From 67f29a6e322a176571b7e9cbdbc2f541e18b79aa Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sun, 12 Nov 2023 18:22:08 +0100
Subject: [PATCH] Smarter firewall handling again
---
 roles/vm-common/tasks/firewall.yml | 94 ++++++++++++++++--------------
 roles/vm-common/tasks/main.yml | 1 -
 2 files changed, 49 insertions(+), 46 deletions(-)
diff --git a/roles/vm-common/tasks/firewall.yml b/roles/vm-common/tasks/firewall.yml
index da0bf0c..3ed24e1 100644
--- a/roles/vm-common/tasks/firewall.yml
+++ b/roles/vm-common/tasks/firewall.yml 
@@ -1,56 +1,59 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Move main LAN and VPN networks to zone 'drop'
- ansible.posix.firewalld:
- zone: drop
- source: "{{ item }}"
- permanent: true
- state: enabled
- loop:
- - 192.168.1.0/24
- - 192.168.8.0/24
+- name: General firewall rules
+ notify: Reload firewalld
+ block:
+ - name: Move main LAN and VPN networks to zone 'drop'
+ ansible.posix.firewalld:
+ zone: drop
+ source: "{{ item }}"
+ permanent: true
+ state: enabled
+ loop:
+ - 192.168.1.0/24
+ - 192.168.8.0/24
-- name: Move lab network to zone 'dmz'
- ansible.posix.firewalld:
- zone: dmz
- source: 192.168.17.0/24
- permanent: true
- state: enabled
+ - name: Move lab network to zone 'dmz'
+ ansible.posix.firewalld:
+ zone: dmz
+ source: 192.168.17.0/24
+ permanent: true
+ state: enabled
-- name: Move internal network to zone 'internal'
- ansible.posix.firewalld:
- zone: internal
- source: 10.2.0.0/16
- permanent: true
- state: enabled
+ - name: Move internal network to zone 'internal'
+ ansible.posix.firewalld:
+ zone: internal
+ source: 10.2.0.0/16
+ permanent: true
+ state: enabled
-- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
- ansible.posix.firewalld:
- zone: "{{ item }}"
- service: ssh
- permanent: true
- state: disabled
- loop:
- - dmz
- - internal
+ - name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
+ ansible.posix.firewalld:
+ zone: "{{ item }}"
+ service: ssh
+ permanent: true
+ state: disabled
+ loop:
+ - dmz
+ - internal
-# When sapt-labx-ctl01 is deployed
-# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
-# ansible.posix.firewalld:
-# zone: dmz
-# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
-# service: ssh
-# permanent: true
-# state: enabled
+ # Until sapt-labx-ctl01 is deployed
+ - name: Allow incoming connections to SSH port in zone 'drop'
+ ansible.posix.firewalld:
+ zone: drop
+ service: ssh
+ permanent: true
+ state: enabled
-# Until sapt-labx-ctl01 is deployed
-- name: Allow incoming connections to SSH port in zone 'drop'
- ansible.posix.firewalld:
- zone: drop
- service: ssh
- permanent: true
- state: enabled
+ # When sapt-labx-ctl01 is deployed
+ # - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
+ # ansible.posix.firewalld:
+ # zone: dmz
+ # source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
+ # service: ssh
+ # permanent: true
+ # state: enabled
 - name: Firewall rules for production and staging
 loop:
@@ -58,6 +61,7 @@
 - stage
 loop_control:
 loop_var: env
+ notify: Reload firewalld
 block:
 - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
 ansible.posix.firewalld:
diff --git a/roles/vm-common/tasks/main.yml b/roles/vm-common/tasks/main.yml
index 0486378..5ecff15 100644
--- a/roles/vm-common/tasks/main.yml
+++ b/roles/vm-common/tasks/main.yml
@@ -6,7 +6,6 @@
 - name: Configure firewall
 ansible.builtin.import_tasks: firewall.yml
- notify: Reload firewalld
 - name: Configure user accounts
 ansible.builtin.import_tasks: users.yml
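Review bot: The interim task `Allow incoming connections to SSH port in zone 'drop'` writes a permanent firewalld rule, so deleting the task later, when the jump-host rule below it is uncommented, does not close SSH on hosts that were already configured — the permanent configuration outlives the play and needs an explicit task with `state: disabled` to revoke it. A comment above the task would make that visible, e.g. `# Temporary: revoke with state: disabled once the jump-host rule is enabled; permanent rules outlive this task`. The commented jump-host task also combines `source` and `service` in one `ansible.posix.firewalld` call; as far as I recall the module accepts only one of those per task, and enabling `service: ssh` on zone 'dmz' would reopen SSH for the whole lab network that the preceding task disables, so limiting SSH to one address is a job for `rich_rule`. Because `permanent: true` is set without `immediate: true`, none of these rules is live until the `Reload firewalld` handler runs at the end of the play, which matters if the play fails midway.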
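Review bot: The new `notify: Reload firewalld` is attached to a task that carries `loop` and `loop_control` alongside `block:`, and as far as I know Ansible rejects `loop` on a block at parse time rather than iterating it; if this play currently runs, that is worth confirming, otherwise the per-environment tasks need to be looped individually or moved into a task file used with `ansible.builtin.include_tasks` under the loop. The block continues outside the hunk, so whether its firewalld tasks also set `permanent: true` without `immediate: true` is not visible here; if they do, they too depend on this handler to take effect.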