opoplawski/ ansible-pfsense
About the developer
141 Stars 
27 Forks 
GNU General Public License v3.0 
351 Commits 
11 Opened issues 
Description
Ansible modules for managing pfSense firewalls
Services available
Contributors list
Ansible-pfsense / pfsensible.core
This is a set of modules to allow you to configure pfSense firewalls with ansible.
Installation using ansible galaxy
Ansible Galaxy (as of version 2.9) now has an option for collections. A collection is a distribution format for delivering all type of Ansible content (not just roles as it was before). We have renamed the collection 'pfsensible.core' for galaxy distribution. To install:
ansible-galaxy collection install pfsensible.core
Optionally, you can specify the path of the collection installation with the
-poption.
ansible-galaxy collection install pfsensible.core -p ./collections
Additionally, you can set the
collections_pathsoption in your
ansible.cfgfile to automatically designate install locations.
# ansible.cfg [defaults] collections_paths=collections
NOTE: Changes with pfsensible.core 0.4.0
With pfsensible.core 0.4.0 we have stopped stripping the pfsense_ prefix from the module names. This caused conflicts with other modules (like the ansible core 'setup' module). You can use the 'collections' keyword in your playbooks and roles to simplify the module names instead.
Installing using ansible pre-2.9 (not galaxy)
Just checkout the repository and run your playbooks from the ansible-pfsense directory.
Configuration
Current ansible (2.9) python discovery should detect the installed python. If not, you can set in your playbook or hosts vars:
pfSense >= 2.4.5:
ansible_python_interpreter: /usr/local/bin/python3.7pfSense < 2.4.5:
ansible_python_interpreter: /usr/local/bin/python2.7
Modules must run as root in order to make changes to the system. By default pfSense does not have sudo capability so
becomewill not work. You can install it with:
- name: "Install packages"
package:
name:
- pfSense-pkg-sudo
state: present
and then configure sudo so that your user has permission to use sudo.
Modules
The following modules are currently available:
- pfsense_alias for aliases
- pfsenseauthserverldap for LDAP authentication servers
- pfsense_ca for Certificate Authorities
- pfsense_gateway for routing gateways
- pfsense_group for groups
- pfsense_interface for interfaces
- pfsense_ipsec for ipsec tunnels and phase 1 options
- pfsenseipsecproposal for ipsec proposals
- pfsenseipsecp2 for ipsec tunnels phase 2 options
- pfsensenatoutbound for outbound NAT rules
- pfsensenatport_forward for port forward NAT rules
- pfsense_route for routes
- pfsense_rule for rules
- pfsenseruleseparator for rule separators
- pfsense_setup for general setup
- pfsense_user for users
- pfsense_vlan for vlans
Bulk modules
These modules allow you to make important changes at once and, using the purge parameters, to keep the targets configuration strictly synchronized with your playbooks:
- pfsense_aggregate for aliases, rules, rule separators, interfaces and vlans
- pfsenseipsecaggregate for ipsec tunnels, phases 1, phases 2 and proposals
Third party modules
These modules allow you to manage installed packages:
- pfsensehaproxybackend for haproxy backends
- pfsensehaproxybackend_server for haproxy backends servers
Operation
Modules in the collection work by editing
/cf/conf/config.xmlusing xml.etree.ElementTree, then calling the appropriate php update function via the pfsense php developer shell.
Some formatting is lost, and CDATA items are converted to normal entries, but so far no problems with that have been noted.
License
GPLv3.0 or later