
Module Request: firewall_rules #98

Closed
DonGiovanni83 opened this issue Apr 16, 2024 · 0 comments · Fixed by #97
@DonGiovanni83 (Contributor) commented:

Module Description

Add, modify or delete firewall rules on the OPNsense system.

Minimum Viable Product (MVP)

Express your minimal viable product in the form of
the Ansible DOCUMENTATION block format:

---
module: firewall_rules
short_description: This module is used to manage OPNSense firewall rules
version_added: "1.0.0"
description: This module is used to manage OPNSense firewall rules.
options:
    action:
        description: Choose what to do with packets that match the criteria specified below.
        choices:
            - pass
            - block
            - reject
        default: pass
        type: str
    disabled:
        description: Set this option to disable this rule without removing it from the list.
        required: false
        default: false
        type: bool
    ipprotocol:
        description: IP version
        required: false
        default: inet
        choices:
            - inet
            - inet6
            - inet46
        type: str
    quick:
        description: |
          If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken.
          When a rule does not have quick enabled, the last matching rule wins.
        required: false
        default: true
        type: bool
    interface:
        description: Choose on which interface packets must come in to match this rule.
        required: true
        type: str
    direction:
        description: |
          Direction of the traffic. Traffic IN is coming into the firewall interface, while traffic OUT is going out of the firewall interface.
          In visual terms: [Source] -> IN -> [Firewall] -> OUT -> [Destination]. The default policy is to filter inbound traffic,
          which means the policy applies to the interface on which the traffic is originally received by the firewall from the source.
          This is more efficient from a traffic processing perspective. In most cases, the default policy will be the most appropriate.
        choices:
            - in
            - out
        default: in
        type: str
    protocol:
        description: Choose which IP protocol this rule should match.
        choices:
            - any
            - tcp
            - udp
            - tcp/udp
            - icmp
            - esp
            - ah
            - gre
            - igmp
            - pim
            - ospf
            - ggp
            - ipencap
            - st2
            - cbt
            - egp
            - igp
            - bbn-rcc
            - nvp
            - pup
            - argus
            - emcon
            - xnet
            - chaos
            - mux
            - dcn
            - hmp
            - prm
            - xns-idp
            - trunk-1
            - trunk-2
            - leaf-1
            - leaf-2
            - rdp
            - irtp
            - iso-tp4
            - netblt
            - mfe-nsp
            - merit-inp
            - dccp
            - 3pc
            - idpr
            - xtp
            - ddp
            - idpr-cmtp
            - tp++
            - il
            - ipv6
            - sdrp
            - idrp
            - rsvp
            - dsr
            - bna
            - i-nlsp
            - swipe
            - narp
            - mobile
            - tlsp
            - skip
            - ipv6-icmp
            - cftp
            - sat-expak
            - kryptolan
            - rvd
            - ippc
            - sat-mon
            - visa
            - ipcv
            - cpnx
            - cphb
            - wsn
            - pvp
            - br-sat-mon
            - sun-nd
            - wb-mon
            - wb-expak
            - iso-ip
            - vmtp
            - secure-vmtp
            - vines
            - ttp
            - nsfnet-igp
            - dgp
            - tcf
            - eigrp
            - sprite-rpc
            - larp
            - mtp
            - ax.25
            - ipip
            - micp
            - scc-sp
            - etherip
            - encap
            - gmtp
            - ifmp
            - pnni
            - aris
            - scps
            - qnx
            - a/n
            - ipcomp
            - snp
            - compaq-peer
            - ipx-in-ip
            - carp
            - pgm
            - l2tp
            - ddx
            - iatp
            - stp
            - srp
            - uti
            - smp
            - sm
            - ptp
            - isis
            - crtp
            - crudp
            - sps
            - pipe
            - sctp
            - fc
            - rsvp-e2e-ignore
            - udplite
            - mpls-in-ip
            - manet
            - hip
            - shim6
            - wesp
            - rohc
            - pfsync
            - divert
        required: false
        default: any
        type: str
    source:
        description:
          - Specifies the source configuration.
        type: dict
        suboptions:
          address:
            description:
              - The IP address of the source.
            default: any
            type: str
          network:
            description:
              - The network of the source.
            default: any
            type: str
          port:
            description:
              - The port of the source.
            default: any
            type: str
          invert:
            description:
              - Inverts the match logic.
            default: false
            type: bool
    destination:
        description:
          - Specifies the destination configuration.
        type: dict
        suboptions:
          address:
            description:
              - The IP address of the destination.
            type: str
            default: any
          network:
            description:
              - The network of the destination.
            type: str
            default: any
          port:
            description:
              - The port of the destination.
            type: str
            default: any
          invert:
            description:
              - Inverts the match logic.
            default: false
            type: bool
    log:
        description: |
          Log packets that are handled by this rule. Hint: the firewall has limited local log space. Don't turn on logging for everything.
          If you want to do a lot of logging, consider using a remote syslog server.
        required: false
        default: false
        type: bool
    category:
        description: You may enter or select a category here to group firewall rules
        required: false
        type: str
    description:
        description: Description for the rule.
        required: false
        type: str
    state:
        description: Whether the rule should be added or removed.
        required: false
        type: str
        default: present
        choices: [present, absent]

Examples

- name: Block SSH in LAN Network
  puzzle.opnsense.firewall_rules:
    interface: lan
    protocol: tcp  # a port only matches for tcp, udp or tcp/udp
    # source omitted: address, network and port default to any
    destination:
        port: 22
    action: block

Additional Notes (Optional)

  • The interface name could be verified against the device name, its alias or the descriptive name once an interface-related module provides an appropriate utility for it.
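The following is an added example, not code from the puzzle.opnsense collection or from the issue author: it applies the defaults and choices of the DOCUMENTATION block above to a task's parameters and shows how a module of this shape can decide idempotently whether a rule has to be added, left alone or removed. The port-requires-TCP/UDP check and the rule identity key (MATCH_FIELDS) are assumptions for the example, not something the issue specifies.

```python
from copy import deepcopy

# Defaults and choices taken from the DOCUMENTATION block in this issue.
DEFAULTS = {
    "action": "pass", "disabled": False, "ipprotocol": "inet", "quick": True,
    "direction": "in", "protocol": "any", "log": False, "state": "present",
}
CHOICES = {
    "action": {"pass", "block", "reject"},
    "ipprotocol": {"inet", "inet6", "inet46"},
    "direction": {"in", "out"},
    "state": {"present", "absent"},
}
ENDPOINT_DEFAULTS = {"address": "any", "network": "any", "port": "any", "invert": False}
# Assumption: a port is only meaningful for TCP/UDP, as in the OPNsense rule editor.
PORT_PROTOCOLS = {"tcp", "udp", "tcp/udp"}
# Assumption: these fields decide which packets a rule applies to, so they identify "the same rule".
MATCH_FIELDS = ("interface", "direction", "ipprotocol", "protocol", "source", "destination")


def normalise_rule(params):
    """Apply the spec's defaults and reject parameters the spec (or the firewall) would not accept."""
    rule = deepcopy(DEFAULTS)
    rule.update({k: v for k, v in params.items() if v is not None})
    if not rule.get("interface"):
        raise ValueError("interface is required")
    for key, allowed in CHOICES.items():
        if rule[key] not in allowed:
            raise ValueError(f"{key}={rule[key]!r} must be one of {sorted(allowed)}")
    for side in ("source", "destination"):
        endpoint = dict(ENDPOINT_DEFAULTS)
        endpoint.update(params.get(side) or {})
        endpoint["port"] = str(endpoint["port"])  # the spec types port as str
        if endpoint["port"] != "any" and rule["protocol"] not in PORT_PROTOCOLS:
            raise ValueError(f"{side}.port needs protocol tcp, udp or tcp/udp, not {rule['protocol']!r}")
        rule[side] = endpoint
    return rule


def _key(rule):
    """Match identity of a rule (dict-valued fields made hashable)."""
    return tuple(tuple(sorted(rule[f].items())) if isinstance(rule[f], dict) else rule[f]
                 for f in MATCH_FIELDS)


def plan_change(existing_rules, params):
    """Return (changed, resulting rule list); existing_rules are normalised rule dicts."""
    wanted = normalise_rule(params)
    state = wanted.pop("state")
    same = [r for r in existing_rules if _key(r) == _key(wanted)]
    others = [r for r in existing_rules if _key(r) != _key(wanted)]
    if state == "absent":
        return bool(same), others
    if same and all(same[0].get(f) == wanted[f] for f in wanted):
        return False, existing_rules  # already present and identical: no change
    return True, others + [wanted]
```

Running the same task twice reports a change only on the first run, which is the behaviour Ansible's check mode and `changed` status expect from the module.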
@DonGiovanni83 DonGiovanni83 added the feature This Issue/PR relates to a feature request label Apr 16, 2024
@DonGiovanni83 DonGiovanni83 linked a pull request Apr 16, 2024 that will close this issue
@DonGiovanni83 DonGiovanni83 added this to the v1.0.0 milestone Apr 17, 2024