initial upload
122
roles/firewall/tasks/main.yml
Normal file
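--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,122 @@
+---
+
+- name: Ensure iptables packages are installed
+  apt:
+    pkg:
+      - iptables
+      - ipset
+      - conntrack
+      - ipv6calc # Required by update-firewall-outbound
+    state: present
+  when: firewall_run is not defined
+  tags: packages
+
+- name: Install the firewall init.d script
+  template:
+    dest: /etc/init.d/firewall
+    src: etc_init.d_firewall.j2
+    mode: 0755
+    owner: root
+    group: root
+  when: firewall_run is not defined and firewall_enabled
+  tags:
+    - configs
+    - firewall
+
+- name: Enable the firewall init.d script
+  service:
+    name: firewall
+    enabled: yes
+  when: firewall_run is not defined and firewall_enabled
+  tags:
+    - configs
+    - firewall
+
+- name: Ensure the rules directories exist
+  file:
+    path: "/etc/firewall/{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+  with_items:
+    - rules-v4.d
+    - rules-v6.d
+  when: firewall_run is not defined
+  tags:
+    - configs
+    - firewall
+
+- name: Install the firewall configs
+  template: dest=/etc/firewall/{{ item }} src={{ item }}.j2 mode=0600
+  with_items:
+    - rules-v4.d/10_conntrack.sh
+    - rules-v4.d/15_local.sh
+    - rules-v4.d/17_monitoring.sh
+    - rules-v4.d/18_internal.sh
+    - rules-v4.d/20_whitelist.sh
+    - rules-v4.d/22_ssh.sh
+    - rules-v4.d/24_influxdb.sh
+    - rules-v4.d/33_mariadb.sh
+    - rules-v4.d/85_whitelist.sh
+    - rules-v4.d/90_allow_outbound.sh
+    - rules-v4.d/90_drop_all.sh
+    - rules-v4.d/95_fail2ban.sh
+
+    - rules-v6.d/10_conntrack.sh
+    - rules-v6.d/15_local.sh
+    - rules-v6.d/18_internal.sh
+    - rules-v6.d/20_whitelist.sh
+    - rules-v4.d/24_influxdb.sh
+    - rules-v4.d/33_mariadb.sh
+    - rules-v4.d/85_whitelist.sh
+    - rules-v6.d/90_allow_outbound.sh
+    - rules-v6.d/90_drop_all.sh
+  when: firewall_run is not defined and firewall_enabled and firewall_standard_rules
+  notify: Restart firewall
+  tags:
+    - configs
+    - firewall
+
+- name: Install the extra firewall configs
+  template: dest=/etc/firewall/{{ item }} src={{ item }}.j2 mode=0600
+  with_items:
+    - rules-v4.d/50_custom.sh
+    - rules-v6.d/50_custom.sh
+  when: firewall_run is not defined and firewall_enabled and (firewall_custom_ipv4_rules or firewall_custom_ipv6_rules)
+  notify: Restart firewall
+  tags:
+    - configs
+    - firewall
+
+- name: Install the firewall outbound ACLs
+  template: dest=/etc/firewall/outbound_whitelist.acl src=etc_firewall_outbound_whitelist.acl.j2 mode=0600
+  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
+  notify: Restart firewall
+  tags:
+    - configs
+    - firewall
+    - whitelists
+
+- name: Remove obsolete configs
+  file: dest=/etc/firewall/{{ item }} state=absent
+  with_items:
+    - rules-v4.d/19_monitoring.sh
+  when: firewall_run is not defined and firewall_enabled
+  notify: Restart firewall
+  tags:
+    - configs
+    - firewall
+
+- name: Install the firewall outbound update script
+  template: dest=/usr/sbin/update-firewall-outbound src=usr_sbin_update-firewall-outbound.j2 mode=0700
+  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
+  notify: Restart firewall
+  tags:
+    - firewall
+    - scripts
+    - whitelists
+
+- set_fact:
+    firewall_run: true
+  when: firewall_run is not defined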
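Review bot: The IPv6 group of the "Install the firewall configs" list re-installs three IPv4 scripts instead of their v6 counterparts — the `rules-v4.d/24_influxdb.sh`, `rules-v4.d/33_mariadb.sh` and `rules-v4.d/85_whitelist.sh` entries sitting between `rules-v6.d/20_whitelist.sh` and `rules-v6.d/90_allow_outbound.sh` duplicate items already in the v4 group, so no InfluxDB, MariaDB or 85_whitelist rules are ever written to rules-v6.d even though `rules-v6.d/90_drop_all.sh` is. If `rules-v6.d/24_influxdb.sh.j2`, `rules-v6.d/33_mariadb.sh.j2` and `rules-v6.d/85_whitelist.sh.j2` exist in the role's templates, change those three entries to `- rules-v6.d/24_influxdb.sh`, `- rules-v6.d/33_mariadb.sh` and `- rules-v6.d/85_whitelist.sh`; if they do not, drop the duplicates and add a comment stating that those services are deliberately IPv4-only. Whether the omission blocks or exposes IPv6 traffic to those services depends on the rule templates, which are outside this hunk. Two smaller points: `mode: 0755` and `mode: 0700` are unquoted YAML octals, which Ansible accepts in the leading-zero form but documents as fragile, so prefer the string form `mode: "0755"` / `mode: "0700"`; and the "Install the firewall init.d script" task has no `notify: Restart firewall`, so a changed init script is never picked up until the next reboot or manual restart.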
|
||||