---
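- name: Check if minifirewall is running
  # Probe the loaded ruleset for a catch-all "DROP udp" or "ACCEPT icmp"
  # rule (source and destination 0.0.0.0/0). rc == 0 means such a rule is
  # present; the restart task at the end of this file keys on that.
  # NOTE(review): assumes these two rules are only ever installed by
  # minifirewall — confirm against the role's firewall script.
  shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
  # Read-only probe: never reports a change and never fails the play.
  # With failed_when disabled, an iptables error (e.g. insufficient
  # privileges) is indistinguishable from "not running": grep sees no
  # input, returns 1, and the restart is silently skipped.
  changed_when: false
  failed_when: false
  #check_mode: no (for migration to Ansible 2.2)
  # Run even under --check so the registered result exists. Declared once:
  # the key used to appear twice in this task, and YAML parsers silently
  # keep only the last duplicate.
  always_run: true
  register: minifirewall_is_running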
- name: Begin marker for IP addresses
  # Seed the opening marker of the IPS block just before the
  # "# Main interface" section, so the blockinfile task that follows
  # replaces it in place (presumably to keep the block out of the file's
  # tail, where blockinfile would otherwise append it). The config file
  # must already exist; it is never created here.
  lineinfile:
    dest: /etc/default/minifirewall
    create: false
    insertbefore: '^# Main interface'
    line: '# BEGIN ANSIBLE MANAGED BLOCK FOR IPS'
- name: End marker for IP addresses
  # Seed the closing marker of the IPS block right after the
  # PRIVILEGIEDIPS= assignment, the last variable the block rewrites.
  # Paired with the BEGIN marker task above; the file must already exist.
  lineinfile:
    dest: /etc/default/minifirewall
    create: false
    insertafter: '^PRIVILEGIEDIPS='
    line: '# END ANSIBLE MANAGED BLOCK FOR IPS'
- name: Configure IP addresses
  # Rewrite the managed IPS block of the minifirewall config from role
  # variables. The marker must match the two lineinfile marker tasks above
  # so the block lands between the seeded markers instead of being added
  # a second time. The result is registered for the conditional restart.
  # Values are emitted as single-quoted shell-style assignments: a quote
  # character inside any of these variables would break the file —
  # assumed not to occur for interface names and addresses; verify at
  # the inventory level.
  blockinfile:
    dest: /etc/default/minifirewall
    create: false
    marker: '# {mark} ANSIBLE MANAGED BLOCK FOR IPS'
    content: |
      INT='{{ minifirewall_int }}'
      IPV6='{{ minifirewall_ipv6 }}'
      INTLAN='{{ minifirewall_intlan }}'
      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'
      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
  register: minifirewall_config_ips
- name: Begin marker for ports
  # Seed the opening marker of the PORTS block just before the
  # "# Protected services" section; the blockinfile task below then
  # replaces the marked region in place. The file must already exist.
  lineinfile:
    dest: /etc/default/minifirewall
    create: false
    insertbefore: '^# Protected services'
    line: '# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS'
- name: End marker for ports
  # Seed the closing marker of the PORTS block right after the
  # SERVICESUDP3= assignment, the last variable the block rewrites.
  # Paired with the BEGIN marker task above; the file must already exist.
  lineinfile:
    dest: /etc/default/minifirewall
    create: false
    insertafter: '^SERVICESUDP3='
    line: '# END ANSIBLE MANAGED BLOCK FOR PORTS'
- name: Configure ports
  # Rewrite the managed PORTS block of the minifirewall config from role
  # variables, one space-separated port list per exposure level
  # (protected "1p", public "1", semi-public "2", private "3"; TCP and UDP
  # each). The marker must match the marker tasks above; the result is
  # registered for the conditional restart at the end of the file.
  # Port lists are emitted inside single quotes — a quote character in a
  # port variable would break the shell-style file; assumed not to occur.
  blockinfile:
    dest: /etc/default/minifirewall
    create: false
    marker: '# {mark} ANSIBLE MANAGED BLOCK FOR PORTS'
    content: |
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'
      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'
      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'
      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
  register: minifirewall_config_ports
- name: restart minifirewall
  # Restart only when the firewall is currently loaded (rc == 0 from the
  # iptables probe at the top of this file) AND at least one of the two
  # managed config blocks changed. A firewall that is not running is left
  # alone. List items under `when` are ANDed by Ansible.
  service:
    name: minifirewall
    state: restarted
  when:
    - minifirewall_is_running.rc == 0
    - minifirewall_config_ips | changed or minifirewall_config_ports | changed