community.hrobot.firewall module – Manage Hetzner’s dedicated server firewall
Note
This module is part of the community.hrobot collection (version 2.0.1).
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.hrobot
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.hrobot.firewall
.
Synopsis
Manage Hetzner’s dedicated server firewall.
Note that idempotency check for TCP flags simply compares strings and doesn’t try to interpret the rules. This might change in the future.
Requirements
The below requirements are needed on the host that executes this module.
ipaddress
Parameters
Parameter |
Comments |
---|---|
Whether Hetzner services have access. Choices:
|
|
Whether to filter IPv6 traffic as well. IPv4 traffic is always filtered, IPv6 traffic filtering needs to be explicitly enabled. Choices:
|
|
The password for the Robot web-service user. |
|
The username for the Robot web-service user. |
|
Switch port of firewall. Choices:
|
|
Firewall rules. |
|
Input firewall rules. |
|
Action if rule matches. Choices:
|
|
Destination IP address or subnet address. CIDR notation. |
|
Destination port or port range. |
|
Internet protocol version. Leave away to filter both protocols. Note that in that case, none of |
|
Name of the firewall rule. Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters |
|
Protocol above IP layer. |
|
Source IP address or subnet address. CIDR notation. |
|
Source port or port range. |
|
TCP flags or logical combination of flags. Flags supported by Hetzner are They can be combined with See the documentation for more information. |
|
Output firewall rules. |
|
Action if rule matches. Choices:
|
|
Destination IP address or subnet address. CIDR notation. |
|
Destination port or port range. |
|
Internet protocol version. Leave away to filter both protocols. Note that in that case, none of |
|
Name of the firewall rule. Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters |
|
Protocol above IP layer. |
|
Source IP address or subnet address. CIDR notation. |
|
Source port or port range. |
|
TCP flags or logical combination of flags. Flags supported by Hetzner are They can be combined with See the documentation for more information. |
|
The server’s main IP address. Exactly one of Note that Hetzner deprecated identifying the server’s firewall by the server’s main IP. Using this option can thus stop working at any time in the future. Use |
|
The server’s number. Exactly one of |
|
Status of the firewall. Firewall is active if state is Choices:
|
|
Timeout (in seconds) for waiting for firewall to be configured. Default: |
|
Timeout to use when configuring the firewall. Note that the API call returns before the firewall has been successfully set up. Default: |
|
Delay to wait (in seconds) before checking again whether the firewall has been configured. Default: |
|
Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module. The API returns status Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use community.hrobot.firewall_info to query status. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Action group: community.hrobot.robot added in community.hrobot 1.6.0 |
Use |
|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
See Also
See also
- Firewall documentation
Hetzner’s documentation on the stateless firewall for dedicated servers
- community.hrobot.firewall_info
Retrieve information on firewall configuration.
Examples
- name: Configure firewall for server with main IP 1.2.3.4
community.hrobot.firewall:
hetzner_user: foo
hetzner_password: bar
server_ip: 1.2.3.4
state: present
filter_ipv6: true
allowlist_hos: true
rules:
input:
- name: Allow ICMP protocol
# This is needed so you can ping your server
ip_version: ipv4
protocol: icmp
action: accept
# Note that it is not possible to disable ICMP for IPv6
# (https://robot.hetzner.com/doc/webservice/en.html#post-firewall-server-id)
- name: Allow responses to incoming TCP connections
protocol: tcp
dst_port: '32768-65535'
tcp_flags: ack
action: accept
- name: Allow restricted access from some known IPv4 addresses
# Allow everything to ports 20-23 from 4.3.2.1/24 (IPv4 only)
ip_version: ipv4
src_ip: 4.3.2.1/24
dst_port: '20-23'
action: accept
- name: Allow everything to port 443
dst_port: '443'
action: accept
- name: Drop everything else
action: discard
output:
- name: Accept everything
action: accept
register: result
- ansible.builtin.debug:
msg: "{{ result }}"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The firewall configuration. Returned: success |
|
Whether Hetzner services have access. Returned: success Sample: |
|
Switch port of firewall.
Returned: success Sample: |
|
Firewall rules. Returned: success |
|
Input firewall rules. Returned: success |
|
Action if rule matches.
Returned: success Can only return:
Sample: |
|
Destination IP address or subnet address. CIDR notation. Returned: success Sample: |
|
Destination port or port range. Returned: success Sample: |
|
Internet protocol version. No value means the rule applies both to IPv4 and IPv6. Returned: success Sample: |
|
Name of the firewall rule. Returned: success Sample: |
|
Protocol above IP layer. Returned: success Sample: |
|
Source IP address or subnet address. CIDR notation. Returned: success |
|
Source port or port range. Returned: success |
|
TCP flags or logical combination of flags. Returned: success |
|
Output firewall rules. Returned: success |
|
Action if rule matches.
Returned: success Can only return:
Sample: |
|
Destination IP address or subnet address. CIDR notation. Returned: success Sample: |
|
Destination port or port range. Returned: success Sample: |
|
Internet protocol version. No value means the rule applies both to IPv4 and IPv6. Returned: success |
|
Name of the firewall rule. Returned: success Sample: |
|
Protocol above IP layer. Returned: success Sample: |
|
Source IP address or subnet address. CIDR notation. Returned: success |
|
Source port or port range. Returned: success |
|
TCP flags or logical combination of flags. Returned: success |
|
Server’s main IP address. Returned: success Sample: |
|
Hetzner’s internal server number. Returned: success Sample: |
|
Status of the firewall.
Will be Returned: success Sample: |
|
Whether Hetzner services have access. Old name of return value Returned: success Sample: |