diff --git a/minifirewall/README.md b/minifirewall/README.md
index 2d775a6c..ab0e6abf 100644
--- a/minifirewall/README.md
+++ b/minifirewall/README.md
@@ -1,6 +1,6 @@
 # minifirewall
 
-Install minifirewall a simple and versatile local firewall.
+Installation of minifirewall a simple and versatile local firewall.
 
 The firewall is not started by default, but an init script is installed.
 
@@ -16,4 +16,6 @@ Everything is in the `tasks/main.yml` file.
 * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
 * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
 
-Some IP/hosts must be configured or the server will be inaccessible via network.
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+**Some IP/hosts must be configured or the server will be inaccessible via network.**
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index e527a70d..2088e089 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -6,3 +6,12 @@ minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
 minifirewall_trusted_ips: []
 minifirewall_privilegied_ips: []
+
+minifirewall_protected_ports_tcp: [22]
+minifirewall_protected_ports_udp: []
+minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
+minifirewall_public_ports_udp: [53]
+minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
+minifirewall_semipublic_ports_udp: []
+minifirewall_private_ports_tcp: [5666]
+minifirewall_private_ports_udp: []
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
new file mode 100644
index 00000000..12d328bb
--- /dev/null
+++ b/minifirewall/tasks/config.yml
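Review bot: Port 22 is listed both in `minifirewall_protected_ports_tcp` and in `minifirewall_semipublic_ports_tcp`, so whether SSH ends up restricted to the privileged IPs or reachable by everyone depends on which of the generated SERVICESTCP1p/SERVICESTCP2 rules minifirewall evaluates first, and nothing in the role states which. If the overlap is deliberate (these look like a copy of the upstream sample config, but that is not stated anywhere), a comment should say so, e.g. `# 22 is also in the protected list: minifirewall's rule order decides which wins - confirm`; otherwise drop it from one of the two lists. The defaults also expose a broad set of plaintext services (FTP, POP3, IMAP, HTTP) semi-publicly, so a line such as `# Defaults mirror the upstream minifirewall.conf sample; override per host/group` would make clear they are a starting point rather than a hardened policy.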
@@ -0,0 +1,57 @@
+---
+
+- name: Begin marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
+    insertbefore: '^# Main interface'
+
+- name: End marker for IP addresses
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
+    insertafter: '^PRIVILEGIEDIPS='
+
+- name: Configure IP addresses
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
+    content: |
+      INT='{{ minifirewall_int }}'
+      IPV6='{{ minifirewall_ipv6 }}'
+      INTLAN='{{ minifirewall_intlan }}'
+      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
+      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
+
+
+- name: Begin marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertbefore: '^# Protected services'
+
+- name: End marker for ports
+  lineinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
+    insertafter: '^SERVICESUDP3='
+
+- name: Configure ports
+  blockinfile:
+    dest: /etc/default/minifirewall
+    create: no
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
+    content: |
+      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
+      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
+      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
+      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
+      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
+      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
+      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
+      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml
new file mode 100644
index 00000000..877fa022
--- /dev/null
+++ b/minifirewall/tasks/install.yml
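Review bot: Nothing in this file notifies a handler or restarts minifirewall, so after the two `blockinfile` tasks rewrite `/etc/default/minifirewall` a running firewall (if the init script has been started) keeps the IPs and ports it loaded earlier and silently diverges from the file until someone restarts it by hand; adding `notify:` to both `Configure ...` tasks, with a handler that restarts the service only when it is already running (the README says it is not started by default), would close that gap. The six tasks also hinge on the exact wording of the upstream sample (`^# Main interface`, `^PRIVILEGIEDIPS=`, `^# Protected services`, `^SERVICESUDP3=`); per the module documentation lineinfile falls back to end-of-file when the regexp does not match, so a header comment such as `# Marker regexps assume the layout of upstream minifirewall.conf; if they stop matching, the markers and the managed block are appended at EOF` would spare the next reader a debugging session. Minor: `create: no` is the YAML 1.1 boolean spelling, `create: false` is the portable one.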
@@ -0,0 +1,29 @@
+---
+
+- name: clone git repository
+  git:
+    repo: "{{ minifirewall_git_url}}"
+    dest: "{{ minifirewall_checkout_path }}"
+    clone: yes
+
+# WARN: these tasks copy the file if there are not already there
+# They don't update files.
+
+- name: is init script present?
+  stat:
+    path: /etc/init.d/minifirewall
+  register: init_minifirewall
+
+- name: init script is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
+  when: not init_minifirewall.stat.exists
+
+
+- name: is configuration present?
+  stat:
+    path: /etc/default/minifirewall
+  register: default_minifirewall
+
+- name: configuration is copied
+  command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
+  when: not default_minifirewall.stat.exists
diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml
index a5ce72a9..7eca382e 100644
--- a/minifirewall/tasks/main.yml
+++ b/minifirewall/tasks/main.yml
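Review bot: The `git` task has no `version:`, so every run checks out whatever the remote default branch currently points at, and the script that lands in `/etc/init.d/minifirewall` - executed as root by the init system - is whatever that branch held at install time rather than a reviewed revision; pin it to a tag or commit through a role variable, `version: "{{ minifirewall_git_version }}"`, with a default declared next to `minifirewall_git_url` in `defaults/main.yml`. Note too that the git module updates an existing checkout by default, so the checkout keeps tracking upstream while the WARN comment says the installed files never change: the two drift apart, and fixes to the init script are never installed. The two `command: cp` tasks would be more robust as `copy` with `remote_src` (if the Ansible version the role targets supports it), which lets the role set the file mode explicitly instead of inheriting the checkout's mode through the umask, and reports changes idempotently.

```yaml
- name: clone git repository
  git:
    repo: "{{ minifirewall_git_url }}"
    dest: "{{ minifirewall_checkout_path }}"
    version: "{{ minifirewall_git_version }}"
    clone: yes

# … unchanged: WARN comment and stat of /etc/init.d/minifirewall …

- name: init script is copied
  copy:
    src: "{{ minifirewall_checkout_path }}/minifirewall"
    dest: /etc/init.d/minifirewall
    remote_src: yes
    mode: "0755"
  when: not init_minifirewall.stat.exists

# … unchanged: stat of /etc/default/minifirewall; the configuration copy gets the same treatment with mode "0644" …
```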
@@ -1,42 +1,5 @@
 ---
 
-- name: clone git repository
-  git:
-    repo: "{{ minifirewall_git_url}}"
-    dest: "{{ minifirewall_checkout_path }}"
-    clone: yes
+- include: install.yml
 
-# WARN: these tasks copy the file if there are not already there
-# They don't update files.
-
-- name: is init script present?
-  stat:
-    path: /etc/init.d/minifirewall
-  register: init_minifirewall
-
-- name: init script is copied
-  command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall"
-  when: not init_minifirewall.stat.exists
-
-
-- name: is configuration present?
-  stat:
-    path: /etc/default/minifirewall
-  register: default_minifirewall
-
-- block:
-  - name: configuration is copied
-    command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall"
-
-  - name: configuraion is customized
-    replace:
-      dest: /etc/default/minifirewall
-      regexp: '{{ item.regexp }}'
-      replace: '{{ item.replace }}'
-    with_items:
-      - { regexp: "^(INT)='.*'", replace: "\\1='{{ minifirewall_int }}'" }
-      - { regexp: "^(INTLAN)='.*'", replace: "\\1='{{ minifirewall_intlan }}'" }
-      - { regexp: "^(IPV6)='.*'", replace: "\\1='{{ minifirewall_ipv6 }}'" }
-      - { regexp: "^(TRUSTEDIPS)='.*'", replace: "\\1='{{ minifirewall_trusted_ips | join(' ') }}'" }
-      - { regexp: "^(PRIVILEGIEDIPS)='.*'", replace: "\\1='{{ minifirewall_privilegied_ips | join(' ') }}'" }
-  when: not default_minifirewall.stat.exists
+- include: config.yml
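Review bot: With the customization moved into `config.yml` and included unconditionally, the IP and port variables are now enforced on every run instead of only when `/etc/default/minifirewall` is first created (the old `when: not default_minifirewall.stat.exists` guard around the `replace` loop is gone), which is the right direction but means manual edits inside the managed blocks get overwritten, and the README should say so. The README sentence "Everything is in the tasks/main.yml file." (visible as context in the README hunk) is now wrong; suggested replacement: "Tasks are split into tasks/install.yml (git checkout and first-time copy of the init script and config) and tasks/config.yml (IP and port settings, re-applied on every run)." Also, `include:` is the pre-2.4 form; if the role targets a newer Ansible, `import_tasks:` is the static equivalent, but the supported version is not stated anywhere in the role.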