[a] better firewall rule defining
This commit is contained in:
parent
ce4756c178
commit
b8500d3dee
3 changed files with 36 additions and 49 deletions
|
@ -1,12 +1,17 @@
|
||||||
# Make a full system upgrade (using apt-get full-upgrade)
|
# Make a full system upgrade (using apt-get full-upgrade)
|
||||||
common_full_upgrade: false
|
common_full_upgrade: false
|
||||||
|
common_allow_restart: false # allow restarting after update
|
||||||
|
|
||||||
# Install and configure UFW Firewall on the system
|
# Install and configure UFW Firewall on the system
|
||||||
common_firewall_enable: true
|
common_firewall_enable: true
|
||||||
common_firewall_reject: false # reject all connections by default
|
common_firewall_reject: false # reject all connections by default
|
||||||
common_firewall_ssh: true # allow ssh connections
|
|
||||||
common_firewall_https: false # allow https connections
|
# Default Firewall Rules
|
||||||
common_firewall_http: false # allow http connections
|
common_firewall:
|
||||||
|
- port: 22
|
||||||
|
state: allow
|
||||||
|
interface: "{{ common_firewall_lan_interface if common_firewall_lan_interface }}"
|
||||||
|
comment: "Allow incoming connections on {{ common_firewall_lan_interface if common_firewall_lan_interface else 'all interfaces' }}"
|
||||||
|
|
||||||
# Configure SSH to only accept SSH Keys
|
# Configure SSH to only accept SSH Keys
|
||||||
common_ssh_configure: true
|
common_ssh_configure: true
|
||||||
|
|
|
@ -1,3 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: reboot system
|
||||||
|
ansible.builtin.reboot:
|
||||||
|
when: common_allow_restart
|
||||||
|
|
||||||
- name: restart ssh
|
- name: restart ssh
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: sshd
|
name: sshd
|
||||||
|
|
|
@ -6,18 +6,18 @@
|
||||||
update_cache: true
|
update_cache: true
|
||||||
upgrade: full
|
upgrade: full
|
||||||
when: common_full_upgrade
|
when: common_full_upgrade
|
||||||
|
notify: reboot system
|
||||||
|
|
||||||
- name: Install UFW Firewall
|
- name: Install UFW Firewall
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: ufw
|
name: ufw
|
||||||
# update_cache: true
|
|
||||||
state: present
|
state: present
|
||||||
when: common_firewall_enable
|
when: common_firewall_enable
|
||||||
|
|
||||||
- name: Enable UFW
|
- name: Enable UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
logging: 'on'
|
logging: "on"
|
||||||
when: common_firewall_enable
|
when: common_firewall_enable
|
||||||
|
|
||||||
- name: Disable UFW Firewall
|
- name: Disable UFW Firewall
|
||||||
|
@ -26,35 +26,27 @@
|
||||||
state: absent
|
state: absent
|
||||||
when: not common_firewall_enable
|
when: not common_firewall_enable
|
||||||
|
|
||||||
- name: Reject incoming connections by default
|
- name: Reject incoming connections on WAN interface by default
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
policy: reject
|
default: reject
|
||||||
comment: 'Reject all by default'
|
direction: incoming
|
||||||
when: common_firewall_reject and common_firewall_enable
|
interface: "{{ common_firewall_wan_interface }}"
|
||||||
|
when:
|
||||||
|
- common_firewall_reject
|
||||||
|
- common_firewall_enable
|
||||||
|
- common_firewall_wan_interface
|
||||||
|
|
||||||
- name: Allow SSH Connections
|
- name: Configure firewall rules
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
rule: limit
|
port: "{{ rule.port }}"
|
||||||
port: ssh
|
rule: "{{ rule.state | default('allow') }}"
|
||||||
proto: tcp
|
proto: "{{ rule.protocol | default('tcp') }}"
|
||||||
comment: 'Allow SSH'
|
interface: "{{ rule.interface if rule.interface != 'all' else omit }}"
|
||||||
when: common_firewall_ssh and common_firewall_enable
|
comment: "{{ rule.comment | default('Custom rule for port {{ rule.port }} on {{ rule.interface }}') }}"
|
||||||
|
loop: "{{ common_firewall | default([]) }}"
|
||||||
- name: Allow HTTPS Connections
|
loop_control:
|
||||||
community.general.ufw:
|
loop_var: rule
|
||||||
rule: allow
|
when: common_firewall_enable
|
||||||
port: https
|
|
||||||
proto: tcp
|
|
||||||
comment: 'Allow HTTPS'
|
|
||||||
when: common_firewall_https and common_firewall_enable
|
|
||||||
|
|
||||||
- name: Allow HTTP Connections
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: http
|
|
||||||
proto: tcp
|
|
||||||
comment: 'Allow HTTP'
|
|
||||||
when: common_firewall_http and common_firewall_enable
|
|
||||||
|
|
||||||
- name: Install sudo
|
- name: Install sudo
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
@ -69,7 +61,7 @@
|
||||||
line: "{{ ssh_config_entry.line }}"
|
line: "{{ ssh_config_entry.line }}"
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
|
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: ssh_config_entry
|
loop_var: ssh_config_entry
|
||||||
notify: restart ssh
|
notify: restart ssh
|
||||||
|
@ -88,18 +80,3 @@
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: root
|
name: root
|
||||||
password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
|
password_lock: "{{ 'no' if common_lock_root is defined and not common_lock_root else 'yes' }}"
|
||||||
|
|
||||||
# - name: Configure SSH to disallow root login
|
|
||||||
# ansible.builtin.lineinfile:
|
|
||||||
# path: /etc/ssh/sshd_config
|
|
||||||
# regexp: '^PermitRootLogin'
|
|
||||||
# line: 'PermitRootLogin no'
|
|
||||||
# state: present
|
|
||||||
# notify: restart ssh
|
|
||||||
# when: common_ssh_configure
|
|
||||||
|
|
||||||
# - name: Disable root shell
|
|
||||||
# ansible.builtin.user:
|
|
||||||
# name: root
|
|
||||||
# shell: /usr/sbin/nologin
|
|
||||||
# when: common_disable_root
|
|
||||||
|
|
Loading…
Reference in a new issue