sebastian/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial upload

Browse Source
This commit is contained in:
sebastian
2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
roles/firewall/templates/usr_sbin_update-firewall-outbound.j2 Normal file
View File

@@ -0,0 +1,75 @@
#!/bin/bash
# Update /etc/firewall/outbound_whitelist_ipv*.acl from /etc/firewall/outbound_whitelist.acl
resolve_hosts() {
local type="$1" out="$2"
local tmp=$(mktemp "$out.XXXXXX")
(
echo "# AUTO-GENERATED FROM outbound_whitelist.acl"
while read domain; do
case $domain in
"#"* | "") ;;
*)
(host -t "$type" "$domain" 2>&1 || true) | sort -n | while read line; do
case $line in
*"not found"*)
echo "$line" >&2
;;
*"has address"*)
ip="${line##* }"
case $ip in
13.108.*) ip="13.108.0.0/14" ;;
*) ip="${ip%.*}.0/24" ;;
esac
echo "$ip $domain"
;;
*"has IPv6 address"*)
ip="${line##* }"
case $ip in
2607:f8b0:*) ip="2607:f8b0::/32" ;;
*) ip=$(ipv6calc --addr_to_uncompressed "$ip" | cut -d: -f1-4)::/64 ;;
esac
echo "$ip $domain"
;;
esac
done
;;
esac
done < /etc/firewall/outbound_whitelist.acl | sort -n -u
) > "$tmp"
if [ $? -ne 0 ]; then
echo "Error writing to $out" >&2
rm -f "$tmp"
elif cmp -s "$tmp" "$out"; then
rm -f "$tmp"
else
echo "--- Differences in $(basename $out): ---"
echo
diff -u "$out" "$tmp" | grep -v '^\(+++\|---\)' | grep '^[+-]'
echo
mv -f "$tmp" "$out"
fi
}
load_ipset() {
local name="$1" family="$2" file="$3"
local tmp="$name-$$"
ipset -exist create "$name" hash:net family "$family" counters comment
ipset create "$tmp" hash:net family "$family" counters comment
grep -v '^#' "$file" | while read ip name; do
ipset -exist add "$tmp" "$ip" comment "$name"
done
ipset swap "$name" "$tmp"
ipset destroy "$tmp"
}
resolve_hosts A /etc/firewall/outbound_whitelist_ipv4.acl
resolve_hosts AAAA /etc/firewall/outbound_whitelist_ipv6.acl
load_ipset outbound-whitelist inet /etc/firewall/outbound_whitelist_ipv4.acl
load_ipset outbound-whitelist-ipv6 inet6 /etc/firewall/outbound_whitelist_ipv6.acl