community.proxmox.proxmox_node_firewall module – Node-level firewall options management for Proxmox VE cluster

Note

This module is part of the community.proxmox collection (version 2.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.proxmox. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.proxmox.proxmox_node_firewall.

New in community.proxmox 2.0.0

Synopsis

  • Manage firewall options at the node level in Proxmox VE.

Requirements

The requirements below are needed on the host that executes this module.

  • proxmoxer >= 2.3

  • requests

Parameters

Parameter

Comments

api_host

string / required

Specify the target host of the Proxmox VE cluster.

Uses the PROXMOX_HOST environment variable if not specified.

api_otp

string

Specify the OTP.

Uses the PROXMOX_OTP environment variable if not specified.

api_password

string

Specify the password to authenticate with.

Uses the PROXMOX_PASSWORD environment variable if not specified.

api_port

integer

Specify the target port of the Proxmox VE cluster.

Uses the PROXMOX_PORT environment variable if not specified.

api_timeout

integer

Time limit for requests towards the Proxmox VE API.

Default: 5

api_token_id

string

Specify the token ID.

Uses the PROXMOX_TOKEN_ID environment variable if not specified.

api_token_secret

string

Specify the token secret.

Uses the PROXMOX_TOKEN_SECRET environment variable if not specified.

api_user

string / required

Specify the user to authenticate with.

Uses the PROXMOX_USER environment variable if not specified.

ca_path

path

Path to a local certificate, which will be used to verify TLS connections.

Ignored if validate_certs=false.

log_level_forward

string

Log level for forwarded traffic.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog" ← (default)

log_level_in

string

Log level for incoming traffic.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog" ← (default)

log_level_out

string

Log level for outgoing traffic.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog" ← (default)

ndp

boolean

Enable NDP (Neighbor Discovery Protocol).

Choices:

  • false

  • true ← (default)

nf_conntrack_allow_invalid

boolean

Allow invalid packets on connection tracking.

Choices:

  • false ← (default)

  • true

nf_conntrack_helpers

string

Enable conntrack helpers for specific protocols.

nf_conntrack_max

integer

Maximum number of tracked connections.

Minimum value is 32768.

Default: 262144

nf_conntrack_tcp_timeout_established

integer

Conntrack established timeout in seconds.

Minimum value is 7875.

Default: 432000

nf_conntrack_tcp_timeout_syn_recv

integer

Conntrack SYN receive timeout in seconds.

Values between 30 and 60.

Default: 60

nftables

boolean

Enable nftables based firewall.

Choices:

  • false ← (default)

  • true

node_name

aliases: node

string / required

Name of the node to configure the firewall on.

nosmurfs

boolean

Enable SMURFS filter.

Choices:

  • false

  • true ← (default)

protection_synflood

boolean

Enable synflood protection.

Choices:

  • false ← (default)

  • true

protection_synflood_burst

integer

Synflood protection rate burst per source IP address.

Default: 1000

protection_synflood_rate

integer

Synflood protection rate in SYN/sec per source IP address.

Default: 200

smurf_log_level

string

Log level for SMURFS filter.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog" ← (default)

state

string

Enable or disable the firewall node-wide.

Choices:

  • "enabled" ← (default)

  • "disabled"

tcp_flags_log_level

string

Log level for illegal TCP flags filter.

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warning"

  • "notice"

  • "info"

  • "debug"

  • "nolog" ← (default)

tcpflags

boolean

Filter illegal combinations of TCP flags.

Choices:

  • false ← (default)

  • true

validate_certs

boolean

Validate the TLS certificates used for the connection to the Proxmox VE API.

May be set through the environment variable PROXMOX_VALIDATE_CERTS.

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

action_group

Action group: community.proxmox.proxmox

Use group/community.proxmox.proxmox in module_defaults to set defaults for this module.

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

See Also

Proxmox VE Firewall configuration

Complete reference of Proxmox VE Firewall

Proxmox VE node-wide configuration

Complete reference of Proxmox VE Firewall host configuration

community.proxmox.proxmox_node_firewall_info

Get node-level firewall options for Proxmox VE cluster.

community.proxmox.proxmox_cluster_firewall

Cluster-level firewall options management for Proxmox VE cluster.

Authentication

Complete guide for the Proxmox API authentication

Examples

- name: Configure traffic log level
  community.proxmox.proxmox_node_firewall:
    state: enabled
    node_name: pve-001
    log_level_in: alert
    log_level_out: alert
    log_level_forward: alert

- name: Disable node-wide firewall
  community.proxmox.proxmox_node_firewall:
    state: disabled
    node_name: pve-001

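The following playbook is an added example and not part of the collection's own documentation. It assumes a node named pve-001, placeholder API credentials supplied through module_defaults for the community.proxmox.proxmox action group, and the token secret provided via the PROXMOX_TOKEN_SECRET environment variable as the parameter table describes.

```yaml
# Added example, not from the collection's own docs: hardens the node firewall
# on pve-001 in check mode first, then applies it and checks the return values.
- name: Harden node-level firewall on pve-001
  hosts: localhost
  gather_facts: false
  module_defaults:
    # Action group named in the Attributes section; these values are placeholders.
    # api_token_secret is omitted on purpose: the module reads PROXMOX_TOKEN_SECRET
    # from the environment, which keeps the secret out of the playbook.
    group/community.proxmox.proxmox:
      api_host: pve-001.example.invalid
      api_user: ansible@pve
      api_token_id: firewall-automation
      validate_certs: true
      ca_path: /etc/ssl/certs/internal-ca.pem
  tasks:
    - name: Preview the change without modifying the node
      community.proxmox.proxmox_node_firewall: &hardened_options
        node_name: pve-001
        state: enabled
        protection_synflood: true
        protection_synflood_rate: 200       # SYN/sec per source IP (module default)
        protection_synflood_burst: 1000     # burst per source IP (module default)
        tcpflags: true                      # drop illegal TCP flag combinations
        tcp_flags_log_level: warning
        nosmurfs: true
        smurf_log_level: warning
        nf_conntrack_allow_invalid: false
        nf_conntrack_max: 524288            # must be >= 32768
        nf_conntrack_tcp_timeout_established: 86400   # must be >= 7875
        nf_conntrack_tcp_timeout_syn_recv: 30         # allowed range is 30 to 60
        log_level_in: warning
        log_level_out: nolog
        log_level_forward: warning
      check_mode: true

    - name: Apply the same options for real
      community.proxmox.proxmox_node_firewall: *hardened_options
      register: result

    - name: Verify the options the module reports back
      ansible.builtin.assert:
        that:
          - result.enabled | bool
          - result.protection_synflood | bool
          - result.tcpflags | bool
          - result.nf_conntrack_max | int >= 32768
        fail_msg: "Node firewall not hardened as expected: {{ result.msg }}"
```

The YAML anchor reuses one option set for the check-mode preview and the real run, so the two tasks cannot drift apart.
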
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

enabled

boolean

Whether the firewall is enabled node-wide.

Returned: on success

Sample: true

log_level_forward

string

Log level setting for forwarded traffic.

Returned: on success

Sample: "no_log"

log_level_in

string

Log level setting for incoming traffic.

Returned: on success

Sample: "no_log"

log_level_out

string

Log level setting for outgoing traffic.

Returned: on success

Sample: "no_log"

msg

string

A short message on what the module did.

Returned: always

Sample: "Node firewall options updated"

ndp

boolean

Whether NDP (Neighbor Discovery Protocol) is enabled.

Returned: on success

Sample: true

nf_conntrack_allow_invalid

boolean

Whether invalid packets are allowed on connection tracking.

Returned: on success

Sample: false

nf_conntrack_helpers

string

Conntrack helpers for specific protocols.

Returned: on success

nf_conntrack_max

integer

Maximum number of tracked connections.

Returned: on success

Sample: 262144

nf_conntrack_tcp_timeout_established

integer

Conntrack established timeout in seconds.

Returned: on success

Sample: 432000

nf_conntrack_tcp_timeout_syn_recv

integer

Conntrack SYN receive timeout in seconds.

Returned: on success

Sample: 60

nftables

boolean

Whether nftables based firewall is enabled.

Returned: on success

Sample: false

node_name

string

The name of the node.

Returned: on success

Sample: "pve-001"

nosmurfs

boolean

Whether SMURFS filter is enabled.

Returned: on success

Sample: true

protection_synflood

boolean

Whether synflood protection is enabled.

Returned: on success

Sample: false

protection_synflood_burst

integer

Synflood protection rate burst per source IP address.

Returned: on success

Sample: 1000

protection_synflood_rate

integer

Synflood protection rate in SYN/sec per source IP address.

Returned: on success

Sample: 200

smurf_log_level

string

Log level setting for SMURFS filter.

Returned: on success

tcp_flags_log_level

string

Log level setting for illegal TCP flags filter.

Returned: on success

tcpflags

boolean

Whether illegal combinations of TCP flags are filtered.

Returned: on success

Sample: false

Authors

  • Clément Cruau (@PendaGTP)