---
# Print the address lists that feed TRUSTEDIPS / PRIVILEGIEDIPS further down
# (only shown with -v) so a run can be audited before the file is touched.
- debug:
    var: minifirewall_trusted_ips
    verbosity: 1

- debug:
    var: minifirewall_privilegied_ips
    verbosity: 1
# Checksum of the config before any edit; it is compared with the "after"
# stat at the end of this file to decide whether a restart is warranted.
- name: Stat minifirewall config file (before)
  stat:
    path: "{{ minifirewall_main_file }}"
  register: minifirewall_before
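# Heuristic "are firewall rules loaded?" probe: look for a catch-all
# DROP udp or ACCEPT icmp rule in the live ruleset; rc == 0 means the
# pattern matched. Runs in check mode too so the restart decision below
# always has data.
- name: Check if minifirewall is running
  shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
  # A failing iptables (missing binary, insufficient privileges) is
  # indistinguishable from "no rules loaded": both give rc != 0, and the
  # restart task later in this file is then silently skipped.
  changed_when: false
  failed_when: false
  check_mode: false
  register: minifirewall_is_running

- debug:
    var: minifirewall_is_running
    verbosity: 1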
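# Seed the BEGIN/END markers that the IP blockinfile rewrites between.
# lineinfile without regexp only inserts when the exact line is missing, so
# insertbefore/insertafter position the markers on the first run and the
# tasks are no-ops afterwards. create: false makes a missing config file a
# hard failure instead of producing an empty one.
- name: Begin marker for IP addresses
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
    insertbefore: '^# Main interface'
    create: false

- name: End marker for IP addresses
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
    insertafter: '^PRIVILEGIEDIPS='
    create: false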
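# Refuse to write a TRUSTEDIPS line that would leave no administrative
# source address at all.
- name: Verify that at least 1 trusted IP is provided
  assert:
    that:
      - minifirewall_trusted_ips != []
    msg: You must provide at least 1 trusted IP

# A catch-all entry anywhere in the trusted list grants the "trusted"
# access level to every source address. The test is on membership rather
# than on the list being exactly ["0.0.0.0/0"], so a mixed list such as
# ["0.0.0.0/0", "<some_ip>"] is reported as well.
- debug:
    msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless!"
  when: "'0.0.0.0/0' in minifirewall_trusted_ips"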
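# Render the address section of the config between the IPS markers. The
# block is written verbatim as shell-style variable assignments (presumably
# sourced by the init script). List values are space-joined inside single
# quotes and are not validated anywhere in this file, so a value containing
# a quote or shell metacharacter would corrupt the generated config.
- name: Configure IP addresses
  blockinfile:
    dest: "{{ minifirewall_main_file }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
    block: |
      # Main interface
      INT='{{ minifirewall_int }}'

      # IPv6
      IPV6='{{ minifirewall_ipv6 }}'

      # Docker Mode
      # Changes the behaviour of minifirewall to not break the containers' network
      # For instance, turning it on will disable nat table purge
      # Also, we'll add the DOCKER-USER chain, in iptable
      DOCKER='{{ minifirewall_docker }}'

      # Trusted IPv4 local network
      # ...will be often IP/32 if you don't trust anything
      INTLAN='{{ minifirewall_intlan }}'

      # Trusted IPv4 addresses for private and semi-public services
      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'

      # Privilegied IPv4 addresses for semi-public services
      # (no need to add again TRUSTEDIPS)
      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
    create: false
  register: minifirewall_config_ips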
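# Seed the BEGIN/END markers that the ports blockinfile rewrites between.
# Without a regexp, lineinfile only inserts when the exact line is absent,
# so the insertbefore/insertafter anchors matter on the first run only.
# create: false: a missing config file fails the play instead of being
# replaced by an empty one.
- name: Begin marker for ports
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
    insertbefore: '^# Protected services'
    create: false

- name: End marker for ports
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
    insertafter: '^SERVICESUDP3='
    create: false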
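# Render the port section between the PORTS markers. Port lists are
# space-joined into single-quoted shell-style assignments with no format
# check in this file; a malformed entry ends up verbatim in the config and
# is only caught when the init script loads it.
- name: Configure ports
  blockinfile:
    dest: "{{ minifirewall_main_file }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
    block: |
      # Protected services
      # (add also in Public services if needed)
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'

      # Public services (IPv4/IPv6)
      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'

      # Semi-public services (IPv4)
      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'

      # Private services (IPv4)
      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
    create: false
  register: minifirewall_config_ports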
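# Single-line settings. Each task replaces the last line matching its
# regexp (or appends the line when nothing matches) and is skipped when the
# variable is null, leaving the setting as found in the file. The regexps
# are unanchored; NOTE(review): a commented-out copy of a setting in the
# shipped config would match too - confirm before anchoring with ^.
- name: Configure DNSSERVEURS
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
    regexp: "DNSSERVEURS='.*'"
    create: false
  when: minifirewall_dns_servers is not none

- name: Configure HTTPSITES
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
    regexp: "HTTPSITES='.*'"
    create: false
  when: minifirewall_http_sites is not none

- name: Configure HTTPSSITES
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
    regexp: "HTTPSSITES='.*'"
    create: false
  when: minifirewall_https_sites is not none

- name: Configure FTPSITES
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
    regexp: "FTPSITES='.*'"
    create: false
  when: minifirewall_ftp_sites is not none

- name: Configure SSHOK
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
    regexp: "SSHOK='.*'"
    create: false
  when: minifirewall_ssh_ok is not none

- name: Configure SMTPOK
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
    regexp: "SMTPOK='.*'"
    create: false
  when: minifirewall_smtp_ok is not none

- name: Configure SMTPSECUREOK
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
    regexp: "SMTPSECUREOK='.*'"
    create: false
  when: minifirewall_smtp_secure_ok is not none

- name: Configure NTPOK
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
    regexp: "NTPOK='.*'"
    create: false
  when: minifirewall_ntp_ok is not none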
# Accept the return leg (source port 5432, ESTABLISHED/RELATED only) from
# each evomaintenance host, one rule line per host inserted after the
# "# EvoMaintenance" comment. Nothing in this file removes such lines, so a
# host dropped from evomaintenance_hosts keeps its exception until cleaned
# up by hand.
- name: evomaintenance
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    insertafter: "^# EvoMaintenance"
    line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
  with_items: "{{ evomaintenance_hosts }}"

# Drop the commented placeholder rule from the example config once real
# hosts are configured.
- name: remove minifirewall example rule for the evomaintenance
  lineinfile:
    dest: "{{ minifirewall_main_file }}"
    state: absent
    regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
  when: evomaintenance_hosts != []
# Checksum of the config after all edits; a difference from the "before"
# stat is one of the conditions for restarting the firewall.
- name: Stat minifirewall config file (after)
  stat:
    path: "{{ minifirewall_main_file }}"
  register: minifirewall_after
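# Restart only when the operator allowed it, rules were already loaded
# before this run (rc == 0 from the iptables probe above), and the config
# checksum actually changed. Success is judged on the init script's stdout,
# not on its exit status. NOTE(review): stat only reports a checksum for an
# existing regular file - confirm the earlier tasks guarantee that here.
- name: restart minifirewall
  # service:
  #   name: minifirewall
  #   state: restarted
  command: /etc/init.d/minifirewall restart
  register: minifirewall_init_restart
  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
  when:
    - minifirewall_restart_if_needed
    - minifirewall_is_running.rc == 0
    - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum

# Placeholder so minifirewall_init_restart has a value for the debug below
# when restarts are disabled. NOTE(review): register on a meta task is not
# honoured by every Ansible version - confirm the variable is really set.
- name: restart minifirewall (noop)
  meta: noop
  register: minifirewall_init_restart
  failed_when: false
  changed_when: false
  when: not minifirewall_restart_if_needed

- debug:
    var: minifirewall_init_restart
    verbosity: 2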