ansible-personal/roles/common/tasks/firewall_Ubuntu.yml
2020-07-27 14:23:58 +03:00

65 lines
2.1 KiB
YAML

---
- block:
- name: Set Ubuntu firewall packages
set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Install firewalld and deps
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg={{ ubuntu_firewall_packages }} state=present
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent
# I'm not sure why, but you can use firewalld with the nftables backend even
# if nftables itself is not installed. In that case the only way to see the
# currently active rules is with firewall-cmd. I prefer installing nftables
# so that we can have somewhat of a parallel with iptables:
#
# nft list ruleset
#
# See: https://firewalld.org/2018/07/nftables-backend
- name: Install nftables
when: ansible_distribution_version is version('20.04', '==')
apt: pkg=nftables state=present
- name: Use nftables backend in firewalld
when: ansible_distribution_version is version('20.04', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=iptables$'
line: 'FirewallBackend=nftables'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('16.04', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('16.04', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_version is version('16.04', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2: