ansible-personal/roles/common/tasks/firewall_Debian.yml
Alan Orth a67d901641
roles/common: Use AbuseIPDB.com list in nftables
For now I am still manually updating this, as we can only hit their
API five times per day, so it is not possible to have each host get
the list themselves every day with our one API key.
2021-07-31 21:46:50 +03:00

149 lines
5.3 KiB
YAML

---
# Debian 11 will use nftables directly, with no firewalld.
- block:
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=')
set_fact:
debian_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
set_fact:
debian_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
- name: Install firewall packages
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- reload nftables
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
loop:
- spamhaus-ipv4.nft
- spamhaus-ipv6.nft
- abusech-ipv4.nft
- abuseipdb-ipv4.nft
- abuseipdb-ipv6.nft
notify:
- reload nftables
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2: