ufw ausgelagert

2024-05-08 17:00:52 +02:00 · 2024-05-08 17:00:52 +02:00 · de879d3058
parent 025d0bac35
commit de879d3058
2 changed files with 32 additions and 87 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -2,17 +2,19 @@
 - name: ensure safe environment for exams
  hosts: localhost
  vars:
-    - config_ufw: true
    - pruefungsuser: "pruefling"
    - pruefungsgruppe: "prueflinge"
    - pruefungspasswort: "pruefung"
+  environment:
+    PATH: "/sbin:{{ ansible_env.PATH }}"
+

 # to verify ufw configuration run:
 # sudo ufw status verbose
  roles:
    - role: pruefungsuser
    - role: libreoffice
-
+    - role: ufw

  tasks:

--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@ -2,12 +2,12 @@
  apt: package=ufw state=present

 - name: Configure ufw defaults
-  ufw: direction={{ item.direction }} policy={{ item.policy }}
-  with_items:
+  ufw: 
+    direction: "{{ item.direction }}"
+    policy: "{{ item.policy }}"
+  loop:
    - { direction: 'incoming', policy: 'deny' }
    - { direction: 'outgoing', policy: 'deny' }
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}       

 # disable ipv6
 - lineinfile:
@ -17,99 +17,42 @@
    line: 'IPV6=no'

 - name: Enable ufw logging
-  ufw: logging=off
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }} 
+  ufw: 
+    logging: off

 - name: Commenting a line.
  replace:
    path: /etc/ufw/before.rules
    regexp: '^(?!#)(.*limit --limit*)'
    replace: '#\1'
-  when: config_ufw
- name: Allow all access to tcp port 123
+
+- name: Allow all access to tcp port 3142
  ufw:
    rule: allow
    port: '3142'
    direction: '{{ item }}'
-  with_items:
+  loop:
    - in
    - out
-  when: config_ufw
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}    

- name: Allow SSH-Access to some servers
+- name: set some allow rules
  ufw:
    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '22'
-  with_items:
-    - { direction: 'in',  destination: '10.0.0.1/32' }
-    - { direction: 'out', destination: '10.0.0.1/32' }
-    - { direction: 'in',  destination: '10.0.2.254/32' }
-    - { direction: 'out', destination: '10.0.2.243/32' }
-    - { direction: 'in',  destination: '10.16.109.252/32' }
-    - { direction: 'out', destination: '10.16.109.252/32' }
-    - { direction: 'in',  destination: '10.16.1.1/32' }
-    - { direction: 'out', destination: '10.16.1.1/32' }
-    - { direction: 'in',  destination: '162.55.5.40/32' }
-    - { direction: 'out', destination: '162.55.5.40/32' }
-  when: config_ufw
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow https-Access to some servers
-  ufw:
-    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '443'
-  with_items:
-    - { direction: 'in',  destination: '10.0.0.1/32' }
-    - { direction: 'out', destination: '10.0.0.1/32' }
-    - { direction: 'in',  destination: '10.0.2.254/32' }
-    - { direction: 'out', destination: '10.0.2.243/32' }
-    - { direction: 'in',  destination: '10.16.109.252/32' }
-    - { direction: 'out', destination: '10.16.109.252/32' }
-    - { direction: 'in',  destination: '10.16.1.1/32' }
-    - { direction: 'out', destination: '10.16.1.1/32' }
-    - { direction: 'in',  destination: '162.55.5.40/32' }
-    - { direction: 'out', destination: '162.55.5.40/32' }
-  when: config_ufw
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}      
- name: Allow apt-proxy-Access to some servers
-  ufw:
-    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '3142'
-  with_items:
-    - { direction: 'in',  destination: '10.0.2.254/32' }
-    - { direction: 'out', destination: '10.0.2.243/32' }
-    - { direction: 'in',  destination: '10.16.1.3/32' }
-    - { direction: 'out', destination: '10.16.1.3/32' }
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}    
- name: Allow DNS-Access to some servers
-  ufw:
-    rule: allow
-    direction: '{{ item.direction }}'
-    dest: '{{ item.destination }}'
-    port: '53'
-  with_items:
-    - { direction: 'in',  destination: '10.0.0.1/32' }
-    - { direction: 'out', destination: '10.0.0.1/32' }
-    - { direction: 'in',  destination: '10.16.1.1/32' }
-    - { direction: 'out', destination: '10.16.1.1/32' }
-  when: config_ufw
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}
- name: Allow dns
-  ufw: rule={{ item.rule }} port={{ item.port }}
-  with_items:
-    - { rule: 'allow', port: '53'}
-  when: config_ufw
-  environment:
-    PATH: /sbin:{{ ansible_env.PATH }}
+    port: "{{ item.port }}"
+    direction: "{{ item.direction }}"
+    dest: "{{ item.destination }}"
+  loop:
+    - { port: '22', direction: 'in', destination: '10.0.0.0/24' }
+    - { port: '22', direction: 'out', destination: '10.0.0.0/24' }
+    - { port: '22', direction: 'in', destination: '10.16.0.0/12' }
+    - { port: '22', direction: 'out', destination: '10.16.0.0/12' }
+    - { port: '22', direction: 'in', destination: '162.55.5.40/32' }
+    - { port: '22', direction: 'out', destination: '162.55.5.40/32' }
+    - { port: '53', direction: 'in', destination: '10.16.0.0/12' }
+    - { port: '53', direction: 'out', destination: '10.16.0.0/12' }
+    - { port: '443', direction: 'in', destination: '10.16.0.0/12' }
+    - { port: '443', direction: 'out', destination: '10.16.0.0/12' }
+    - { port: '443', direction: 'in', destination: '162.55.5.40/32' }
+    - { port: '443', direction: 'out', destination: '162.55.5.40/32' }
+
+