enabled cluster-wide.

Returned: on success

Sample: true

forward_policy

string

Default policy for forwarded traffic.

Returned: on success

Sample: "ACCEPT"

input_policy

string

Default policy for incoming traffic.

Returned: on success

Sample: "DROP"

log_ratelimit

dictionary

Log ratelimiting settings (when present in cluster options).

Returned: on success

Sample: {"burst": 5, "enabled": true, "rate": "1/second"}

msg

string

A short message on what the module did.

Returned: always

Sample: "Cluster firewall options updated"

output_policy

string

Default policy for outgoing traffic.

Returned: on success

Sample: "ACCEPT"

Authors

  • Clément Cruau (@PendaGTP)