-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
the order of rules matters in ufw. We add the new defaults for ssh we create a template file that can allow users to place these rules and have predictable implementation Closes #5520
- Loading branch information
Showing
6 changed files
with
88 additions
and
54 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,26 @@ | ||
| --- | ||
| # defaults file for roles/ufw_firewall | ||
| ufw_firewall_rules: | ||
| - service: ssh | ||
| port: 22 | ||
| protocol: tcp | ||
| allowed_cidrs: | ||
| - 10.249.64.0/18 | ||
| - 10.249.0.0/18 | ||
| - 128.112.0.0/16 | ||
| - 172.20.95.0/24 | ||
| - 172.20.192.0/19 | ||
| # example of http in your group_vars/project | ||
| # - service: http | ||
| # port: 80 | ||
| # protocol: tcp | ||
| # allowed_cidrs: | ||
| # - 128.112.200.0/21 | ||
| # - 128.112.0.0/16 | ||
| rules: | ||
| - protocol: tcp | ||
| source: 10.249.64.0/18 | ||
| port: 22 | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 10.249.0.0/18 | ||
| port: 22 | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 128.112.0.0/16 | ||
| port: 22 | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 172.20.95.0/24 | ||
| port: 22 | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 172.20.192.0/19 | ||
| port: 22 | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 128.112.200.0/21 | ||
| port: 80 | ||
| action: ACCEPT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| --- | ||
| # handlers file for roles/ufw_firewall | ||
| - name: restart ufw | ||
| - name: Restart ufw | ||
| ansible.builtin.service: | ||
| name: ufw | ||
| state: restarted |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,22 @@ | ||
| --- | ||
| # tasks file for roles/ufw_firewall | ||
|
|
||
| - name: UFW | Install UFW | ||
| ansible.builtin.package: | ||
| name: ufw | ||
| state: present | ||
|
|
||
| - name: UFW | Enable UFW | ||
| community.general.ufw: | ||
| state: enabled | ||
| - name: UFW | Reload UFW to apply changes | ||
| ansible.builtin.command: ufw enable | ||
| changed_when: false | ||
|
|
||
| - name: UFW | generic rules | ||
| ansible.builtin.include_tasks: rules.yml | ||
| loop: "{{ ufw_firewall_rules }}" | ||
| loop_control: | ||
| loop_var: rule | ||
| - name: UFW | generic rules template | ||
| ansible.builtin.template: | ||
| src: user.rules.j2 | ||
| dest: "/etc/ufw/user.rules" | ||
| owner: root | ||
| group: root | ||
| mode: "0640" | ||
|
|
||
| - name: UFW | Deny all other incoming traffic | ||
| community.general.ufw: | ||
| rule: deny | ||
| direction: in | ||
| - name: UFW | Reload UFW to apply changes | ||
| ansible.builtin.command: ufw reload | ||
| changed_when: false |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # {{ ansible_managed | comment }} | ||
| *filter | ||
| :ufw-user-input - [0:0] | ||
| :ufw-user-output - [0:0] | ||
| :ufw-user-forward - [0:0] | ||
| :ufw-before-logging-input - [0:0] | ||
| :ufw-before-logging-output - [0:0] | ||
| :ufw-before-logging-forward - [0:0] | ||
| :ufw-user-logging-input - [0:0] | ||
| :ufw-user-logging-output - [0:0] | ||
| :ufw-user-logging-forward - [0:0] | ||
| :ufw-after-logging-input - [0:0] | ||
| :ufw-after-logging-output - [0:0] | ||
| :ufw-after-logging-forward - [0:0] | ||
| :ufw-logging-deny - [0:0] | ||
| :ufw-logging-allow - [0:0] | ||
| :ufw-user-limit - [0:0] | ||
| :ufw-user-limit-accept - [0:0] | ||
|
|
||
| ### RULES ### | ||
| {% for rule in rules %} | ||
| -A ufw-user-input -p {{ rule.protocol }} -s {{ rule.source }} --dport {{ rule.port }} -j {{ rule.action }} | ||
| {% endfor %} | ||
| -A ufw-user-input -j DROP | ||
|
|
||
| ### END RULES ### | ||
| ### LOGGING ### | ||
| -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 | ||
| -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 | ||
| -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 | ||
| -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 | ||
| -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 | ||
| ### END LOGGING ### | ||
|
|
||
| ### RATE LIMITING ### | ||
| -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] " | ||
| -A ufw-user-limit -j REJECT | ||
| -A ufw-user-limit-accept -j ACCEPT | ||
| ### END RATE LIMITING ### | ||
| COMMIT |