diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 7241aeb..e6fffb1 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,7 +1,15 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Move DMZ network to zone 'dmz'
+- name: Move main LAN network to zone 'drop'
+  ansible.posix.firewalld:
+    zone: drop
+    source: 192.168.1.0/24
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Move lab network to zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
     source: 192.168.17.0/24
@@ -9,27 +17,34 @@
     immediate: true
     state: enabled
 
-- name: Move interface 'eth1' to zone 'internal'
+- name: Move internal network to zone 'internal'
   ansible.posix.firewalld:
     zone: internal
-    interface: eth1
+    source: 10.2.0.0/16
     permanent: true
     immediate: true
     state: enabled
+  when: hostname in groups['virtualservers']
 
-# Until sapt-labx-ctl01 is deployed
-- name: Allow incoming connections from main LAN to SSH port
+- name: Default deny incoming connections to SSH port in zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
-    source: 192.168.1.0/24
     service: ssh
     permanent: true
     immediate: true
-    state: enabled
-  when: true
+    state: disabled
+
+- name: Default deny incoming connections to SSH port in zone 'internal'
+  ansible.posix.firewalld:
+    zone: internal
+    service: ssh
+    permanent: true
+    immediate: true
+    state: disabled
+  when: hostname in groups['virtualservers']
 
 # When sapt-labx-ctl01 is deployed
-- name: Allow incoming connections from jump host to SSH port
+- name: Allow incoming connections from jump host to SSH port in zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
     source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
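Review bot: The first task binds 192.168.1.0/24 to zone `drop` with `immediate: true`, but the only rule that lets SSH through for that zone (`Allow incoming connections to SSH port in zone 'drop'`) is applied much later in the file, so on a first run every new connection from the main LAN is dropped in between, and a task failure anywhere in that window leaves the host reachable from the main LAN only over the session already open (firewalld normally keeps established flows via conntrack, worth confirming on the target release). Moving the `service: ssh` allow for zone `drop` ahead of this source binding, or applying the bindings with `immediate: false` and reloading once all rules are in place, closes the gap. The same deny-before-allow ordering applies to the two `state: disabled` SSH tasks further down relative to the `control_infra` allow that follows them.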
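Review bot: `Default deny incoming connections to SSH port in zone 'internal'` removes only `ssh`, while firewalld's stock `internal` zone also ships with other services enabled (on most distributions `mdns`, `samba-client` and `dhcpv6-client`), so after this play 10.2.0.0/16 still reaches those ports on the `virtualservers` hosts and the task name overstates what is enforced; the zone defaults are not visible in the diff, so check the target's zone definition. Either add `state: disabled` entries for the remaining default services (a `loop` over the service names keeps it to one task), or rename the task to `Remove SSH service from zone 'internal'` so the name matches the effect. The `dmz` counterpart is accurate as far as I know, since the stock `dmz` zone enables only `ssh`.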
@@ -37,31 +52,39 @@
     permanent: true
     immediate: true
     state: enabled
-  when: false
+  when: false # hostname not in groups['control_infra']
+
+# Until sapt-labx-ctl01 is deployed
+- name: Allow incoming connections to SSH port in zone 'drop'
+  ansible.posix.firewalld:
+    zone: drop
+    service: ssh
+    permanent: true
+    immediate: true
+    state: enabled
+  when: true
 
 - name: Firewall rules for group 'control_infra'
   when: hostname in groups['control_infra']
   block:
-    - name: Allow incoming connections from main LAN to SSH port
+    - name: Allow incoming connections to SSH port in zone 'dmz'
       ansible.posix.firewalld:
         zone: dmz
-        source: 192.168.1.0/24
         service: ssh
         permanent: true
         immediate: true
         state: enabled
 
-    - name: Allow incoming connections from LAN to DNS port
+    - name: Allow incoming connections to DNS port in zones 'drop' and 'dmz'
       ansible.posix.firewalld:
-        zone: dmz
-        source: 192.168.0.0/16
-        port: 53/{{ item }}
+        zone: "{{ item }}"
+        service: dns
         permanent: true
         immediate: true
         state: enabled
       loop:
-        - tcp
-        - udp
+        - drop
+        - dmz
 
 - name: Firewall rules for production and staging
   loop:
@@ -74,7 +97,7 @@
   ansible.posix.firewalld:
     zone: internal
     source: "{{ hostvars[item].internal_ipv4 }}"
-    port: 5432/tcp
+    service: postgresql
     permanent: true
     immediate: true
     state: enabled
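Review bot: The two transition rules for the jump host are gated by literal `when: true` (`Allow incoming connections to SSH port in zone 'drop'`) and `when: false` (the jump-host task just above it), which must be flipped by hand together at cut-over; a single boolean variable, e.g. `jump_host_deployed` (name constructed), used as `when: not jump_host_deployed` and `when: jump_host_deployed`, keeps the pair mutually exclusive and turns the cut-over into a one-line inventory change. The trailing `# hostname not in groups['control_infra']` on `when: false` records a condition as a comment rather than evaluating it, so it should either become the actual expression or go. Separately, the built-in `drop` zone is now the main-LAN zone with `ssh` and `dns` allowed inside it; that works because firewalld checks a zone's services before its target, but it inverts the zone's documented meaning, and a dedicated zone (say `lan`) with a DROP target would state the intent plainly.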
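Review bot: The task this hunk sits in (its header is outside the hunk) still passes `source: "{{ hostvars[item].internal_ipv4 }}"` and `service: postgresql` in one `ansible.posix.firewalld` call, but the module treats them as two independent zone settings — `source` binds the address to the zone, `service` opens the port to every source in that zone — and as far as I recall it rejects more than one of them per task, which is consistent with this commit stripping `source` from the other combined tasks. If the intent is "PostgreSQL only from the peer's internal address", express it as one rich rule, `rich_rule: rule family="ipv4" source address="{{ hostvars[item].internal_ipv4 }}" service name="postgresql" accept`, and leave the zone's `service` list alone. The unchanged jump-host task (`source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"`) appears to have the same shape, though its service line falls between the hunks.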