ferm is a wrapper around iptables command which lets you manage host firewall in an easy and Ansible-friendly way. This role can be used to setup firewall rules directly from inventory, or it can be used as a dependency by other roles to setup firewall rules for other services.


This role requires at least Ansible v1.7.0. To install it, run:

ansible-galaxy install debops.ferm

Role variables

List of default variables available in the inventory:


# Enable or disable iptables management
ferm: True

# List of iptables domains enabled in main ferm firewall
# Currently supported domains:
#   - 'ip'  - enables IPv4 support (iptables)
#   - 'ip6' - enables IPv6 support (ip6tables)
ferm_filter_domains: [ 'ip', 'ip6' ]

# Optional list of CIDR hosts which are not included in ssh port recent filter
# and won't be blocked by the firewall in case of too many connections.
# Entries are saved in the local facts on remote hosts.
# Remember to specify IP address from the remote host point of view.
# Format: "IP address/netmask", for example: ''
ferm_ansible_controllers: []

# Comment added at the beginning of iptables, set to False to disable
ferm_comment: 'Generated by ferm - /etc/ferm/ferm.conf'

# Default iptables policy for INPUT, OUTPUT and FORWARD chains
ferm_default_policy_input: 'DROP'
ferm_default_policy_output: 'ACCEPT'
ferm_default_policy_forward: 'DROP'

# Mark packets on invalid ports as bad guys (block port scanning)
ferm_mark_portscan: False

# List of iptables INPUT rules to manage, many variables can be found in
# template files, located in templates/etc/ferm/filter-input.d/ directory.
# Additional variables are described below.
ferm_input_list: []
ferm_input_group_list: []
ferm_input_host_list: []

  #- type: ''             # name of template file to use, required
                          #   format: <type>.conf.j2
  #  dport: []            # list of destination ports to manage, required
  #  weight: '10'         # helps with file sorting in rule directory, optional
  #  filename: ''         # custom filename instead of a generated one, optional
  #  delete: False/True   # delete specified rule file, optional

Authors and license

debops.ferm role was written by:

License: GPLv3