
Merge pull request #69 from ariddell/ufw

Replace ferm with ufw
Alex Payne 11 years ago
parent
commit
c46c1cd1f9

+ 0
- 36
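--- a/roles/common/files/etc_ferm_ferm.conf
+++ b/roles/common/files/etc_ferm_ferm.conf
@@ -1,36 +0,0 @@
-# Firewall configuration for a web and SMTP server.
-# See http://ferm.foo-projects.org/
-
-table filter {
-    chain INPUT {
-        policy DROP;
-
-        # connection tracking
-        mod state state INVALID DROP;
-        mod state state (ESTABLISHED RELATED) ACCEPT;
-
-        # allow local connections
-        interface lo ACCEPT;
-
-        # respond to ping
-        proto icmp icmp-type echo-request ACCEPT;
-
-        # expose our services to the world:
-        # dns, web, ssh, imap + ssl, smtp + ssl, znc
-        proto tcp dport (25 53 http https ssh 993 465 6697) ACCEPT;
-
-        # openvpn
-        proto udp dport 1194 ACCEPT;
-
-        # mosh port range
-        proto udp dport 60000:61000 ACCEPT;
-
-        # the rest is dropped by the above policy
-    }
-
-    # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
-
-    # this is not a router
-    chain FORWARD policy DROP;
-}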

+ 0
- 4
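--- a/roles/common/handlers/ferm.yml
+++ b/roles/common/handlers/ferm.yml
@@ -1,4 +0,0 @@
----
-
-- name: reload ferm rules
-  command: /etc/init.d/ferm reload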

+ 0
- 2
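--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -12,5 +12,3 @@
 
 - name: restart ssh
   service: name=ssh state=restarted
-
-- include: ferm.yml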

+ 0
- 13
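--- a/roles/common/tasks/ferm.yml
+++ b/roles/common/tasks/ferm.yml
@@ -1,13 +0,0 @@
----
-# Installs and configures ferm, which in turn uses iptables for firewall management
-
-- name: Install ferm
-  apt: pkg=ferm state=present
-
-- name: Create ferm configuration directory
-  file: path=/etc/ferm state=directory
-
-- name: Copy ferm firewall rules into place
-  copy: src=etc_ferm_ferm.conf dest=/etc/ferm/ferm.conf
-  notify:
-    - reload ferm rules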

+ 1
- 1
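--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -47,5 +47,5 @@
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl
-- include: ferm.yml tags=ferm
+- include: ufw.yml tags=ufw
 - include: security.yml tags=security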

+ 31
- 0
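--- a/roles/common/tasks/ufw.yml
+++ b/roles/common/tasks/ufw.yml
@@ -0,0 +1,31 @@
+---
+# Installs and configures ufw, which in turn uses iptables for firewall management
+
+# ufw includes sensible icmp defaults
+- name: Install ufw
+  apt: pkg=ufw state=present
+
+- name: Set firewall rules
+  command: ufw allow {{ item }}
+  register: ufw_result
+  changed_when: "ufw_result.stdout.startswith('Rule')"
+  with_items:
+    - smtp/tcp
+    - domain/tcp
+    - http/tcp
+    - https/tcp
+    - ssh/tcp
+    - ssmtp/tcp
+    - imaps/tcp
+    - 6697/tcp  # znc
+    - openvpn/udp
+    - 60000:61000/udp  # mosh udp packets
+
+- name: Check status of ufw
+  command: ufw status
+  register: ufw_status
+  changed_when: False  # never report as "changed"
+
+- name: Enable ufw
+  command: ufw --force enable
+  when: "ufw_status.stdout.startswith('Status: inactive')"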
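Review bot: The new tasks never set ufw's default policy, so the deny-by-default INPUT/FORWARD posture that the removed ferm.conf spelled out explicitly now rests on the ufw package defaults being untouched on the host; a host whose default policy was changed earlier would presumably come out of this play with more exposed than the allow list intends. Add a task before "Set firewall rules" such as `- name: Deny incoming connections by default` / `  command: ufw default deny incoming`, paired with `changed_when: false` since the command prints the same confirmation on every run (or derive the changed state from `ufw status verbose`). The enable step is correctly ordered after the ssh rule, so the lockout risk is handled. Minor style: `changed_when: False` on the status task would read as `changed_when: false` to match yamllint's truthy convention.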
