#!/usr/bin/env ansible-playbook
---
# Firewall policy for the two back-infra routers, applied through the
# `firewall` role. Zones are named address sets; the input/output/forward
# lists are rule lists (presumably consumed in order by the role — confirm
# against the role's template before relying on rule precedence).
- hosts:
    - infra-1.back.infra.auro.re
    - infra-2.back.infra.auro.re
  vars:
    # Each concrete zone is one IPv6 /64 plus one IPv4 /16 (ext also carries
    # the public 45.66.111.0/24).
    firewall__zones:
      adm-legacy:
        addrs:
          - 2a09:6840:128::/64
          - 10.128.0.0/16
      ups:
        addrs:
          - 2a09:6840:201::/64
          - 10.201.0.0/16
      edge:
        addrs:
          - 2a09:6840:202::/64
          - 10.202.0.0/16
      core:
        addrs:
          - 2a09:6840:203::/64
          - 10.203.0.0/16
      monit:
        addrs:
          - 2a09:6840:204::/64
          - 10.204.0.0/16
      wifi:
        addrs:
          - 2a09:6840:205::/64
          - 10.205.0.0/16
      int:
        addrs:
          - 2a09:6840:206::/64
          - 10.206.0.0/16
      sw:
        addrs:
          - 2a09:6840:207::/64
          - 10.207.0.0/16
      bmc:
        addrs:
          - 2a09:6840:208::/64
          - 10.208.0.0/16
      pve:
        addrs:
          - 2a09:6840:209::/64
          - 10.209.0.0/16
      isp:
        addrs:
          - 2a09:6840:210::/64
          - 10.210.0.0/16
      ext:
        addrs:
          - 2a09:6840:211::/64
          - 45.66.111.0/24
          - 10.211.0.0/16
      vpn-clients:
        addrs:
          - 2a09:6840:212::/64
          - 10.212.0.0/16
      vpn:
        addrs:
          - 2a09:6840:213::/64
          - 10.213.0.0/16
      # Composite zone: the union of the zones listed below. Note that
      # vpn-clients is not part of it, so VPN users only get what the
      # explicit vpn-clients -> infra forward rule grants.
      infra:
        zones:
          - adm-legacy
          - ups
          - core
          - edge
          - monit
          - wifi
          - int
          - sw
          - bmc
          - pve
          - isp
          - ext
          - vpn
      # NOTE(review): negate presumably makes this zone the complement of the
      # listed prefixes, i.e. "anything that is not one of our own ranges";
      # if any own prefix is missing here it would be treated as internet.
      internet:
        negate: true
        addrs:
          - 2a09:6840::/32
          - 2a09:6841::/32
          - 2a09:6842::/32
          - 45.66.108.0/22
          - 10.0.0.0/8
          - 100.64.0.0/10
    # Traffic terminating on or originating from the routers themselves is
    # accepted unconditionally; only routed traffic is filtered below.
    firewall__input:
      - verdict: accept
    firewall__output:
      - verdict: accept
    firewall__forward:
      - src: vpn-clients
        dst: infra
        verdict: accept
      # Blanket egress for every internal zone, flagged by the author as
      # temporary.
      - src: infra  # FIXME: temporary
        dst: internet
        verdict: accept
      - src: monit
        dst: bmc
        protocols:
          icmp: true
        verdict: accept
      - src: adm-legacy
        dst: bmc
        verdict: accept
      # No src given: UDP/5121 to these two addresses is reachable from any
      # source zone (including internet).
      - dst:
          - 2a09:6840:211::204
          - 45.66.111.204
        protocols:
          udp:
            dport: 5121
        verdict: accept
    firewall__nat:
      # Source-NAT all RFC1918 10/8 traffic leaving towards the internet
      # behind a single public address; protocols is explicitly null, which
      # the role presumably reads as "all protocols" — confirm.
      - src: 10.0.0.0/8
        dst: internet
        protocols: null
        snat:
          addr: 45.66.111.200/32
  roles:
    - firewall
...