---
# Show the resolved IP lists when running with at least one -v; no effect on
# the host
- debug:
    var: minifirewall_trusted_ips
    verbosity: 1

- debug:
    var: minifirewall_privilegied_ips
    verbosity: 1
# Snapshot the config file before any edit; its checksum is compared with the
# "after" snapshot to decide whether a restart is warranted
- name: Stat minifirewall config file (before)
  stat:
    path: "/etc/default/minifirewall"
  register: minifirewall_before
# Probe whether a rule set is loaded by grepping iptables output for the
# any-to-any "DROP udp" / "ACCEPT icmp" rules. Only grep's exit status is used
# (the restart task tests rc == 0), so the command is never reported as changed
# or failed on its own.
- name: Check if minifirewall is running
  shell:
    cmd: '/sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"'
  changed_when: false
  failed_when: false
  # Read-only probe: run it under --check too, so the restart condition has data
  check_mode: false
  register: minifirewall_is_running
# Dump the probe result (rc/stdout) at verbosity >= 1
- debug:
    var: minifirewall_is_running
    verbosity: 1
# Seed the BEGIN marker for the IP block, just before the "# Main interface"
# comment that the managed block later re-emits. create: false — the config
# must already exist (presumably installed by an earlier task); an empty
# firewall config is never manufactured here.
- name: Begin marker for IP addresses
  lineinfile:
    path: "/etc/default/minifirewall"
    create: false
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
    insertbefore: '^# Main interface'
# Seed the END marker for the IP block, right after the PRIVILEGIEDIPS=
# assignment (the last line the managed block writes)
- name: End marker for IP addresses
  lineinfile:
    path: "/etc/default/minifirewall"
    create: false
    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
    insertafter: '^PRIVILEGIEDIPS='
# Fail early rather than write an empty TRUSTEDIPS= into the config
- name: Verify that at least 1 trusted IP is provided
  assert:
    that: minifirewall_trusted_ips | length > 0
    msg: 'You must provide at least 1 trusted IP'
# A catch-all entry in the trusted list makes the firewall useless on that
# address family (as the messages say). This only warns — the play continues —
# so treat the message as a finding when reviewing a host.
- debug:
    msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!"
  when: "'0.0.0.0/0' in minifirewall_trusted_ips"

- debug:
    msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!"
  when: "'::/0' in minifirewall_trusted_ips"
# Rewrite everything between the IPS markers. The content is a shell-style
# fragment (single-quoted VAR='...' assignments); list variables are joined
# with spaces. DOCKER is pinned to 'off' here rather than driven by a variable.
- name: Configure IP addresses
  blockinfile:
    path: "/etc/default/minifirewall"
    create: false
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
    block: |
      # Main interface
      INT='{{ minifirewall_int }}'
      # IPv6
      IPV6='{{ minifirewall_ipv6 }}'
      # Docker Mode
      # Changes the behaviour of minifirewall to not break the containers' network
      # For instance, turning it on will disable nat table purge
      # Also, we'll add the DOCKER-USER chain, in iptables
      #
      # WARNING : If the port mapping is different between the host and the container
      # (ie: Listen on :8090 on host, but :8080 in container)
      # then you need to give the port used inside the container
      DOCKER='off'
      # Trusted IPv4 local network
      # ...will be often IP/32 if you don't trust anything
      INTLAN='{{ minifirewall_intlan }}'
      # Trusted IPv4 addresses for private and semi-public services
      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
      # Privilegied IPv4 addresses for semi-public services
      # (no need to add again TRUSTEDIPS)
      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
  register: minifirewall_config_ips
# Seed the BEGIN marker for the ports block, just before the
# "# Protected services" comment that the managed block re-emits
- name: Begin marker for ports
  lineinfile:
    path: "/etc/default/minifirewall"
    create: false
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
    insertbefore: '^# Protected services'
# Seed the END marker for the ports block, right after the SERVICESUDP3=
# assignment (the last line the managed block writes)
- name: End marker for ports
  lineinfile:
    path: "/etc/default/minifirewall"
    create: false
    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
    insertafter: '^SERVICESUDP3='
# Rewrite everything between the PORTS markers: one TCP and one UDP list per
# exposure level (protected / public / semi-public / private), each joined with
# spaces into a single-quoted shell assignment.
- name: Configure ports
  blockinfile:
    path: "/etc/default/minifirewall"
    create: false
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
    block: |
      # Protected services
      # (add also in Public services if needed)
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
      # Public services (IPv4/IPv6)
      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
      # Semi-public services (IPv4)
      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
      # Private services (IPv4)
      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
  register: minifirewall_config_ports
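# Each task replaces the last line matching its regexp (or appends the line if
# nothing matches). The regexp is anchored at the start of the line so that
# only the real column-0 VAR=... assignment is rewritten: an unanchored pattern
# could instead pick a commented-out or otherwise embedded occurrence and leave
# the live value (e.g. a permissive SSHOK) untouched.
# A variable set to None (presumably the role default) skips its task and keeps
# whatever the file already contains.
- name: Configure DNSSERVEURS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
    regexp: "^DNSSERVEURS=('|\").*('|\")"
    create: false
  when: minifirewall_dns_servers is not none

- name: Configure HTTPSITES
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
    regexp: "^HTTPSITES=('|\").*('|\")"
    create: false
  when: minifirewall_http_sites is not none

- name: Configure HTTPSSITES
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
    regexp: "^HTTPSSITES=('|\").*('|\")"
    create: false
  when: minifirewall_https_sites is not none

- name: Configure FTPSITES
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
    regexp: "^FTPSITES=('|\").*('|\")"
    create: false
  when: minifirewall_ftp_sites is not none

- name: Configure SSHOK
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
    regexp: "^SSHOK=('|\").*('|\")"
    create: false
  when: minifirewall_ssh_ok is not none

- name: Configure SMTPOK
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
    regexp: "^SMTPOK=('|\").*('|\")"
    create: false
  when: minifirewall_smtp_ok is not none

- name: Configure SMTPSECUREOK
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
    regexp: "^SMTPSECUREOK=('|\").*('|\")"
    create: false
  when: minifirewall_smtp_secure_ok is not none

- name: Configure NTPOK
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
    regexp: "^NTPOK=('|\").*('|\")"
    create: false
  when: minifirewall_ntp_ok is not none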
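# Same pattern as the other single-line settings: replace the last matching
# line or append it. Regexps are anchored at the start of the line so that only
# the real column-0 assignment is rewritten, never a commented-out or embedded
# occurrence. A variable set to None skips its task.
- name: Configure PROXY
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "PROXY='{{ minifirewall_proxy }}'"
    regexp: "^PROXY=('|\").*('|\")"
    create: false
  when: minifirewall_proxy is not none

- name: Configure PROXYPORT
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "PROXYPORT='{{ minifirewall_proxyport }}'"
    regexp: "^PROXYPORT=('|\").*('|\")"
    create: false
  when: minifirewall_proxyport is not none

# Warning: keep double quotes for the value,
# since we often reference a shell variable that needs to be interpolated
- name: Configure PROXYBYPASS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
    regexp: "^PROXYBYPASS=('|\").*('|\")"
    create: false
  when: minifirewall_proxybypass is not none

- name: Configure BACKUPSERVERS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
    regexp: "^BACKUPSERVERS=('|\").*('|\")"
    create: false
  when: minifirewall_backupservers is not none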
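# Kernel hardening knobs that minifirewall applies from its config. Each task
# replaces the last matching line or appends it; the regexp is anchored at the
# start of the line so only the real column-0 assignment is rewritten (an
# unanchored match could hit a commented-out occurrence and silently leave the
# effective value unchanged). A variable set to None skips its task.
- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
    regexp: "^SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none

- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
    regexp: "^SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none

- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
    regexp: "^SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_accept_source_route is not none

- name: Configure SYSCTL_TCP_SYNCOOKIES
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
    regexp: "^SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_tcp_syncookies is not none

- name: Configure SYSCTL_ICMP_REDIRECTS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
    regexp: "^SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_icmp_redirects is not none

- name: Configure SYSCTL_RP_FILTER
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
    regexp: "^SYSCTL_RP_FILTER=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_rp_filter is not none

- name: Configure SYSCTL_LOG_MARTIANS
  lineinfile:
    path: "/etc/default/minifirewall"
    line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
    regexp: "^SYSCTL_LOG_MARTIANS=('|\").*('|\")"
    create: false
  when: minifirewall_sysctl_log_martians is not none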
# Snapshot the config file after all edits; its checksum is compared with the
# "before" snapshot by the restart task
- name: Stat minifirewall config file (after)
  stat:
    path: "/etc/default/minifirewall"
  register: minifirewall_after
# Restart only when all of the following hold: restarts are allowed
# (minifirewall_restart_if_needed), a rule set was loaded when the play started
# (rc 0 from the grep probe — never start a firewall that was deliberately
# stopped), and something actually changed: the config checksum moved, or the
# upgrade tasks registered outside this file reported a change.
# NOTE(review): stat.checksum is only present when the file exists — the
# create: false tasks above presume it does; confirm the upgrade tasks install it.
# Success is judged on the init script's stdout marker, not its exit status.
- name: restart minifirewall
  command: /etc/init.d/minifirewall restart
  register: minifirewall_init_restart
  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
  when:
    - minifirewall_restart_if_needed | bool
    - minifirewall_is_running.rc == 0
    - >-
      minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
      or minifirewall_upgrade_script is changed
      or minifirewall_upgrade_config is changed
# Dump the restart command's result (rc/stdout/stderr) at verbosity >= 2
- debug:
    var: minifirewall_init_restart
    verbosity: 2