From 2d9eb03b66ab829f49c47ad567f1ce8dbb006816 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Mon, 25 Dec 2023 20:36:14 +0100
Subject: [PATCH] Simplify FW rules, handling in router FW

---
roles/virt-common/tasks/firewall.yml | 64 ++++------------------------
1 file changed, 9 insertions(+), 55 deletions(-)

diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index f16e8e0..797d906 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -4,35 +4,13 @@
- name: General firewall rules
notify: Reload firewalld
block:
- - name: Move Guest LAN and and IoT LAN networks to zone 'drop'
ansible.posix.firewalld:
zone: drop
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.2.0/24
- 192.168.4.0/24
- - name: Move Home LAN and VPN networks to zone 'dmz'
+ - name: Move LAN networks to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
- source: "{{ item }}"
+ source: 192.168.0.0/16
permanent: true
state: enabled
loop:
- - 192.168.1.0/24
- - 192.168.8.0/24
- - - name: Move Secure LAN and Lab LAN networks to zone 'public'
ansible.posix.firewalld:
zone: public
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.17.0/24
- 192.168.23.0/24
- name: Move internal network to zone 'internal'
ansible.posix.firewalld:
@@ -41,19 +19,12 @@
permanent: true
state: enabled
- - name: Default deny incoming connections to SSH port in all zones
+ - name: Deny incoming connections to SSH port in default zone
ansible.posix.firewalld:
- zone: "{{ item }}"
service: ssh
permanent: true
state: disabled
- loop:
- - drop
- # - dmz
- - public
- - internal
- # Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld:
zone: dmz
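Review bot: The new side of the 'Move LAN networks to zone 'dmz'' task keeps a bare `loop:` after its two /24 items were deleted, so the key is left with no list; depending on the Ansible version that is either ignored or rejected as invalid loop data, and the `loop:` line should go along with the items. The replacement `source: 192.168.0.0/16` is also wider than the six /24s it stands in for and now places the former Guest/IoT (`drop`) and Secure/Lab (`public`) networks in `dmz`, the zone in which this role opens ssh and the proxy services, so host-level isolation between those networks now rests entirely on the router named in the commit title; that assumption belongs next to the task, e.g. `# VLAN isolation is enforced on the router; every 192.168.0.0/16 source is treated as 'dmz' on this host.` If the 'internal network' source (its value is outside this hunk) also falls inside 192.168.0.0/16, confirm which zone firewalld picks for it, since I do not believe source-to-zone dispatch is longest-prefix.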
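Review bot: Dropping `zone:` from the SSH-deny task makes it act only on whatever firewalld's default zone happens to be, while the `internal` entry removed from the old loop still matters: this file continues to bind a source to zone 'internal', and as far as I recall firewalld's stock `internal` zone ships with `ssh` enabled, so SSH from that network is no longer explicitly closed by this role (verify with `firewall-cmd --zone=internal --list-services`). I would keep the zone explicit and cover both, `zone: "{{ item }}"` with `loop: [public, internal]`, or at minimum name the zone the task is meant to target rather than relying on the system default. The enclosing 'General firewall rules' block starts before this hunk.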
@@ -61,14 +32,6 @@
permanent: true
state: enabled
- # When sapt-labx-ctl01 is deployed
- # - name: Allow incoming connections from control machines to SSH port in zone 'public'
- # ansible.posix.firewalld:
- # zone: public
- # service: ssh
- # permanent: true
- # state: enabled
- - name: Firewall rules for database servers
when: hostname in groups['dbservers']
notify: Reload firewalld
@@ -84,35 +47,26 @@
when: hostname in groups['proxyservers']
notify: Reload firewalld
block:
- - name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
+ - name: Allow incoming connections to HTTP port in zone 'dmz'
ansible.posix.firewalld:
- zone: "{{ item }}"
+ zone: dmz
service: http
permanent: true
state: enabled
- loop:
- - drop
- - dmz
- - name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
+ - name: Allow incoming connections to HTTPS port in zone 'dmz'
ansible.posix.firewalld:
- zone: "{{ item }}"
+ zone: dmz
service: https
permanent: true
state: enabled
- loop:
- - drop
- - dmz
- - name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
+ - name: Allow incoming connections to HTTP/3 port in zone 'dmz'
ansible.posix.firewalld:
- zone: "{{ item }}"
+ zone: dmz
service: http3
permanent: true
state: enabled
- loop:
- - drop
- - dmz
- name: Flush handlers
ansible.builtin.meta: flush_handlers
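Review bot: The three proxy-server tasks in the last hunk now differ only in `service:`, so the zone, permanence and state are repeated three times and will drift the next time one of them is edited; a single task looping over the service names expresses the same rules once. The `http3` entry additionally needs the target's firewalld to define that service, which predates this change but is worth a short comment if the hosts run different firewalld versions. The block's `- name:` line is outside the hunk.
```yaml
    - name: Allow incoming connections to HTTP, HTTPS and HTTP/3 ports in zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        service: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - http
        - https
        - http3
```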