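# vim: ft=yaml.ansible
# code: language=ansible
---
# Firewalld zone layout and per-role service rules.
#
# Every task here writes the permanent configuration only (permanent: true,
# no immediate: true). Each block notifies the "Reload firewalld" handler,
# which is expected to activate the rules, and the handlers are flushed at
# the end of this file so the running configuration matches before anything
# that follows relies on it.
#
# NOTE(review): `hostname` is not a built-in fact; it is assumed to be a
# variable set elsewhere in the play (the built-in is inventory_hostname)
# — TODO confirm it is defined for every host this file runs on.

- name: General firewall rules
  notify: Reload firewalld
  block:
    - name: Move Guest LAN and IoT LAN networks to zone 'drop'
      ansible.posix.firewalld:
        zone: drop
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - 192.168.2.0/24
        - 192.168.4.0/24

    - name: Move Home LAN and VPN networks to zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - 192.168.1.0/24
        - 192.168.8.0/24

    - name: Move Lab LAN network to zone 'public'
      ansible.posix.firewalld:
        zone: public
        source: 192.168.17.0/24
        permanent: true
        state: enabled

    - name: Move internal network to zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: 10.2.0.0/16
        permanent: true
        state: enabled

    # `state: disabled` only removes the ssh service entry from each zone; it
    # does not add a reject rule, so a port or rich rule opening TCP/22 would
    # still take effect. Nothing in this file adds one.
    - name: Default deny incoming connections to SSH port in all zones
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: ssh
        permanent: true
        state: disabled
      loop:
        - drop
        - dmz
        - public
        - internal

    # Until sapt-labx-ctl01 is deployed
    # Temporary: re-opens SSH to every source in zone 'dmz' (Home LAN and VPN
    # networks above). Remove once the source-restricted task below is enabled.
    - name: Allow incoming connections to SSH port in zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        service: ssh
        permanent: true
        state: enabled

    # When sapt-labx-ctl01 is deployed
    # NOTE(review): firewalld `source` takes an address/CIDR, MAC or ipset;
    # if ansible_host is a DNS name for any host in 'control_infra' this
    # task would fail — verify before enabling it.
    # - name: Allow incoming connections from control machines to SSH port in zone 'public'
    #   ansible.posix.firewalld:
    #     zone: public
    #     source: "{{ hostvars[item].ansible_host }}"
    #     service: ssh
    #     permanent: true
    #     state: enabled
    #   loop: "{{ groups['control_infra'] }}"

# Only app servers of the matching environment (by internal_ipv4) may reach
# PostgreSQL, and only via the 'internal' zone.
- name: Firewall rules for DB servers
  when: hostname in groups['production'] or hostname in groups['staging']
  notify: Reload firewalld
  block:
    - name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: "{{ hostvars[item].internal_ipv4 }}"
        service: postgresql
        permanent: true
        state: enabled
      loop: "{{ groups['app_prod'] }}"
      when: hostname in groups['db_prod']

    - name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: "{{ hostvars[item].internal_ipv4 }}"
        service: postgresql
        permanent: true
        state: enabled
      loop: "{{ groups['app_stage'] }}"
      when: hostname in groups['db_stage']

# Zones 'drop' and 'dmz' are the zones the Guest/IoT and Home/VPN networks were
# assigned to above; no other zone is opened for the web services.
- name: Firewall rules for proxy servers
  # Fixed: `group` is not a magic variable (the inventory map is `groups`),
  # so this condition failed with an undefined variable before.
  when: hostname in groups['proxyservers']
  notify: Reload firewalld
  block:
    - name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

    - name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: https
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

    - name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http3
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

# Run the notified "Reload firewalld" handler now rather than at the end of
# the play, so the permanent rules above are active before later tasks.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers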