
Enable UFW and deny everything by default

Removed unused status checks on UFW
Justin Plock 10 years ago
parent
commit
1d7986fd96
1 changed files with 3 additions and 9 deletions
  1. 3
    9
      roles/common/tasks/ufw.yml

+ 3
- 9
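--- a/roles/common/tasks/ufw.yml
+++ b/roles/common/tasks/ufw.yml
@@ -5,6 +5,9 @@
 - name: Install ufw
   apt: pkg=ufw state=present
 
+- name: Deny everything and enable UFW
+  ufw: state=enabled policy=deny
+
 - name: Set firewall rule for DNS
   ufw: rule=allow port=domain
 
@@ -18,11 +21,6 @@
     - http
     - https
 
-- name: Check status of ufw
-  command: ufw status
-  register: ufw_status
-  changed_when: False  # never report as "changed"
-
 - name: Check config of ufw
   command: cat /etc/ufw/ufw.conf
   register: ufw_config
@@ -31,7 +29,3 @@
 - name: Disable logging (workaround for known bug in Debian 7)
   ufw: logging=off
   when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
-
-- name: Enable ufw
-  ufw: state=enabled
-  when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"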
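Review bot: The new `ufw: state=enabled policy=deny` task at new lines 8-9 runs before any allow rule in this file, so on a host where ufw was inactive the default-deny policy is live during the window before the DNS/http/https rules are added, and if no ssh allow rule precedes it (file lines 14-17 are outside this section, so I cannot confirm one exists) a dropped or new SSH session cannot reconnect until the rules land. The old version deliberately put `state=enabled` as the last task, after every allow rule, which the commit message does not explain abandoning. I would split it: keep `ufw: policy=deny` here so the default is set early, and move `state=enabled` back to the end of the file after the last allow rule, e.g. `- name: Enable ufw` / `  ufw: state=enabled` — the module is idempotent, so the removed `ufw status` check is not needed to make that safe. Note also that `policy=deny` without a `direction` only changes the incoming default (ufw's `default deny` is incoming-only), which is presumably what "deny everything" intends; a one-line comment stating that would help the next reader.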
