Alan Orth
d7c34a30a3
This configures the recommended DROP, EDROP, and DROPv6 lists from Spamhaus as ipsets in firewalld. First we copy an empty placeholder ipset to seed firewalld, then we use a shell script to download the real lists and activate them. The same shell script is run daily as a service (update-spamhaus-lists.service) by a systemd timer. I am strictly avoiding any direct ipset commands here because I want to make sure that this works on older hosts where ipsets is used as well as newer hosts that have moved to nftables such as Ubuntu 20.04. So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but eventually I need to abstract the tasks and run them on CentOS 7+ as well. See: https://www.spamhaus.org/drop/
---
- block:
- name: Set Ubuntu firewall packages
set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Install firewalld and deps
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg={{ ubuntu_firewall_packages }} state=present
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent
# I'm not sure why, but you can use firewalld with the nftables backend even
# if nftables itself is not installed. In that case the only way to see the
# currently active rules is with firewall-cmd. I prefer installing nftables
# so that we can have somewhat of a parallel with iptables:
#
# nft list ruleset
#
# See: https://firewalld.org/2018/07/nftables-backend
- name: Install nftables
when: ansible_distribution_version is version('20.04', '==')
apt: pkg=nftables state=present
- name: Use nftables backend in firewalld
when: ansible_distribution_version is version('20.04', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=iptables$'
line: 'FirewallBackend=nftables'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('16.04', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('16.04', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_version is version('16.04', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus update script
when: ansible_distribution_version is version('16.04', '>=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus systemd units
when: ansible_distribution_version is version('16.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_systemd_units is changed
- name: Start and enable Spamhaus update timer
when: ansible_distribution_version is version('16.04', '>=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2:
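Review bot: The "Use nftables backend in firewalld" task is not idempotent as written: `regexp: '^FirewallBackend=iptables$'` matches only the pre-change state, and Ansible's lineinfile docs say the regexp should match both the initial line and its replacement, otherwise a second run finds no match and appends `FirewallBackend=nftables` at end of file, leaving two conflicting directives. Matching the key instead of the value fixes it: `regexp: '^FirewallBackend='` with `line: 'FirewallBackend=nftables'`. The `version('20.04', '==')` guard on that task and on "Install nftables" also pins this to exactly one release, so a later Ubuntu would silently get neither the nftables package nor the backend switch; `'>='` is presumably the intent, but that is worth confirming against the note in the commit message about testing. Separately, the `notify: - restart firewalld` that follows the blank line under "Start and enable Spamhaus update timer" reads as orphaned in this rendering — if it does belong to the timer task it is redundant, since the ipset copy task already notifies the handler, and starting a timer does not change firewalld state.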