community.proxmox.proxmox_firewall module – Manage firewall rules in Proxmox

Note

This module is part of the community.proxmox collection (version 1.4.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.proxmox. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.proxmox.proxmox_firewall.

New in community.proxmox 1.4.0

Synopsis

  • create/update/delete FW rules at cluster/group/vnet/node/vm level

  • Create/delete firewall security groups

  • Create/delete aliases

Requirements

The below requirements are needed on the host that executes this module.

  • proxmoxer >= 2.0

  • requests

Parameters

Parameter

Comments

aliases

list / elements=dictionary

List of aliases.

Alias can only be created/updated/deleted at cluster or VM level.

cidr

string

CIDR for alias.

Only needed when state=present or state=update.

comment

string

Comment for alias.

name

string / required

Alias name.

api_host

string / required

Specify the target host of the Proxmox VE cluster.

Uses the PROXMOX_HOST environment variable if not specified.

api_password

string

Specify the password to authenticate with.

Uses the PROXMOX_PASSWORD environment variable if not specified.

api_port

integer

Specify the target port of the Proxmox VE cluster.

Uses the PROXMOX_PORT environment variable if not specified.

api_token_id

string

Specify the token ID.

Uses the PROXMOX_TOKEN_ID environment variable if not specified.

api_token_secret

string

Specify the token secret.

Uses the PROXMOX_TOKEN_SECRET environment variable if not specified.

api_user

string / required

Specify the user to authenticate with.

Uses the PROXMOX_USER environment variable if not specified.

comment

string

Comment for security group.

Only needed when creating group.

group

string

Name of the group to which the rule belongs.

Only needed when level=group or group_conf=true.

group_conf

boolean

Whether security group should be created or deleted.

Choices:

  • false ← (default)

  • true

ip_sets

list / elements=dictionary

List of IP set definitions to create, update, or remove.

Each IP set is a named collection of CIDRs (with optional negation and comments).

cidrs

list / elements=dictionary

List of CIDR entries in the IP set.

cidr

string / required

CIDR notation for the entry.

comment

string

Optional comment for this CIDR entry.

nomatch

boolean

When true, this CIDR acts as a negative match (exclusion) within the set.

Choices:

  • false ← (default)

  • true

comment

string

Optional comment for the IP set.

name

string / required

Unique name of the IP set.

level

string

Level at which the firewall rule applies.

Choices:

  • "cluster" ← (default)

  • "group"

  • "vnet"

  • "node"

  • "vm"

node

string

Name of the node.

Only needed when level=node.

pos

integer

Position of the rule in the list.

Only needed if state=absent.

rules

list / elements=dictionary

List of individual rules to be applied.

action

string / required

Rule action (‘ACCEPT’, ‘DROP’, ‘REJECT’) or security group name.

comment

string

Optional comment for the specific rule.

dest

string

Restrict packet destination address.

This can refer to a single IP address, an IP set (‘+ipsetname’) or an IP alias definition.

You can also specify an address range like ‘20.34.101.207-201.3.9.99’, or a list of IP addresses and networks (entries are separated by comma).

Please do not mix IPv4 and IPv6 addresses inside such lists.

digest

string

Prevent changes if current configuration file has a different digest.

This can be used to prevent concurrent modifications.

If not provided we will calculate at runtime.

dport

string

Restrict TCP/UDP destination port.

You can use service names or simple numbers (0-65535), as defined in ‘/etc/services’.

Port ranges can be specified with ‘\d+:\d+’, for example ‘80:85’, and you can use comma separated list to match several ports or ranges.

enable

boolean

Enable or disable the rule.

Choices:

  • false

  • true

icmp_type

string

Specify icmp-type. Only valid if proto equals ‘icmp’ or ‘icmpv6’/’ipv6-icmp’.

iface

string

Network interface name. You have to use network configuration key names for VMs and containers (‘net\d+’).

Host related rules can use arbitrary strings.

log

string

Logging level for the rule.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog"

macro

string

Use predefined standard macro.

pos

integer / required

Position of the rule in the list.

proto

string

IP protocol. You can use protocol names (‘tcp’/’udp’) or simple numbers, as defined in ‘/etc/protocols’.

source

string

Restrict packet source address.

This can refer to a single IP address, an IP set (‘+ipsetname’) or an IP alias definition.

You can also specify an address range like ‘20.34.101.207-201.3.9.99’, or a list of IP addresses and networks (entries are separated by comma).

Please do not mix IPv4 and IPv6 addresses inside such lists.

sport

string

Restrict TCP/UDP source port.

You can use service names or simple numbers (0-65535), as defined in ‘/etc/services’.

Port ranges can be specified with ‘\d+:\d+’, for example ‘80:85’, and you can use comma separated list to match several ports or ranges.

type

string / required

Rule type.

Choices:

  • "in"

  • "out"

  • "forward"

  • "group"

state

string

Create/update/delete firewall rules or security group.

Choices:

  • "present" ← (default)

  • "absent"

update

boolean

If state=present and if one or more rule/alias/ipset already exists it will update them.

Choices:

  • false

  • true ← (default)

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only be used on personally controlled sites using self-signed certificates.

Uses the PROXMOX_VALIDATE_CERTS environment variable if not specified.

Choices:

  • false ← (default)

  • true

vmid

integer

ID of the VM to which the rule applies.

Only needed when level=vm.

vnet

string

Name of the virtual network for the rule.

Only needed when level=vnet.

Attributes

Attribute

Support

Description

action_group

Action group: community.proxmox.proxmox

Use group/community.proxmox.proxmox in module_defaults to set defaults for this module.

check_mode

Support: none

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Create firewall rules at cluster level
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    level: cluster
    state: present
    rules:
      - type: out
        action: ACCEPT
        source: 1.1.1.1
        log: nolog
        pos: 9
        enable: true
      - type: out
        action: ACCEPT
        source: 1.0.0.1
        pos: 10
        enable: true

- name: Update Cluster level firewall rules
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    level: cluster
    state: present
    update: true
    rules:
      - type: out
        action: ACCEPT
        source: 8.8.8.8
        log: nolog
        pos: 9
        enable: false
      - type: out
        action: ACCEPT
        source: 8.8.4.4
        pos: 10
        enable: false

- name: Delete cluster level firewall rule at pos 10
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    level: cluster
    state: absent
    pos: 10

- name: Create security group
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    group_conf: true
    state: present
    group: test

- name: Delete security group
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    group_conf: true
    state: absent
    group: test

- name: Create FW aliases
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    state: present
    aliases:
      - name: test1
        cidr: '10.10.1.0/24'
      - name: test2
        cidr: '10.10.2.0/24'

- name: Update FW aliases
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    state: present
    update: true
    aliases:
      - name: test1
        cidr: '10.10.1.0/28'
      - name: test2
        cidr: '10.10.2.0/28'

- name: Delete FW aliases
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    state: absent
    aliases:
      - name: test1
      - name: test2

- name: Create IP SET
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    ip_sets:
      - name: hypervisors
        comment: PVE hosts
        cidrs:
          - cidr: 192.168.1.10
            nomatch: false
            comment: Proxmox pve-01
          - cidr: 192.168.1.11
            nomatch: true
            comment: Proxmox pve-02
      - name: test
        comment: PVE hosts
        cidrs:
          - cidr: 10.10.1.0
            comment: Proxmox pve-01

- name: Delete IP SETs
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    state: absent
    ip_sets:
      - name: hypervisors

- name: Delete specific CIDR from IP SET
  community.proxmox.proxmox_firewall:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    state: absent
    ip_sets:
      - name: test
        cidrs:
          - cidr: 10.10.1.0

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

group

string

group name which was created/deleted

Returned: on success

Sample: "test"

Authors

  • Jana Hoch