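# vim: ft=yaml.ansible
# code: language=ansible
---
# Per-host firewalld rules.  Every task is `permanent: true` + `immediate: true`
# so the running and the saved configuration never diverge.
#
# NOTE(review): nothing in this file sets firewalld's default zone.  Traffic on
# an interface, or from a source, that is not bound below lands in the default
# zone (commonly `public`, which ships with the ssh service allowed) — confirm
# the default zone is locked down elsewhere.
#
# NOTE(review): `hostname` is not an Ansible builtin (that is
# `inventory_hostname`); it is assumed to be defined in inventory/group_vars.

- name: Move DMZ network to zone 'dmz'
  ansible.posix.firewalld:
    zone: dmz
    source: 192.168.17.0/24
    permanent: true
    immediate: true
    state: enabled

# NOTE(review): on a NetworkManager-managed interface the zone stored on the NM
# connection takes precedence over firewalld's own interface binding — TODO
# confirm eth1 is not NM-managed, or set the zone on the connection as well.
- name: Move interface 'eth1' to zone 'internal'
  ansible.posix.firewalld:
    zone: internal
    interface: eth1
    permanent: true
    immediate: true
    state: enabled

# SSH access path.  Until the jump host sapt-labx-ctl01 exists the whole main
# LAN may reach ssh; afterwards only the jump host may.
#
# The cut-over is a single variable, `ssh_jump_host_deployed`
# (inventory/group_vars, defaults to false = pre-jump-host behaviour), instead
# of two hand-edited `when: true` / `when: false` toggles that had to be flipped
# together.  The LAN task keeps running with `state: disabled` rather than being
# skipped: skipping a task does NOT revoke a rule that `permanent: true` has
# already saved, so the broad LAN allow-rule would otherwise survive the
# cut-over.
- name: Allow incoming connections from main LAN to SSH port
  ansible.posix.firewalld:
    zone: dmz
    source: 192.168.1.0/24
    service: ssh
    permanent: true
    immediate: true
    state: "{{ 'disabled' if (ssh_jump_host_deployed | default(false) | bool) else 'enabled' }}"

- name: Allow incoming connections from jump host to SSH port
  ansible.posix.firewalld:
    zone: dmz
    # Only evaluated once the jump host is in inventory (see `when` below);
    # before that hostvars['sapt-labx-ctl01'] would be undefined.
    source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
    service: ssh
    permanent: true
    immediate: true
    state: enabled
  when: ssh_jump_host_deployed | default(false) | bool

- name: Firewall rules for group 'control_infra'
  when: hostname in groups['control_infra']
  block:
    # NOTE(review): identical to the LAN ssh rule above but not tied to the
    # jump-host cut-over.  Today this is a harmless duplicate; once
    # `ssh_jump_host_deployed` is true it re-enables the rule the task above
    # disables, so control hosts will flap each run.  Decide whether control
    # hosts keep LAN ssh (then exempt them from the task above) or not (then
    # drop this task).
    - name: Allow incoming connections from main LAN to SSH port
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.1.0/24
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    # 192.168.0.0/16 is wider than the main LAN 192.168.1.0/24: it also covers
    # the DMZ range 192.168.17.0/24 bound above.  One rule each for DNS over
    # TCP and UDP.
    - name: Allow incoming connections from LAN to DNS port
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.0.0/16
        port: "53/{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - tcp
        - udp

# `loop` is not a valid attribute on a `block` (Ansible rejects it at parse
# time), so the original per-environment block around this task could never
# run and the PostgreSQL rules were never applied.  The same rule set is now a
# single task over (app_host, env) pairs; `when` is evaluated per item, so each
# db host admits only the app servers of the environment(s) it serves.
# A missing app_*/db_* group still fails the play loudly instead of silently
# skipping — keep it that way (no `default([])`), an unnoticed typo must not
# pass as "nothing to open".
- name: Allow incoming connections from app servers to PostgreSQL
  ansible.posix.firewalld:
    zone: internal
    # item.0 = app host (inventory name), item.1 = environment
    source: "{{ hostvars[item.0].internal_ipv4 }}"
    port: 5432/tcp
    permanent: true
    immediate: true
    state: enabled
  loop: >-
    {{ (groups['app_prod'] | product(['prod']) | list)
     + (groups['app_stage'] | product(['stage']) | list) }}
  loop_control:
    label: "{{ item.1 }}: {{ item.0 }}"
  when: hostname in groups['db_' + item.1]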