Improve firewall config

This commit is contained in:
Sam A. 2023-11-11 21:09:17 +01:00
parent 54f9d3c11b
commit 704319cff6
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA


@ -1,7 +1,15 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Move DMZ network to zone 'dmz' - name: Move main LAN network to zone 'drop'
ansible.posix.firewalld:
zone: drop
source: 192.168.1.0/24
permanent: true
immediate: true
state: enabled
- name: Move lab network to zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
source: 192.168.17.0/24 source: 192.168.17.0/24
@ -9,27 +17,34 @@
immediate: true immediate: true
state: enabled state: enabled
- name: Move interface 'eth1' to zone 'internal' - name: Move internal network to zone 'internal'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: internal zone: internal
interface: eth1 source: 10.2.0.0/16
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
when: hostname in groups['virtualservers']
# Until sapt-labx-ctl01 is deployed - name: Default deny incoming connections to SSH port in zone 'dmz'
- name: Allow incoming connections from main LAN to SSH port
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
source: 192.168.1.0/24
service: ssh service: ssh
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: disabled
when: true
- name: Default deny incoming connections to SSH port in zone 'internal'
ansible.posix.firewalld:
zone: internal
service: ssh
permanent: true
immediate: true
state: disabled
when: hostname in groups['virtualservers']
# When sapt-labx-ctl01 is deployed # When sapt-labx-ctl01 is deployed
- name: Allow incoming connections from jump host to SSH port - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}" source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
@ -37,31 +52,39 @@
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
when: false when: false # hostname not in groups['control_infra']
# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'drop'
ansible.posix.firewalld:
zone: drop
service: ssh
permanent: true
immediate: true
state: enabled
when: true
- name: Firewall rules for group 'control_infra' - name: Firewall rules for group 'control_infra'
when: hostname in groups['control_infra'] when: hostname in groups['control_infra']
block: block:
- name: Allow incoming connections from main LAN to SSH port - name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: dmz
source: 192.168.1.0/24
service: ssh service: ssh
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
- name: Allow incoming connections from LAN to DNS port - name: Allow incoming connections to DNS port in zones 'drop' and 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: "{{ item }}"
source: 192.168.0.0/16 service: dns
port: 53/{{ item }}
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
loop: loop:
- tcp - drop
- udp - dmz
- name: Firewall rules for production and staging - name: Firewall rules for production and staging
loop: loop:
@ -74,7 +97,7 @@
ansible.posix.firewalld: ansible.posix.firewalld:
zone: internal zone: internal
source: "{{ hostvars[item].internal_ipv4 }}" source: "{{ hostvars[item].internal_ipv4 }}"
port: 5432/tcp service: postgresql
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
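Review bot: The `Allow incoming connections to SSH port in zone 'drop'` task (`when: true`, third hunk) runs after `Move main LAN network to zone 'drop'` (first hunk) and after both `Default deny ... SSH` tasks, all with `immediate: true`, so for the span of those tasks 192.168.1.0/24 has no SSH allow rule at all; a play that aborts in that window, or a controller on that LAN that needs to reconnect, leaves the host locked out. Moving the 'drop'-zone SSH allow task ahead of the source-binding task closes the window, since firewalld evaluates a zone's explicitly added services before falling through to its DROP target (worth confirming on the installed firewalld version). The hard-coded pair `when: true` / `when: false # hostname not in groups['control_infra']` is the only thing keeping the LAN-wide SSH rule and the jump-host rule mutually exclusive, and a literal `true` is easy to leave in place once sapt-labx-ctl01 exists; an inventory variable makes the transition explicit and reviewable, e.g. `when: not jump_host_deployed` on the LAN-wide rule and `when: jump_host_deployed and hostname not in groups['control_infra']` on the jump-host rule, with `jump_host_deployed: false` in group_vars until cutover. The file is a flat task list starting at line 1, so none of these tasks sits inside a block that extends beyond the visible hunks.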