ansible-personal/roles/common/tasks/firewall_Debian.yml

---
# Debian 11+ will use nftables directly, with no firewalld.

- name: Install Debian firewall packages
  when: ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - libnet-ip-perl # for aggregate-cidr-addresses.pl
      - nftables
      - curl # for nftables update scripts
    state: present
    cache_valid_time: 3600

- name: Remove iptables on newer Debian
  when: ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.apt:
    pkg: iptables
    state: absent

- name: Configure nftables
  ansible.builtin.include_tasks: nftables.yml
  when: ansible_distribution_version is version('11', '>=')

- ansible.builtin.include_tasks: fail2ban.yml
  when:
    - ansible_distribution_major_version is version('9', '>=')

# vim: set sw=2 ts=2:
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-17 00:35:57 +03:00			`---`
Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00			`# Debian 11+ will use nftables directly, with no firewalld.`
roles/common: Add firewalld support Needed in Ubuntu 15.04 where iptables-persistent is going away. I have added translations of the current IPv4 and IPv6 iptables rules. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-07 12:42:03 +03:00
roles/common: simplify firewall tasks Apply firewall tag to included tasks, then we don't need to use a block. 2025-01-27 22:30:50 +03:00			`- name: Install Debian firewall packages`
			`when: ansible_distribution_major_version is version('11', '>=')`
			`ansible.builtin.package:`
			`name:`
			`- libnet-ip-perl # for aggregate-cidr-addresses.pl`
			`- nftables`
			`- curl # for nftables update scripts`
			`state: present`
			`cache_valid_time: 3600`
roles/common: Use blocks to tag children of dynamic tasks When using dynamic includes, child tasks do not inherit tags from their parents. You must tag the parent and each child task separately, or use a block to group children and then apply a tag to a block. See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html 2018-04-26 16:58:35 +03:00
roles/common: simplify firewall tasks Apply firewall tag to included tasks, then we don't need to use a block. 2025-01-27 22:30:50 +03:00			`- name: Remove iptables on newer Debian`
			`when: ansible_distribution_major_version is version('11', '>=')`
			`ansible.builtin.apt:`
			`pkg: iptables`
			`state: absent`
roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
roles/common: use common nftables task Use a common nftables task on Debian and Ubuntu. 2025-01-27 22:40:29 +03:00			`- name: Configure nftables`
			`ansible.builtin.include_tasks: nftables.yml`
roles/common: simplify firewall tasks Apply firewall tag to included tasks, then we don't need to use a block. 2025-01-27 22:30:50 +03:00			`when: ansible_distribution_version is version('11', '>=')`
roles/common: Start nftables service later We should only try to start the nftables service after we finish copying all the config files just in case there is some unclean state in one of them. On a first run this shouldn't matter, but after nftables and some abuse list update scripts have run this can happen (mostly in testing!). 2021-07-29 10:05:15 +03:00
roles/common: simplify firewall tasks Apply firewall tag to included tasks, then we don't need to use a block. 2025-01-27 22:30:50 +03:00			`- ansible.builtin.include_tasks: fail2ban.yml`
			`when:`
			`- ansible_distribution_major_version is version('9', '>=')`
roles/common: Add missing vim modelines 2018-04-25 18:55:22 +03:00
			`# vim: set sw=2 ts=2:`