No commits in common. "df26b6c17e929bca05edb698fac343db230161a1" and "b13ead0657b1693a67f4175e247be10195508412" have entirely different histories.
df26b6c17e
...
b13ead0657
@ -1,5 +1,7 @@
|
|||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
|
|
||||||
define ABUSEIPDB_IPV6 = {
|
define ABUSEIPDB_IPV6 = {
|
||||||
fe80::bca2:37fa:fe58:414e
|
2400:6180:0:d1::4ce:d001,
|
||||||
|
2607:5300:60:232d::,
|
||||||
|
2607:f298:6:a066::1bf:e80e,
|
||||||
}
|
}
|
||||||
|
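Review bot: The three addresses added to `ABUSEIPDB_IPV6` on the new side are repeated verbatim as `<entry>` elements in the firewalld ipset `abusers-ipv6` in the next file section, so one blocklist is now hand-maintained in two formats with nothing tying them together, and each file is syntactically valid on its own so drift would not be caught. The entries also carry no provenance: the single address this hunk replaces, `fe80::bca2:37fa:fe58:414e`, is link-local and not routable from the internet, which suggests the list has not been validated against its source before. A header comment would at least make the coupling and the age of the data visible, e.g. `# Keep in sync with the firewalld ipset abusers-ipv6 (same addresses). Source: AbuseIPDB export, last reviewed [date placeholder].` If these files are meant to be produced by the nftables update timers started elsewhere in this compare, generating both from one list removes the duplication entirely; I cannot tell from this page whether they are generated or hand-edited.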
@ -3,4 +3,7 @@
|
|||||||
<option name="family" value="inet6" />
|
<option name="family" value="inet6" />
|
||||||
<short>abusers-ipv6</short>
|
<short>abusers-ipv6</short>
|
||||||
<description>A list of abusive IPv6 addresses.</description>
|
<description>A list of abusive IPv6 addresses.</description>
|
||||||
|
<entry>2400:6180:0:d1::4ce:d001</entry>
|
||||||
|
<entry>2607:5300:60:232d::</entry>
|
||||||
|
<entry>2607:f298:6:a066::1bf:e80e</entry>
|
||||||
</ipset>
|
</ipset>
|
||||||
|
@ -10,14 +10,11 @@
|
|||||||
- name: restart firewalld
|
- name: restart firewalld
|
||||||
systemd: name=firewalld state=restarted
|
systemd: name=firewalld state=restarted
|
||||||
|
|
||||||
|
- name: restart fail2ban
|
||||||
|
systemd: name=fail2ban state=restarted
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd: daemon_reload=yes
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: restart nftables
|
- name: restart nftables
|
||||||
systemd: name=nftables state=restarted
|
systemd: name=nftables state=restarted
|
||||||
|
|
||||||
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
|
|
||||||
# in the order they are defined, not in the order they are listed in the task's
|
|
||||||
# notify statement and we must restart fail2ban after updating the firewall.
|
|
||||||
- name: restart fail2ban
|
|
||||||
systemd: name=fail2ban state=restarted
|
|
||||||
|
@ -34,7 +34,6 @@
|
|||||||
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Create /etc/nftables extra config directory
|
- name: Create /etc/nftables extra config directory
|
||||||
when: ansible_distribution_major_version is version('11', '>=')
|
when: ansible_distribution_major_version is version('11', '>=')
|
||||||
@ -51,7 +50,6 @@
|
|||||||
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Use iptables backend in firewalld
|
- name: Use iptables backend in firewalld
|
||||||
when: ansible_distribution_major_version is version('10', '==')
|
when: ansible_distribution_major_version is version('10', '==')
|
||||||
@ -61,7 +59,6 @@
|
|||||||
line: 'FirewallBackend=iptables'
|
line: 'FirewallBackend=iptables'
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
|
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
|
||||||
# backend. Using individual calls seems to work around it.
|
# backend. Using individual calls seems to work around it.
|
||||||
@ -74,7 +71,6 @@
|
|||||||
line: 'IndividualCalls=yes'
|
line: 'IndividualCalls=yes'
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy firewalld public zone file
|
- name: Copy firewalld public zone file
|
||||||
when: ansible_distribution_major_version is version('10', '<=')
|
when: ansible_distribution_major_version is version('10', '<=')
|
||||||
@ -85,7 +81,6 @@
|
|||||||
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy firewalld ipsets of abusive IPs
|
- name: Copy firewalld ipsets of abusive IPs
|
||||||
when: ansible_distribution_major_version is version('10', '<=')
|
when: ansible_distribution_major_version is version('10', '<=')
|
||||||
@ -97,7 +92,6 @@
|
|||||||
- spamhaus-ipv6.xml
|
- spamhaus-ipv6.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy Spamhaus firewalld update script
|
- name: Copy Spamhaus firewalld update script
|
||||||
when: ansible_distribution_version is version('10', '<=')
|
when: ansible_distribution_version is version('10', '<=')
|
||||||
@ -140,7 +134,6 @@
|
|||||||
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Start and enable nftables update timers
|
- name: Start and enable nftables update timers
|
||||||
when: ansible_distribution_version is version('11', '>=')
|
when: ansible_distribution_version is version('11', '>=')
|
||||||
|
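Review bot: On the new side the `restart fail2ban` handler (second in the handlers hunk `@ -10,14 +10,11 @@`, whose enclosing `handlers:` list starts above the hunk) is no longer named by any `notify:` in this file — the hunks at `@ -34`, `@ -51`, `@ -61`, `@ -74`, `@ -85`, `@ -97` and `@ -140` each end their notify list at `restart nftables` or `restart firewalld` — and the same applies to every hunk of the following task file (`@ -35` through `@ -118`), so a firewall restart triggered by this role no longer restarts fail2ban. Whether that matters depends on `nftables.conf.j2`, which is not on this page: if the template flushes the ruleset on load (as `nft -f` scripts commonly do), fail2ban's own chains and every active ban are dropped and stay gone until fail2ban is restarted, which is exactly the constraint the removed old-side comment records ("we must restart fail2ban after updating the firewall"). That comment also explains a second problem with the new layout: Ansible runs handlers in definition order, not notify order, so with `restart fail2ban` defined before `restart nftables` it would run first even if it were notified again. If dropping the restart is intentional because fail2ban re-applies its rules some other way, say so in a comment at the handler; otherwise re-add `- restart fail2ban` as the last item of each of those notify lists and move the two handler lines (`- name: restart fail2ban` / `systemd: name=fail2ban state=restarted`) below `restart nftables`, restoring the ordering comment.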
@ -35,7 +35,6 @@
|
|||||||
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Create /etc/nftables extra config directory
|
- name: Create /etc/nftables extra config directory
|
||||||
when: ansible_distribution_version is version('20.04', '>=')
|
when: ansible_distribution_version is version('20.04', '>=')
|
||||||
@ -52,7 +51,6 @@
|
|||||||
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy firewalld public zone file
|
- name: Copy firewalld public zone file
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -63,7 +61,6 @@
|
|||||||
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy firewalld ipsets of abusive IPs
|
- name: Copy firewalld ipsets of abusive IPs
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -75,7 +72,6 @@
|
|||||||
- spamhaus-ipv6.xml
|
- spamhaus-ipv6.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Copy Spamhaus firewalld update script
|
- name: Copy Spamhaus firewalld update script
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -118,7 +114,6 @@
|
|||||||
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
- restart fail2ban
|
|
||||||
|
|
||||||
- name: Start and enable nftables update timers
|
- name: Start and enable nftables update timers
|
||||||
when: ansible_distribution_version is version('20.04', '>=')
|
when: ansible_distribution_version is version('20.04', '>=')
|
||||||
|