exam-laptop/roles/ufw/tasks/main.yml

2024-05-08 16:45:42 +02:00
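---
# ufw role: install ufw, set deny/deny default policies, stage the few
# allow rules this host needs, and only then enable the firewall. The
# ordering matters: defaults and rules are written before `state: enabled`
# so the host is never enabled with an open default policy.

- name: Install ufw
  apt:
    name: ufw
    state: present

# Default policy is deny in both directions; every permitted flow below is
# an explicit exception to this.
- name: Configure ufw defaults
  ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: 'incoming', policy: 'deny' }
    - { direction: 'outgoing', policy: 'deny' }

# Disable IPv6 handling in ufw (/etc/default/ufw). This takes effect on the
# reload performed by the "Enable ufw" task further down.
- name: Disable IPv6 in ufw
  lineinfile:
    path: /etc/default/ufw
    state: present
    regexp: '^IPV6'
    line: 'IPV6=no'

# NOTE(review): the task name says "Enable" but the value turns logging off;
# confirm which is intended, since ufw logs are the local record of dropped
# traffic. The value must be a quoted string: an unquoted `off` is parsed as
# YAML boolean false, which the ufw module does not accept as a logging level.
- name: Enable ufw logging
  ufw:
    logging: 'off'

- name: Commenting a line.
  replace:
    path: /etc/ufw/before.rules
    # NOTE(review): '--limit*' matches '--limi' followed by zero or more 't';
    # '--limit.*' may have been intended — confirm against the file contents.
    regexp: '^(?!#)(.*limit --limit*)'
    replace: '#\1'

# Task name states tcp, so the rule is pinned to tcp; without `proto` ufw
# would open the port for udp as well. Drop `proto` only if udp is required.
- name: Allow all access to tcp port 3142
  ufw:
    rule: allow
    port: '3142'
    proto: tcp
    direction: "{{ item }}"
  loop:
    - in
    - out

# NOTE(review): `dest` filters on the packet's destination address. For the
# 'in' entries that means "traffic addressed to an IP in this range", not
# "traffic coming from this range"; if the intent is to restrict inbound
# ssh/dns/https to these source networks, the 'in' entries need `src`
# (from_ip) instead — confirm against the intended policy.
- name: set some allow rules
  ufw:
    rule: allow
    port: "{{ item.port }}"
    direction: "{{ item.direction }}"
    dest: "{{ item.destination }}"
  loop:
    - { port: '22', direction: 'in', destination: '10.0.0.0/24' }
    - { port: '22', direction: 'out', destination: '10.0.0.0/24' }
    - { port: '22', direction: 'in', destination: '10.16.0.0/12' }
    - { port: '22', direction: 'out', destination: '10.16.0.0/12' }
    - { port: '22', direction: 'in', destination: '162.55.5.40/32' }
    - { port: '22', direction: 'out', destination: '162.55.5.40/32' }
    - { port: '53', direction: 'in', destination: '10.16.0.0/12' }
    - { port: '53', direction: 'out', destination: '10.16.0.0/12' }
    - { port: '443', direction: 'in', destination: '10.16.0.0/12' }
    - { port: '443', direction: 'out', destination: '10.16.0.0/12' }
    - { port: '443', direction: 'in', destination: '162.55.5.40/32' }
    - { port: '443', direction: 'out', destination: '162.55.5.40/32' }

# Enable last, after defaults and rules are in place. `state: enabled`
# also reloads the ruleset, picking up the IPV6 change above.
- name: Enable ufw
  ufw:
    state: enabled

- name: start ufw service
  service:
    name: ufw
    state: restarted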