minifirewall: main file is configurable
This commit is contained in:
parent
74f25e8183
commit
c3e4a78442
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
|
||||
minifirewall_main_file: /etc/default/minifirewall
|
||||
minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||
minifirewall_tail_included: False
|
||||
minifirewall_tail_force: True
|
||||
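Review bot: The new `minifirewall_main_file` default carries no comment, and nothing tells an operator that the same value is rendered into the init script at install time, so changing it later only takes effect if the install tasks are re-run and allowed to overwrite the script. A comment above the variable such as `# Path of the main configuration file; also baked into /etc/init.d/minifirewall by the install tasks` would make that dependency visible where the value is set. Whether the rest of the defaults file is commented is outside this hunk.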
|
|
|
@ -20,14 +20,14 @@
|
|||
|
||||
- name: Begin marker for IP addresses
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertbefore: '^# Main interface'
|
||||
|
||||
- name: End marker for IP addresses
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertafter: '^PRIVILEGIEDIPS='
|
||||
|
@ -41,7 +41,7 @@
|
|||
|
||||
- name: Configure IP addresses
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
content: |
|
||||
|
@ -65,21 +65,21 @@
|
|||
|
||||
- name: Begin marker for ports
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertbefore: '^# Protected services'
|
||||
|
||||
- name: End marker for ports
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertafter: '^SERVICESUDP3='
|
||||
|
||||
- name: Configure ports
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
content: |
|
||||
|
@ -103,14 +103,14 @@
|
|||
|
||||
- name: evomaintenance
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||
insertafter: "^# EvoMaintenance"
|
||||
with_items: "{{ evomaintenance_hosts }}"
|
||||
|
||||
- name: remove minifirewall example rule for the evomaintenance
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
||||
state: absent
|
||||
when: evomaintenance_hosts != []
|
||||
|
|
|
@ -8,8 +8,8 @@
|
|||
- iptables
|
||||
|
||||
- name: init script is copied
|
||||
copy:
|
||||
src: minifirewall
|
||||
template:
|
||||
src: minifirewall.j2
|
||||
dest: /etc/init.d/minifirewall
|
||||
force: no
|
||||
mode: "0700"
|
||||
|
@ -19,7 +19,7 @@
|
|||
- name: configuration is copied
|
||||
copy:
|
||||
src: minifirewall.conf
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
force: no
|
||||
mode: "0600"
|
||||
owner: root
|
||||
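Review bot: Switching the init script from `copy` to `template` while keeping `force: no` means the templated `configfile` line is only written on hosts where /etc/init.d/minifirewall does not exist yet; on an already-deployed host that later sets a non-default `minifirewall_main_file`, the other tasks edit the new path while the installed script keeps reading the old one. If the intent is to let operators keep local edits to the script, that constraint should be documented on the variable; otherwise drop `force: no` from the template task (keeping `dest: /etc/init.d/minifirewall` and `mode: "0700"`) so the script is re-rendered whenever the variable changes. The configuration copy below keeps `force: no` legitimately, since it only seeds the file that the other tasks then edit in place.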
|
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
- name: source minifirewall.tail at the end of the main file
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||
block: ". {{ minifirewall_tail_file }}"
|
||||
insertbefore: EOF
|
||||
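Review bot: The block written here makes the init script, which runs as root, source `minifirewall_tail_file`, so whatever task creates that file must make it root-owned and writable by root only — that task is outside this hunk, so I cannot confirm it does. The path is also interpolated unquoted into the `.` command; `block: ". {{ minifirewall_tail_file | quote }}"` keeps the script intact if the path ever contains spaces or shell metacharacters. A comment on the task, `# sourced as root by /etc/init.d/minifirewall: the tail file must be root-owned and not writable by others`, would state the requirement where the block is written.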
|
|
|
@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT
|
|||
|
||||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="/etc/default/minifirewall"
|
||||
configfile="{{ minifirewall_main_file }}"
|
||||
|
||||
if test -f $oldconfigfile; then
|
||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||
|
@ -382,4 +382,3 @@ trap - INT TERM EXIT
|
|||
esac
|
||||
|
||||
exit 0
|
||||
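Review bot: The new `configfile="{{ minifirewall_main_file }}"` line pastes the variable into a double-quoted shell string without escaping, so a value containing `"`, `$` or a backslash would alter the generated script rather than be treated as a path; `configfile={{ minifirewall_main_file | quote }}` renders a properly shell-quoted literal instead. The deprecation check that follows still only knows about /etc/firewall.rc, so an operator who moves the main file leaves a stale /etc/default/minifirewall that the script silently ignores; extending the check to that path when `minifirewall_main_file` differs from it would surface the mistake. The context line `if test -f $oldconfigfile; then` also leaves its expansion unquoted, which predates this commit. The later uses of `$configfile` are outside this hunk, as is the function or case arm the second hunk closes.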
|