|
@@ -5,29 +5,21 @@
|
5
|
5
|
- name: Install ufw
|
6
|
6
|
apt: pkg=ufw state=present
|
7
|
7
|
|
8
|
|
-- name: Set firewall rules
|
9
|
|
- command: ufw allow {{ item }}
|
10
|
|
- register: ufw_result
|
11
|
|
- changed_when: "ufw_result.stdout.startswith('Rule')"
|
12
|
|
- with_items:
|
13
|
|
- - smtp/tcp
|
14
|
|
- - domain
|
15
|
|
- - http/tcp
|
16
|
|
- - https/tcp
|
17
|
|
- - ssh/tcp
|
18
|
|
- - ssmtp/tcp
|
19
|
|
- - pop3s/tcp
|
20
|
|
- - imaps/tcp
|
21
|
|
- - 5222/tcp # xmpp c2s
|
22
|
|
- - 5269/tcp # xmpp s2s
|
23
|
|
- - 6697/tcp # znc
|
24
|
|
- - "{{ openvpn_port }}/{{ openvpn_protocol }}"
|
25
|
|
- - 60000:61000/udp # mosh udp packets
|
|
8
|
+- name: Deny everything and enable UFW
|
|
9
|
+ ufw: state=enabled policy=deny
|
26
|
10
|
|
27
|
|
-- name: Check status of ufw
|
28
|
|
- command: ufw status
|
29
|
|
- register: ufw_status
|
30
|
|
- changed_when: False # never report as "changed"
|
|
11
|
+- name: Set firewall rule for DNS
|
|
12
|
+ ufw: rule=allow port=domain
|
|
13
|
+
|
|
14
|
+- name: Set firewall rule for mosh
|
|
15
|
+ ufw: rule=allow port=60000:61000 proto=udp
|
|
16
|
+
|
|
17
|
+- name: Set firewall rules for web traffic and SSH
|
|
18
|
+ ufw: rule=allow port={{ item }} proto=tcp
|
|
19
|
+ with_items:
|
|
20
|
+ - ssh
|
|
21
|
+ - http
|
|
22
|
+ - https
|
31
|
23
|
|
32
|
24
|
- name: Check config of ufw
|
33
|
25
|
command: cat /etc/ufw/ufw.conf
|
|
@@ -35,9 +27,5 @@
|
35
|
27
|
changed_when: False # never report as "changed"
|
36
|
28
|
|
37
|
29
|
- name: Disable logging (workaround for known bug in Debian 7)
|
38
|
|
- command: ufw logging off
|
|
30
|
+ ufw: logging=off
|
39
|
31
|
when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
|
40
|
|
-
|
41
|
|
-- name: Enable ufw
|
42
|
|
- command: ufw --force enable
|
43
|
|
- when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"
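Review bot: The new `Deny everything and enable UFW` task (new lines 8–9 of the first hunk) enables the firewall with a default-deny policy before any allow rule exists, so on a fresh host the `ssh` rule is only added several tasks later; if the play is interrupted or a task fails in that window, the machine is left unreachable over SSH until someone has console access. Established sessions usually survive because ufw's default before-rules accept RELATED,ESTABLISHED traffic, but that is a property of the distribution's ufw rule set, not something this play guarantees. Moving the two lines `- name: Deny everything and enable UFW` / `  ufw: state=enabled policy=deny` to after the `Set firewall rules for web traffic and SSH` task applies the allow rules first and turns on the deny policy last, which is the order the removed `Enable ufw` task used. The `Disable logging` rewrite in the second hunk is unaffected by this ordering.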
|