2023-10-28 23:00:05 +00:00
|
|
|
# vim: ft=yaml.ansible
|
2023-10-29 19:46:52 +00:00
|
|
|
# code: language=ansible
|
2023-10-28 23:00:05 +00:00
|
|
|
---
|
2023-11-12 17:22:08 +00:00
|
|
|
- name: General firewall rules
|
|
|
|
|
notify: Reload firewalld
|
|
|
|
|
block:
|
2023-12-25 19:36:14 +00:00
|
|
|
- name: Move LAN networks to zone 'dmz'
|
2023-11-13 20:17:17 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
|
zone: dmz
|
2023-12-25 19:36:14 +00:00
|
|
|
source: 192.168.0.0/16
|
2023-11-12 17:22:08 +00:00
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2024-02-04 14:31:18 +00:00
|
|
|
when: instance_type != 'vps'
|
|
|
|
|
|
|
|
|
|
- name: Move home IP addresses to zone 'dmz'
|
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
|
zone: dmz
|
|
|
|
|
source: "{{ item }}"
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
|
|
|
|
loop:
|
|
|
|
|
- '46.32.144.131'
|
|
|
|
|
- '2a06:4001:f02a::/48'
|
|
|
|
|
when: instance_type == 'vps'
|
2023-11-11 18:11:14 +00:00
|
|
|
|
2023-11-12 17:22:08 +00:00
|
|
|
- name: Move internal network to zone 'internal'
|
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
|
zone: internal
|
|
|
|
|
source: 10.2.0.0/16
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-11-11 20:09:17 +00:00
|
|
|
|
2023-12-28 20:04:33 +00:00
|
|
|
- name: Deny incoming connections to SSH port in zone 'public'
|
2023-11-12 17:22:08 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-12-28 20:04:33 +00:00
|
|
|
zone: public
|
2023-11-12 17:22:08 +00:00
|
|
|
service: ssh
|
|
|
|
|
permanent: true
|
|
|
|
|
state: disabled
|
2023-11-11 18:11:14 +00:00
|
|
|
|
2023-11-13 20:17:17 +00:00
|
|
|
- name: Allow incoming connections to SSH port in zone 'dmz'
|
2023-11-12 17:22:08 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-11-13 20:17:17 +00:00
|
|
|
zone: dmz
|
2023-11-12 17:22:08 +00:00
|
|
|
service: ssh
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-11-11 20:09:17 +00:00
|
|
|
|
2023-11-26 16:37:17 +00:00
|
|
|
- name: Firewall rules for database servers
|
|
|
|
|
when: hostname in groups['dbservers']
|
2023-11-12 17:22:08 +00:00
|
|
|
notify: Reload firewalld
|
2023-11-11 18:11:14 +00:00
|
|
|
block:
|
2023-12-24 23:58:55 +00:00
|
|
|
- name: Allow incoming connections to PostgreSQL port in zone 'internal'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
|
zone: internal
|
2023-11-11 20:09:17 +00:00
|
|
|
service: postgresql
|
2023-11-11 18:11:14 +00:00
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-11-12 17:18:56 +00:00
|
|
|
|
2024-02-04 14:31:18 +00:00
|
|
|
- name: Firewall rules for proxy & public servers
|
2024-02-06 19:14:08 +00:00
|
|
|
when: hostname in groups['proxyservers']
|
2023-11-13 20:17:17 +00:00
|
|
|
notify: Reload firewalld
|
|
|
|
|
block:
|
2023-12-28 20:04:33 +00:00
|
|
|
- name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
|
2023-11-13 20:17:17 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-12-28 20:04:33 +00:00
|
|
|
zone: "{{ item }}"
|
2023-11-13 20:17:17 +00:00
|
|
|
service: http
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-12-28 20:04:33 +00:00
|
|
|
loop:
|
|
|
|
|
- public
|
|
|
|
|
- dmz
|
2023-11-13 20:17:17 +00:00
|
|
|
|
2023-12-28 20:04:33 +00:00
|
|
|
- name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz'
|
2023-11-13 20:17:17 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-12-28 20:04:33 +00:00
|
|
|
zone: "{{ item }}"
|
2023-11-13 20:17:17 +00:00
|
|
|
service: https
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-12-28 20:04:33 +00:00
|
|
|
loop:
|
|
|
|
|
- public
|
|
|
|
|
- dmz
|
2023-11-13 20:17:17 +00:00
|
|
|
|
2023-12-28 20:04:33 +00:00
|
|
|
- name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz'
|
2023-11-13 20:17:17 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-12-28 20:04:33 +00:00
|
|
|
zone: "{{ item }}"
|
2023-11-13 20:17:17 +00:00
|
|
|
service: http3
|
|
|
|
|
permanent: true
|
|
|
|
|
state: enabled
|
2023-12-28 20:04:33 +00:00
|
|
|
loop:
|
|
|
|
|
- public
|
|
|
|
|
- dmz
|
