119 lines
3.1 KiB
YAML
119 lines
3.1 KiB
YAML
# vim: ft=yaml.ansible
|
|
# code: language=ansible
|
|
---
|
|
- name: General firewall rules
|
|
notify: Reload firewalld
|
|
block:
|
|
- name: Move Guest LAN and and IoT LAN networks to zone 'drop'
|
|
ansible.posix.firewalld:
|
|
zone: drop
|
|
source: "{{ item }}"
|
|
permanent: true
|
|
state: enabled
|
|
loop:
|
|
- 192.168.2.0/24
|
|
- 192.168.4.0/24
|
|
|
|
- name: Move Home LAN and VPN networks to zone 'dmz'
|
|
ansible.posix.firewalld:
|
|
zone: dmz
|
|
source: "{{ item }}"
|
|
permanent: true
|
|
state: enabled
|
|
loop:
|
|
- 192.168.1.0/24
|
|
- 192.168.8.0/24
|
|
|
|
- name: Move Lab LAN network to zone 'public'
|
|
ansible.posix.firewalld:
|
|
zone: public
|
|
source: 192.168.17.0/24
|
|
permanent: true
|
|
state: enabled
|
|
|
|
- name: Move internal network to zone 'internal'
|
|
ansible.posix.firewalld:
|
|
zone: internal
|
|
source: 10.2.0.0/16
|
|
permanent: true
|
|
state: enabled
|
|
|
|
- name: Default deny incoming connections to SSH port in all zones
|
|
ansible.posix.firewalld:
|
|
zone: "{{ item }}"
|
|
service: ssh
|
|
permanent: true
|
|
state: disabled
|
|
loop:
|
|
- drop
|
|
- dmz
|
|
- public
|
|
- internal
|
|
|
|
# Until sapt-labx-ctl01 is deployed
|
|
- name: Allow incoming connections to SSH port in zone 'dmz'
|
|
ansible.posix.firewalld:
|
|
zone: dmz
|
|
service: ssh
|
|
permanent: true
|
|
state: enabled
|
|
|
|
# When sapt-labx-ctl01 is deployed
|
|
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
|
|
# ansible.posix.firewalld:
|
|
# zone: public
|
|
# source: "{{ hostvars[item].ansible_host }}"
|
|
# service: ssh
|
|
# permanent: true
|
|
# state: enabled
|
|
# loop: "{{ groups['control_infra'] }}"
|
|
|
|
- name: Firewall rules for database servers
|
|
when: hostname in groups['dbservers']
|
|
notify: Reload firewalld
|
|
block:
|
|
- name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal'
|
|
ansible.posix.firewalld:
|
|
zone: internal
|
|
source: "{{ internal_subnet }}"
|
|
service: postgresql
|
|
permanent: true
|
|
state: enabled
|
|
|
|
- name: Firewall rules for proxy servers
|
|
when: hostname in group['proxyservers']
|
|
notify: Reload firewalld
|
|
block:
|
|
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
|
|
ansible.posix.firewalld:
|
|
zone: "{{ item }}"
|
|
service: http
|
|
permanent: true
|
|
state: enabled
|
|
loop:
|
|
- drop
|
|
- dmz
|
|
|
|
- name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
|
|
ansible.posix.firewalld:
|
|
zone: "{{ item }}"
|
|
service: https
|
|
permanent: true
|
|
state: enabled
|
|
loop:
|
|
- drop
|
|
- dmz
|
|
|
|
- name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
|
|
ansible.posix.firewalld:
|
|
zone: "{{ item }}"
|
|
service: http3
|
|
permanent: true
|
|
state: enabled
|
|
loop:
|
|
- drop
|
|
- dmz
|
|
|
|
- name: Flush handlers
|
|
ansible.builtin.meta: flush_handlers
|