---
# Firewall role tasks. Every task is guarded by `firewall_run is not defined`
# and the last task sets that fact, so the tasks run once per host even when
# the role is included more than once in a play.

- name: Ensure iptables packages are installed
  apt:
    name:
      - iptables
      - ipset
      - conntrack
      - ipv6calc  # Required by update-firewall-outbound
    state: present
  when: firewall_run is not defined
  tags:
    - packages

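- name: Install the firewall init.d script
  template:
    src: etc_init.d_firewall.j2
    dest: /etc/init.d/firewall
    owner: root
    group: root
    # Quoted so the mode reads as the octal string 0755 on YAML 1.1 and 1.2
    # parsers alike; an unquoted 0755 is only right by the YAML 1.1 octal rule.
    mode: "0755"
  when: firewall_run is not defined and firewall_enabled
  # NOTE(review): unlike the rules/ACL tasks below, a changed init script does
  # not notify "Restart firewall", so a new script is only picked up on the
  # next restart -- confirm whether that is intended.
  tags:
    - configs
    - firewall
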
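- name: Enable the firewall init.d script
  service:
    name: firewall
    # Canonical boolean; `yes` is a YAML 1.1-only spelling. This task only
    # enables the service at boot -- no `state` is set, so (re)starting is
    # left to the "Restart firewall" handler the config tasks notify.
    enabled: true
  when: firewall_run is not defined and firewall_enabled
  tags:
    - configs
    - firewall
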
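- name: Ensure the rules directories exist
  file:
    path: "/etc/firewall/{{ item }}"
    state: directory
    owner: root
    group: root
    # Root-only: nothing other than root needs to read or list the rule
    # scripts installed below. Quoted so the octal mode survives a YAML 1.2
    # parser.
    mode: "0700"
  with_items:
    - rules-v4.d
    - rules-v6.d
  when: firewall_run is not defined
  tags:
    - configs
    - firewall
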
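- name: Install the firewall configs
  template:
    src: "{{ item }}.j2"
    dest: "/etc/firewall/{{ item }}"
    owner: root
    group: root
    mode: "0600"
  # The init script presumably applies these in lexical order; note that
  # 90_allow_outbound sorts before 90_drop_all only because "a" < "d" --
  # renumber rather than rely on that when adding a rule at that level.
  with_items:
    - rules-v4.d/10_conntrack.sh
    - rules-v4.d/15_local.sh
    - rules-v4.d/17_monitoring.sh
    - rules-v4.d/18_internal.sh
    - rules-v4.d/20_whitelist.sh
    - rules-v4.d/22_ssh.sh
    - rules-v4.d/24_influxdb.sh
    - rules-v4.d/33_mariadb.sh
    - rules-v4.d/85_whitelist.sh
    - rules-v4.d/90_allow_outbound.sh
    - rules-v4.d/90_drop_all.sh
    - rules-v4.d/95_fail2ban.sh

    - rules-v6.d/10_conntrack.sh
    - rules-v6.d/15_local.sh
    - rules-v6.d/18_internal.sh
    - rules-v6.d/20_whitelist.sh
    # NOTE(review): there are no v6 counterparts of 24_influxdb, 33_mariadb
    # and 85_whitelist here (the previous revision listed the rules-v4.d
    # files a second time in this position, which installs nothing new).
    # Confirm whether rules-v6.d templates exist for them; until they do,
    # IPv6 traffic to those services presumably ends at 90_drop_all.
    - rules-v6.d/90_allow_outbound.sh
    - rules-v6.d/90_drop_all.sh
  # NOTE(review): 90_drop_all.sh belongs to this standard set. With
  # firewall_standard_rules false, only the 50_custom.sh files are installed,
  # so there is no final drop rule unless the custom rules supply one.
  when: firewall_run is not defined and firewall_enabled and firewall_standard_rules
  notify: Restart firewall
  tags:
    - configs
    - firewall
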
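- name: Install the extra firewall configs
  template:
    src: "{{ item }}.j2"
    dest: "/etc/firewall/{{ item }}"
    owner: root
    group: root
    mode: "0600"
  with_items:
    - rules-v4.d/50_custom.sh
    - rules-v6.d/50_custom.sh
  # Both files are installed as soon as either custom rule set is defined;
  # the templates are assumed to render harmlessly for the undefined one --
  # confirm.
  when: firewall_run is not defined and firewall_enabled and (firewall_custom_ipv4_rules or firewall_custom_ipv6_rules)
  notify: Restart firewall
  tags:
    - configs
    - firewall
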
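- name: Install the firewall outbound ACLs
  template:
    src: etc_firewall_outbound_whitelist.acl.j2
    dest: /etc/firewall/outbound_whitelist.acl
    owner: root
    group: root
    mode: "0600"
  # NOTE(review): if firewall_output_whitelist_domains is later emptied this
  # task is skipped rather than removing the file, so a stale outbound
  # whitelist stays on the host -- consider a state=absent counterpart like
  # the "Remove obsolete configs" task.
  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
  notify: Restart firewall
  tags:
    - configs
    - firewall
    - whitelists
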
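- name: Remove obsolete configs
  file:
    path: "/etc/firewall/{{ item }}"
    state: absent
  with_items:
    # Presumably superseded by rules-v4.d/17_monitoring.sh above.
    - rules-v4.d/19_monitoring.sh
  when: firewall_run is not defined and firewall_enabled
  notify: Restart firewall
  tags:
    - configs
    - firewall
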
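- name: Install the firewall outbound update script
  template:
    src: usr_sbin_update-firewall-outbound.j2
    dest: /usr/sbin/update-firewall-outbound
    owner: root
    group: root
    # Root-only and executable; needs ipv6calc (see the packages task).
    mode: "0700"
  # NOTE(review): if the template interpolates firewall_output_whitelist_domains
  # into shell, make sure each entry is quoted there -- a domain value with
  # shell metacharacters would otherwise become root-executed code.
  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
  notify: Restart firewall
  tags:
    - firewall
    - scripts
    - whitelists
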
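# Named so it shows up in play output; marks the role as applied on this host
# so every task above is skipped on a second inclusion of the role.
- name: Mark the firewall role as applied for this host
  set_fact:
    firewall_run: true
  when: firewall_run is not defined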