| 12345678910111213141516171819202122232425262728293031323334353637383940414243 |
- ---
- # Installs and configures ufw, which in turn uses iptables for firewall management
-
- # ufw includes sensible icmp defaults
- - name: Install ufw
- apt: pkg=ufw state=present
-
- - name: Set firewall rules
- command: ufw allow {{ item }}
- register: ufw_result
- changed_when: "ufw_result.stdout.startswith('Rule')"
- with_items:
- - smtp/tcp
- - domain
- - http/tcp
- - https/tcp
- - ssh/tcp
- - ssmtp/tcp
- - pop3s/tcp
- - imaps/tcp
- - 5222/tcp # xmpp c2s
- - 5269/tcp # xmpp s2s
- - 6697/tcp # znc
- - "{{ openvpn_port }}/{{ openvpn_protocol }}"
- - 60000:61000/udp # mosh udp packets
-
- - name: Check status of ufw
- command: ufw status
- register: ufw_status
- changed_when: False # never report as "changed"
-
- - name: Check config of ufw
- command: cat /etc/ufw/ufw.conf
- register: ufw_config
- changed_when: False # never report as "changed"
-
- - name: Disable logging (workaround for known bug in Debian 7)
- command: ufw logging off
- when: "ansible_lsb['codename'] == 'wheezy' and 'LOGLEVEL=off' not in ufw_config.stdout"
-
- - name: Enable ufw
- command: ufw --force enable
- when: "ufw_status.stdout.startswith('Status: inactive') or 'ENABLED=yes' not in ufw_config.stdout"
|
