lab-ansible/roles/virt-common/tasks/firewall.yml

119 lines
3.1 KiB
YAML

# vim: ft=yaml.ansible
# code: language=ansible
---
- name: General firewall rules
notify: Reload firewalld
block:
- name: Move Guest LAN and and IoT LAN networks to zone 'drop'
ansible.posix.firewalld:
zone: drop
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.2.0/24
- 192.168.4.0/24
- name: Move Home LAN and VPN networks to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
source: "{{ item }}"
permanent: true
state: enabled
loop:
- 192.168.1.0/24
- 192.168.8.0/24
- name: Move Lab LAN network to zone 'public'
ansible.posix.firewalld:
zone: public
source: 192.168.17.0/24
permanent: true
state: enabled
- name: Move internal network to zone 'internal'
ansible.posix.firewalld:
zone: internal
source: 10.2.0.0/16
permanent: true
state: enabled
- name: Default deny incoming connections to SSH port in all zones
ansible.posix.firewalld:
zone: "{{ item }}"
service: ssh
permanent: true
state: disabled
loop:
- drop
- dmz
- public
- internal
# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld:
zone: dmz
service: ssh
permanent: true
state: enabled
# When sapt-labx-ctl01 is deployed
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
# ansible.posix.firewalld:
# zone: public
# source: "{{ hostvars[item].ansible_host }}"
# service: ssh
# permanent: true
# state: enabled
# loop: "{{ groups['control_infra'] }}"
- name: Firewall rules for database servers
when: hostname in groups['dbservers']
notify: Reload firewalld
block:
- name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal'
ansible.posix.firewalld:
zone: internal
source: "{{ internal_subnet }}"
service: postgresql
permanent: true
state: enabled
- name: Firewall rules for proxy servers
when: hostname in group['proxyservers']
notify: Reload firewalld
block:
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: http
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: https
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: http3
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Flush handlers
ansible.builtin.meta: flush_handlers