author | Milo Casagrande <milo.casagrande@linaro.org> | 2014-12-23 15:07:52 +0100 |
---|---|---|
committer | Milo Casagrande <milo.casagrande@linaro.org> | 2014-12-23 15:07:52 +0100 |
commit | 4c4a05f6f5cd8d8e07d7f38dd0d567f862c324ce (patch) | |
tree | fc1cb5b14443abf1004155146dea461929bcb53b /ansible/roles/firewall | |
parent | 365266db9afaba7add6d847016f2d7929ab16de1 (diff) |
ansible: Fix firewall role.
Change-Id: I3f68bb22351fca830a3b9a741033d8c3a773f39d
Diffstat (limited to 'ansible/roles/firewall')
-rw-r--r-- | ansible/roles/firewall/tasks/main.yml | 36 |
1 files changed, 23 insertions, 13 deletions
diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml
index 0c960e7..4ed9268 100644
--- a/ansible/roles/firewall/tasks/main.yml
+++ b/ansible/roles/firewall/tasks/main.yml
@@ -1,39 +1,53 @@
 ---
-- name: Install UFW package
+- name: Install ufw package
   apt: pkg=ufw state=latest update_cache=yes
   tags:
     - firewall
-- name: Allow traffic through port 53
+- name: Fix default config file
+  lineinfile: dest=/etc/default/ufw
+              backup=yes
+              regexp=^IPT_SYSCTL=
+              state=present
+              line=IPT_SYSCTL=/etc/sysctl.conf
+  tags:
+    - firewall
+
+- name: Enable logging
+  ufw: logging=low
+  tags:
+    - firewall
+
+- name: Allow dns traffic
   ufw: rule=allow port=53
   tags:
     - firewall
-- name: Allow SSH connections
+- name: Allow ssh connections
   ufw: rule=allow port=22 proto=tcp
   tags:
     - firewall
-- name: Rate limit SSH connections
+- name: Rate limit ssh connections
   ufw: rule=limit port=22 proto=tcp
   tags:
     - firewall
-- name: Accept connections on port 80
+- name: Accept web connections
   ufw: rule=allow port=80 proto=tcp
   tags:
     - firewall
-- name: Deny traffic and log it
+- name: Deny auth traffic and log it
   ufw: rule=reject port=auth log=yes
@@ -41,19 +55,15 @@
     - firewall
 - name: Accept Zabbix traffic
-  ufw: rule=accept
+  ufw: rule=allow
        direction=in from={{ zabbix_ip }} port=10050
-  tags:
-    - firewall
-
-- name: Enable logging
-  ufw: logging=low
+  when: role == "production"
   tags:
     - firewall
 - name: Enable ufw
-  ufw: sate=enabled
+  ufw: state=enabled
   tags:
     - firewall
|
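Review bot: In the first hunk the `Allow ssh connections` task (`ufw: rule=allow port=22 proto=tcp`) still runs before `Rate limit ssh connections` (`ufw: rule=limit port=22 proto=tcp`), and ufw evaluates rules first-match, so the unconditional allow shadows the limit rule and port 22 is never actually rate limited. Because `limit` already admits connections that stay under ufw's rate threshold, the allow task is redundant; I would drop it (or at minimum move the limit task ahead of it) so the limit rule is the one that matches. In the second hunk the Zabbix rule carries no `proto=`, so it opens 10050 for both TCP and UDP from `{{ zabbix_ip }}`; adding `proto=tcp` would match the other rules' style and narrow the exposure. The role also never states a default incoming policy; ufw denies incoming by default when enabled, but an explicit `ufw: direction=incoming policy=deny` task before the allow rules would make that intent visible rather than relying on the tool default.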