Alan Orth
2631f76c6d
For some reason the nftables set support in firewalld doesn't seem to be working. I see that sets (aka ipsets in nftables lingo) are created, but they are empty. For now I will just leave these tasks as they are to revert the behavior on current hosts (should do no change on new installed, as the regexp won't match).
61 lines
2.0 KiB
YAML
61 lines
2.0 KiB
YAML
---
|
|
|
|
- block:
|
|
- name: Set Debian firewall packages
|
|
set_fact:
|
|
debian_firewall_packages:
|
|
- firewalld
|
|
- tidy
|
|
- fail2ban
|
|
- python3-systemd # for fail2ban systemd backend
|
|
|
|
- name: Install firewalld and deps
|
|
when: ansible_distribution_major_version is version_compare('9', '>=')
|
|
apt: pkg={{ debian_firewall_packages }} state=present
|
|
|
|
- name: Use iptables backend in firewalld
|
|
when: ansible_distribution_major_version is version_compare('10', '>=')
|
|
lineinfile:
|
|
dest: /etc/firewalld/firewalld.conf
|
|
regexp: '^FirewallBackend=nftables$'
|
|
line: 'FirewallBackend=iptables'
|
|
notify:
|
|
- restart firewalld
|
|
|
|
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
|
|
# backend. Using individual calls seems to work around it.
|
|
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
|
|
- name: Use individual iptables calls
|
|
when: ansible_distribution_major_version is version_compare('10', '>=')
|
|
lineinfile:
|
|
dest: /etc/firewalld/firewalld.conf
|
|
regexp: '^IndividualCalls=yes$'
|
|
line: 'IndividualCalls=no'
|
|
notify:
|
|
- restart firewalld
|
|
|
|
- name: Copy firewalld public zone file
|
|
when: ansible_distribution_major_version is version_compare('9', '>=')
|
|
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
|
|
|
|
- name: Format public.xml firewalld zone file
|
|
when: ansible_distribution_major_version is version_compare('9', '>=')
|
|
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
|
notify:
|
|
- restart firewalld
|
|
|
|
- name: Copy ipsets of abusive IPs
|
|
when: ansible_distribution_major_version is version_compare('9', '>=')
|
|
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
|
|
loop:
|
|
- abusers-ipv4.xml
|
|
- abusers-ipv6.xml
|
|
notify:
|
|
- restart firewalld
|
|
|
|
- include_tasks: fail2ban.yml
|
|
when: ansible_distribution_major_version is version_compare('9', '>=')
|
|
tags: firewall
|
|
|
|
# vim: set sw=2 ts=2:
|