Smarter firewall handling again
parent
59febe2622
commit
67f29a6e32
@ -1,7 +1,10 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
- name: Move main LAN and VPN networks to zone 'drop'
|
||||
- name: General firewall rules
|
||||
notify: Reload firewalld
|
||||
block:
|
||||
- name: Move main LAN and VPN networks to zone 'drop'
|
||||
ansible.posix.firewalld:
|
||||
zone: drop
|
||||
source: "{{ item }}"
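Review bot: Binding the main LAN and VPN ranges to zone 'drop' (the `zone: drop` / `source: "{{ item }}"` lines here) puts the networks an operator most plausibly manages this host from behind firewalld's silent-discard target, so every management path now depends on services added to 'drop' later in the block, and nothing in the block records that dependency. Note also that `ansible.posix.firewalld` with a `source` and `state: enabled` adds a zone binding rather than moving one — if a source is still bound to another zone firewalld reports ZONE_CONFLICT and the task fails — so the "Move …" name overstates what the task does. I would put a comment above this task such as `# NOTE: 'drop' discards everything, ICMP included; the SSH allowance later in this block is what keeps management access — check that rule before editing this list`. The enclosing block continues past the end of this hunk.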
|
||||
|
@ -11,21 +14,21 @@
|
|||
- 192.168.1.0/24
|
||||
- 192.168.8.0/24
|
||||
|
||||
- name: Move lab network to zone 'dmz'
|
||||
- name: Move lab network to zone 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: dmz
|
||||
source: 192.168.17.0/24
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
- name: Move internal network to zone 'internal'
|
||||
- name: Move internal network to zone 'internal'
|
||||
ansible.posix.firewalld:
|
||||
zone: internal
|
||||
source: 10.2.0.0/16
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
|
||||
- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
|
||||
ansible.posix.firewalld:
|
||||
zone: "{{ item }}"
|
||||
service: ssh
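Review bot: The zone bindings in this hunk are written with `permanent: true` only (for example the lab-network task's `permanent: true` / `state: enabled`), so the running firewall is untouched until the `Reload firewalld` handler fires at the end of the play; if a later task fails before the handler runs, permanent and runtime configuration diverge and the new bindings plus the SSH default-deny land at whatever unrelated reload happens next. Adding `immediate: true` beside each `permanent: true` applies the change to runtime and permanent config in the same task and removes that window, with the handler left in place as a safety net. The "Default deny … SSH" task at the bottom is cut off by the hunk, so its `state` value is not visible here; the enclosing block starts before this hunk.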
|
||||
|
@ -35,29 +38,30 @@
|
|||
- dmz
|
||||
- internal
|
||||
|
||||
# When sapt-labx-ctl01 is deployed
|
||||
# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
|
||||
# ansible.posix.firewalld:
|
||||
# zone: dmz
|
||||
# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
|
||||
# service: ssh
|
||||
# permanent: true
|
||||
# state: enabled
|
||||
|
||||
# Until sapt-labx-ctl01 is deployed
|
||||
- name: Allow incoming connections to SSH port in zone 'drop'
|
||||
# Until sapt-labx-ctl01 is deployed
|
||||
- name: Allow incoming connections to SSH port in zone 'drop'
|
||||
ansible.posix.firewalld:
|
||||
zone: drop
|
||||
service: ssh
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
# When sapt-labx-ctl01 is deployed
|
||||
# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
|
||||
# ansible.posix.firewalld:
|
||||
# zone: dmz
|
||||
# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
|
||||
# service: ssh
|
||||
# permanent: true
|
||||
# state: enabled
|
||||
|
||||
- name: Firewall rules for production and staging
|
||||
loop:
|
||||
- prod
|
||||
- stage
|
||||
loop_control:
|
||||
loop_var: env
|
||||
notify: Reload firewalld
|
||||
block:
|
||||
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
|
||||
ansible.posix.firewalld:
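Review bot: The `Firewall rules for production and staging` task carries `loop:` / `loop_control:` alongside `block:`, and Ansible does not accept loops on a block (`'loop' is not a valid attribute for a Block`), so unless this rendering has lost structure the play stops at that task and the newly added `notify: Reload firewalld` never matters. The usual fix is to loop an `include_tasks` over the environments and keep the per-environment tasks (the PostgreSQL rule cut off at the end of this hunk and whatever follows it) in the included file, each carrying its own `notify`, since keywords on the include are not reliably passed down. Separately, the interim `Allow incoming connections to SSH port in zone 'drop'` rule opens SSH to every host in the LAN and VPN ranges bound to 'drop' with no removal criterion beyond a comment; a rich rule limited to the admin host's address, or at least a `# TODO(remove-when): sapt-labx-ctl01 deployed` marker that can be grepped for, would keep that exposure bounded. The block body continues past the hunk.
```yaml
- name: Firewall rules for production and staging
  ansible.builtin.include_tasks: firewall_env.yml
  loop:
    - prod
    - stage
  loop_control:
    loop_var: env
# firewall_env.yml holds the tasks from the former block,
# each with its own `notify: Reload firewalld`
```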
|
||||
@ -6,7 +6,6 @@
|
|||
|
||||
- name: Configure firewall
|
||||
ansible.builtin.import_tasks: firewall.yml
|
||||
notify: Reload firewalld
|
||||
|
||||
- name: Configure user accounts
|
||||
ansible.builtin.import_tasks: users.yml
|
||||