ufw ausgelagert

Jesko 2024-05-08 17:00:52 +02:00
parent 025d0bac35
commit de879d3058
2 changed files with 32 additions and 87 deletions


@ -2,17 +2,19 @@
- name: ensure safe environment for exams - name: ensure safe environment for exams
hosts: localhost hosts: localhost
vars: vars:
- config_ufw: true
- pruefungsuser: "pruefling" - pruefungsuser: "pruefling"
- pruefungsgruppe: "prueflinge" - pruefungsgruppe: "prueflinge"
- pruefungspasswort: "pruefung" - pruefungspasswort: "pruefung"
environment:
PATH: "/sbin:{{ ansible_env.PATH }}"
# to verify ufw configuration run: # to verify ufw configuration run:
# sudo ufw status verbose # sudo ufw status verbose
roles: roles:
- role: pruefungsuser - role: pruefungsuser
- role: libreoffice - role: libreoffice
- role: ufw
tasks: tasks:
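Review bot: The `ufw` role is now applied unconditionally, because the `config_ufw` variable removed from `vars` was the only switch guarding the firewall tasks; if this play is ever run where the firewall must not be touched, a conditional on the role entry keeps that option open (`- role: ufw` / `  when: config_ufw | default(true)`). Dropping the play-level `environment: PATH` override is presumably fine, since the ufw module locates its binary itself, but it is worth confirming on a fresh host with the `sudo ufw status verbose` the comment already suggests. Unrelated to this change but visible in the context: the exam account password is a plain literal in `vars` (`pruefungspasswort: "pruefung"`); consider an Ansible Vault variable or a prompt instead. The `tasks:` list that follows the roles is not shown here.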


@ -2,12 +2,12 @@
apt: package=ufw state=present apt: package=ufw state=present
- name: Configure ufw defaults - name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }} ufw:
with_items: direction: "{{ item.direction }}"
policy: "{{ item.policy }}"
loop:
- { direction: 'incoming', policy: 'deny' } - { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'deny' } - { direction: 'outgoing', policy: 'deny' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
# disable ipv6 # disable ipv6
- lineinfile: - lineinfile:
@ -17,99 +17,42 @@
line: 'IPV6=no' line: 'IPV6=no'
- name: Enable ufw logging - name: Enable ufw logging
ufw: logging=off ufw:
environment: logging: off
PATH: /sbin:{{ ansible_env.PATH }}
- name: Commenting a line. - name: Commenting a line.
replace: replace:
path: /etc/ufw/before.rules path: /etc/ufw/before.rules
regexp: '^(?!#)(.*limit --limit*)' regexp: '^(?!#)(.*limit --limit*)'
replace: '#\1' replace: '#\1'
when: config_ufw
- name: Allow all access to tcp port 123 - name: Allow all access to tcp port 3142
ufw: ufw:
rule: allow rule: allow
port: '3142' port: '3142'
direction: '{{ item }}' direction: '{{ item }}'
with_items: loop:
- in - in
- out - out
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow SSH-Access to some servers - name: set some allow rules
ufw: ufw:
rule: allow rule: allow
direction: '{{ item.direction }}' port: "{{ item.port }}"
dest: '{{ item.destination }}' direction: "{{ item.direction }}"
port: '22' dest: "{{ item.destination }}"
with_items: loop:
- { direction: 'in', destination: '10.0.0.1/32' } - { port: '22', direction: 'in', destination: '10.0.0.0/24' }
- { direction: 'out', destination: '10.0.0.1/32' } - { port: '22', direction: 'out', destination: '10.0.0.0/24' }
- { direction: 'in', destination: '10.0.2.254/32' } - { port: '22', direction: 'in', destination: '10.16.0.0/12' }
- { direction: 'out', destination: '10.0.2.243/32' } - { port: '22', direction: 'out', destination: '10.16.0.0/12' }
- { direction: 'in', destination: '10.16.109.252/32' } - { port: '22', direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '10.16.109.252/32' } - { port: '22', direction: 'out', destination: '162.55.5.40/32' }
- { direction: 'in', destination: '10.16.1.1/32' } - { port: '53', direction: 'in', destination: '10.16.0.0/12' }
- { direction: 'out', destination: '10.16.1.1/32' } - { port: '53', direction: 'out', destination: '10.16.0.0/12' }
- { direction: 'in', destination: '162.55.5.40/32' } - { port: '443', direction: 'in', destination: '10.16.0.0/12' }
- { direction: 'out', destination: '162.55.5.40/32' } - { port: '443', direction: 'out', destination: '10.16.0.0/12' }
when: config_ufw - { port: '443', direction: 'in', destination: '162.55.5.40/32' }
environment: - { port: '443', direction: 'out', destination: '162.55.5.40/32' }
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow https-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '443'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.109.252/32' }
- { direction: 'out', destination: '10.16.109.252/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
- { direction: 'in', destination: '162.55.5.40/32' }
- { direction: 'out', destination: '162.55.5.40/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow apt-proxy-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '3142'
with_items:
- { direction: 'in', destination: '10.0.2.254/32' }
- { direction: 'out', destination: '10.0.2.243/32' }
- { direction: 'in', destination: '10.16.1.3/32' }
- { direction: 'out', destination: '10.16.1.3/32' }
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow DNS-Access to some servers
ufw:
rule: allow
direction: '{{ item.direction }}'
dest: '{{ item.destination }}'
port: '53'
with_items:
- { direction: 'in', destination: '10.0.0.1/32' }
- { direction: 'out', destination: '10.0.0.1/32' }
- { direction: 'in', destination: '10.16.1.1/32' }
- { direction: 'out', destination: '10.16.1.1/32' }
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow dns
ufw: rule={{ item.rule }} port={{ item.port }}
with_items:
- { rule: 'allow', port: '53'}
when: config_ufw
environment:
PATH: /sbin:{{ ansible_env.PATH }}
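Review bot: `logging: off` in the converted "Enable ufw logging" task is read by Ansible's YAML 1.1 loader as the boolean `false`, not the string the ufw module's `logging` choices expect, whereas the old `logging=off` key=value form passed a string; quote it as `logging: 'off'`, and rename the task to `Disable ufw logging` (or use `logging: 'low'` if firewall logs are wanted on an exam machine). In the consolidated "set some allow rules" loop every `direction: 'in'` item filters on `dest`, which for inbound traffic is the local address rather than the peer: if the host has an address inside `10.16.0.0/12` that rule admits port 22/53/443 from any source, and if it does not, the rule never matches — the old per-host rules had the same shape, so this is carried over rather than introduced. Restricting inbound peers needs `from_ip`, e.g. `from_ip: "{{ item.src | default(omit) }}"` on the module call with `src:` in the `in` items. The role file may continue beyond the lines shown.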