roles/common: bring Ubuntu firewall changes to Debian 11

Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
This commit is contained in:
Alan Orth 2021-07-24 23:09:33 +03:00
parent d4ede33099
commit 38c333045b
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -14,7 +14,7 @@
apt: pkg={{ debian_firewall_packages }} state=present apt: pkg={{ debian_firewall_packages }} state=present
- name: Use iptables backend in firewalld - name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '>=') when: ansible_distribution_major_version is version('10', '==')
lineinfile: lineinfile:
dest: /etc/firewalld/firewalld.conf dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$' regexp: '^FirewallBackend=nftables$'
@ -26,7 +26,7 @@
# backend. Using individual calls seems to work around it. # backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls - name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '>=') when: ansible_distribution_major_version is version('10', '==')
lineinfile: lineinfile:
dest: /etc/firewalld/firewalld.conf dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$' regexp: '^IndividualCalls=no$'
@ -50,6 +50,31 @@
loop: loop:
- abusers-ipv4.xml - abusers-ipv4.xml
- abusers-ipv6.xml - abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus update script
when: ansible_distribution_version is version('9', '>=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus systemd units
when: ansible_distribution_version is version('9', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_systemd_units is changed
- name: Start and enable Spamhaus update timer
when: ansible_distribution_version is version('9', '>=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify: notify:
- restart firewalld - restart firewalld
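Review bot: The "Copy Spamhaus systemd units" and "Start and enable Spamhaus update timer" tasks are guarded only by `ansible_distribution_version is version('9', '>=')`, so on Debian 11 the timer is enabled and update-spamhaus-lists.sh runs on schedule even though the commit message says the spamhaus ipsets currently fail to load there with the nftables backend; a blocklist that quietly fails on a timer leaves the host looking covered when it is not. Either gate these tasks on the release/backend combination that is known to work, or mark the gap where the tasks are defined, e.g. `# NOTE: spamhaus ipsets currently fail to load on Debian 11 with the nftables backend (see commit message)`, and make sure a failing unit is visible rather than silent. The new tasks also test `ansible_distribution_version` while the tasks earlier in the file test `ansible_distribution_major_version`; one fact for every version guard would read more consistently. Separately, narrowing the two `lineinfile` guards in the first two hunks from `>=` to `==` means a host that received the iptables-backend and individual-calls edits while on Debian 10 keeps them after an upgrade to 11, since nothing now reverts them (the replacement `line:` values are outside the hunks, so the exact drift is inferred); a matching task that restores the intended Debian 11 setting would let the role converge. The enclosing task list continues past the end of this hunk.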