ff9e1e80aa
All checks were successful
continuous-integration/drone/push Build is passing
The default OS websites would override all the default http sites. I removed those default http sites from the file and put them in the minifirewall_http_sites list. Since this would override the list anyway, it doesnt change much, except that someone who doesnt want to use the OS default websites should also override the related variables (minifirewall_default_*_http_sites) fixes #65
230 lines
7 KiB
YAML
230 lines
7 KiB
YAML
---
|
|
|
|
- debug:
|
|
var: minifirewall_trusted_ips
|
|
verbosity: 1
|
|
- debug:
|
|
var: minifirewall_privilegied_ips
|
|
verbosity: 1
|
|
|
|
- name: Stat minifirewall config file (before)
|
|
stat:
|
|
path: "{{ minifirewall_main_file }}"
|
|
register: minifirewall_before
|
|
|
|
- name: Check if minifirewall is running
|
|
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
register: minifirewall_is_running
|
|
|
|
- debug:
|
|
var: minifirewall_is_running
|
|
verbosity: 1
|
|
|
|
- name: Begin marker for IP addresses
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
|
insertbefore: '^# Main interface'
|
|
create: no
|
|
|
|
- name: End marker for IP addresses
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
create: no
|
|
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
|
insertafter: '^PRIVILEGIEDIPS='
|
|
|
|
- fail:
|
|
msg: You must provide at least 1 trusted IP
|
|
when: minifirewall_trusted_ips == []
|
|
- debug:
|
|
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
|
|
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
|
|
|
|
- name: Configure IP addresses
|
|
blockinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
|
content: |
|
|
# Main interface
|
|
INT='{{ minifirewall_int }}'
|
|
|
|
# IPv6
|
|
IPV6='{{ minifirewall_ipv6 }}'
|
|
|
|
# Trusted IPv4 local network
|
|
# ...will be often IP/32 if you don't trust anything
|
|
INTLAN='{{ minifirewall_intlan }}'
|
|
|
|
# Trusted IPv4 addresses for private and semi-public services
|
|
TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
|
|
|
|
# Privilegied IPv4 addresses for semi-public services
|
|
# (no need to add again TRUSTEDIPS)
|
|
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
|
|
create: no
|
|
register: minifirewall_config_ips
|
|
|
|
- name: Begin marker for ports
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
insertbefore: '^# Protected services'
|
|
create: no
|
|
|
|
- name: End marker for ports
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
insertafter: '^SERVICESUDP3='
|
|
create: no
|
|
|
|
- name: Configure ports
|
|
blockinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
|
content: |
|
|
# Protected services
|
|
# (add also in Public services if needed)
|
|
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
|
|
SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
|
|
|
|
# Public services (IPv4/IPv6)
|
|
SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
|
|
SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
|
|
|
|
# Semi-public services (IPv4)
|
|
SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
|
|
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
|
|
|
|
# Private services (IPv4)
|
|
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
|
|
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
|
create: no
|
|
register: minifirewall_config_ports
|
|
|
|
- name: Configure DNSSERVEURS
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
|
regexp: "DNSSERVEURS='.*'"
|
|
create: no
|
|
when: minifirewall_dns_servers is not none
|
|
|
|
- name: Configure HTTPSITES
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
|
regexp: "HTTPSITES='.*'"
|
|
create: no
|
|
|
|
- name: Configure HTTPSITES for debian
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'"
|
|
regexp: "HTTPSITES='.*'"
|
|
create: no
|
|
when: ansible_distribution == "Debian"
|
|
|
|
- name: Configure HTTPSITES for ubuntu
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'"
|
|
regexp: "HTTPSITES='.*'"
|
|
create: no
|
|
when: ansible_distribution == "Ubuntu"
|
|
|
|
- name: Configure HTTPSSITES
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
|
regexp: "HTTPSSITES='.*'"
|
|
create: no
|
|
when: minifirewall_https_sites is not none
|
|
|
|
- name: Configure FTPSITES
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
|
regexp: "FTPSITES='.*'"
|
|
create: no
|
|
when: minifirewall_ftp_sites is not none
|
|
|
|
- name: Configure SSHOK
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
|
regexp: "SSHOK='.*'"
|
|
create: no
|
|
when: minifirewall_ssh_ok is not none
|
|
|
|
- name: Configure SMTPOK
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
|
regexp: "SMTPOK='.*'"
|
|
create: no
|
|
when: minifirewall_smtp_ok is not none
|
|
|
|
- name: Configure SMTPSECUREOK
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
|
regexp: "SMTPSECUREOK='.*'"
|
|
create: no
|
|
when: minifirewall_smtp_secure_ok is not none
|
|
|
|
- name: Configure NTPOK
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
|
regexp: "NTPOK='.*'"
|
|
create: no
|
|
when: minifirewall_ntp_ok is not none
|
|
|
|
- name: evomaintenance
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
insertafter: "^# EvoMaintenance"
|
|
with_items: "{{ evomaintenance_hosts }}"
|
|
|
|
- name: remove minifirewall example rule for the evomaintenance
|
|
lineinfile:
|
|
dest: "{{ minifirewall_main_file }}"
|
|
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
|
state: absent
|
|
when: evomaintenance_hosts != []
|
|
|
|
- name: Stat minifirewall config file (after)
|
|
stat:
|
|
path: "{{ minifirewall_main_file }}"
|
|
register: minifirewall_after
|
|
|
|
- name: restart minifirewall
|
|
# service:
|
|
# name: minifirewall
|
|
# state: restarted
|
|
command: /etc/init.d/minifirewall restart
|
|
register: minifirewall_init_restart
|
|
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
|
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
|
when:
|
|
- minifirewall_restart_if_needed
|
|
- minifirewall_is_running.rc == 0
|
|
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
|
|
|
|
- name: restart minifirewall (noop)
|
|
meta: noop
|
|
register: minifirewall_init_restart
|
|
failed_when: False
|
|
changed_when: False
|
|
when: not minifirewall_restart_if_needed
|
|
|
|
- debug:
|
|
var: minifirewall_init_restart
|
|
verbosity: 2
|