From 0c935a85452b57441e9fcc099093901fa9fe953a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?=
Date: Tue, 3 Nov 2020 14:38:14 +0000
Subject: [PATCH] firewall: add role to configure ufw firewall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Luís Ferreira
---
 roles/firewall/defaults/main.yml | 3 ++
 roles/firewall/tasks/main.yml | 43 ++++++++++++++++++
 roles/firewall/templates/sysctl.conf.j2 | 58 +++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 roles/firewall/defaults/main.yml
 create mode 100644 roles/firewall/tasks/main.yml
 create mode 100644 roles/firewall/templates/sysctl.conf.j2

diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
new file mode 100644
index 0000000..429b634
--- /dev/null
+++ b/roles/firewall/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+firewall_forward_packets: false
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..e5b95cf
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Install 'ufw'
+  pacman: name=ufw state=present
+
+- name: Install 'ufw-extras'
+  pacman: name=ufw-extras state=present
+
+- name: Allow ssh connections
+  ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: add sysctl configuration
+  template:
+    dest: /etc/ufw/sysctl.conf
+    src: sysctl.conf.j2
+
+- name: Enable UFW
+  ufw:
+    state: enabled
+
+- name: Set deny default policy
+  ufw:
+    policy: deny
+
+- name: Set allow default policy for forwarding
+  lineinfile:
+    path: /etc/default/ufw
+    regexp: '^DEFAULT_FORWARD_POLICY='
+    line: DEFAULT_FORWARD_POLICY="ACCEPT"
+  when: firewall_forward_packets == true
+
+- name: Set logging
+  ufw:
+    logging: 'on'
+
+- name: enable and start ufw service
+  systemd:
+    name: ufw
+    state: restarted
+    enabled: yes
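Review bot: The 'Set allow default policy for forwarding' task only ever writes `DEFAULT_FORWARD_POLICY="ACCEPT"`, and only while `firewall_forward_packets` is true, so a host that once had forwarding enabled keeps accepting forwarded traffic after the variable is flipped back to false; the `{% if %}` block in roles/firewall/templates/sysctl.conf.j2 has the same one-way shape. Dropping the `when:` and rendering the value, `line: DEFAULT_FORWARD_POLICY="{{ 'ACCEPT' if firewall_forward_packets else 'DROP' }}"`, makes the task converge in both directions (and an `{% else %}` branch emitting `=0` does the same for the template). Smaller points: `when: firewall_forward_packets == true` reads better as `when: firewall_forward_packets`, `enabled: yes` on the last task should be `enabled: true`, and the `pacman: name=ufw state=present` lines would follow Ansible convention as block-style `name:`/`state:` keys. The closing `state: restarted` also fires on every run and reports changed each time; a handler notified by the template and lineinfile tasks, with `state: started` here, keeps the role idempotent.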
diff --git a/roles/firewall/templates/sysctl.conf.j2 b/roles/firewall/templates/sysctl.conf.j2
new file mode 100644
index 0000000..c39899c
--- /dev/null
+++ b/roles/firewall/templates/sysctl.conf.j2
@@ -0,0 +1,58 @@
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
+# adjust IPT_SYSCTL in /etc/default/ufw.
+#
+
+{% if firewall_forward_packets %}
+net/ipv4/ip_forward=1
+net/ipv6/conf/default/forwarding=1
+net/ipv6/conf/all/forwarding=1
+{% endif %}
+
+# Turn on Source Address Verification in all interfaces to prevent some
+# spoofing attacks
+net/ipv4/conf/default/rp_filter=1
+net/ipv4/conf/all/rp_filter=1
+
+# Do not accept IP source route packets (we are not a router)
+net/ipv4/conf/default/accept_source_route=0
+net/ipv4/conf/all/accept_source_route=0
+net/ipv6/conf/default/accept_source_route=0
+net/ipv6/conf/all/accept_source_route=0
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/default/accept_redirects=0
+net/ipv4/conf/all/accept_redirects=0
+net/ipv6/conf/default/accept_redirects=0
+net/ipv6/conf/all/accept_redirects=0
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts=1
+net/ipv4/icmp_ignore_bogus_error_responses=1
+net/ipv4/icmp_echo_ignore_all=0
+
+# Don't log Martian Packets (impossible packets)
+net/ipv4/conf/default/log_martians=0
+net/ipv4/conf/all/log_martians=0
+
+# Change to '0' to disable TCP/IP SYN cookies. A value of '1' disables TCP
+# Window Scaling (http://lkml.org/lkml/2008/2/5/167).
+#net/ipv4/tcp_syncookies=1
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
+# earlier pf firewall, should set this to 0
+net/ipv4/tcp_sack=1
+
+# Uncomment this to turn off ipv6 autoconfiguration
+#net/ipv6/conf/default/autoconf=0
+#net/ipv6/conf/all/autoconf=0
+
+# Uncomment this to enable ipv6 privacy addressing
+#net/ipv6/conf/default/use_tempaddr=2
+#net/ipv6/conf/all/use_tempaddr=2
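Review bot: `log_martians=0` in the 'Don't log Martian Packets' stanza discards the only trace of the packets that `rp_filter=1` (two stanzas above) silently drops, so a spoofed-source burst at this host leaves nothing in the kernel log to investigate; for a role whose purpose is hardening, `net/ipv4/conf/default/log_martians=1` and `net/ipv4/conf/all/log_martians=1`, or a comment stating why logging stays off, would be the better choice. Related: strict `rp_filter=1` can drop legitimate asymmetric traffic once `firewall_forward_packets` turns this host into a router, so the forwarding branch may want the loose setting (`=2`) or at least a comment noting the trade-off. The header comment should also say the file is generated, e.g. `# Managed by Ansible (roles/firewall/templates/sysctl.conf.j2) - local edits are overwritten`, since the template task in roles/firewall/tasks/main.yml rewrites it on every run.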