firewall: add role to configure ufw firewall

Signed-off-by: Luís Ferreira <[email protected]>
ipleiria-labrob · Nov 3, 2020 · 0c935a8 · 0c935a8
1 parent 3aea027
commit 0c935a8
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 0 deletions.
diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+firewall_forward_packets: false
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Install 'ufw'
+  pacman: name=ufw state=present
+
+- name: Install 'ufw-extras'
+  pacman: name=ufw-extras state=present
+
+- name: Allow ssh connections
+  ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: add sysctl configuration
+  template:
+    dest: /etc/ufw/sysctl.conf
+    src: sysctl.conf.j2
+
+- name: Enable UFW
+  ufw:
+    state: enabled
+
+- name: Set deny default policy
+  ufw:
+    policy: deny
+
+- name: Set allow default policy for forwarding
+  lineinfile:
+    path: /etc/default/ufw
+    regexp: '^DEFAULT_FORWARD_POLICY='
+    line: DEFAULT_FORWARD_POLICY="ACCEPT"
+  when: firewall_forward_packets == true
+
+- name: Set logging
+  ufw:
+    logging: 'on'
+
+- name: enable and start ufw service
+  systemd:
+    name: ufw
+    state: restarted
+    enabled: yes
diff --git a/roles/firewall/templates/sysctl.conf.j2 b/roles/firewall/templates/sysctl.conf.j2
@@ -0,0 +1,58 @@
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
+# adjust IPT_SYSCTL in /etc/default/ufw.
+#
+
+{% if firewall_forward_packets %}
+net/ipv4/ip_forward=1
+net/ipv6/conf/default/forwarding=1
+net/ipv6/conf/all/forwarding=1
+{% endif %}
+
+# Turn on Source Address Verification in all interfaces to prevent some
+# spoofing attacks
+net/ipv4/conf/default/rp_filter=1
+net/ipv4/conf/all/rp_filter=1
+
+# Do not accept IP source route packets (we are not a router)
+net/ipv4/conf/default/accept_source_route=0
+net/ipv4/conf/all/accept_source_route=0
+net/ipv6/conf/default/accept_source_route=0
+net/ipv6/conf/all/accept_source_route=0
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/default/accept_redirects=0
+net/ipv4/conf/all/accept_redirects=0
+net/ipv6/conf/default/accept_redirects=0
+net/ipv6/conf/all/accept_redirects=0
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts=1
+net/ipv4/icmp_ignore_bogus_error_responses=1
+net/ipv4/icmp_echo_ignore_all=0
+
+# Don't log Martian Packets (impossible packets)
+net/ipv4/conf/default/log_martians=0
+net/ipv4/conf/all/log_martians=0
+
+# Change to '0' to disable TCP/IP SYN cookies. A value of '1' disables TCP
+# Window Scaling (http://lkml.org/lkml/2008/2/5/167).
+#net/ipv4/tcp_syncookies=1
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
+# earlier pf firewall, should set this to 0
+net/ipv4/tcp_sack=1
+
+# Uncomment this to turn off ipv6 autoconfiguration
+#net/ipv6/conf/default/autoconf=0
+#net/ipv6/conf/all/autoconf=0
+
+# Uncomment this to enable ipv6 privacy addressing
+#net/ipv6/conf/default/use_tempaddr=2
+#net/ipv6/conf/all/use_tempaddr=2