From 9887997d6acdef939faa3dcecfd518c6e52d5152 Mon Sep 17 00:00:00 2001
From: VC
Date: Tue, 1 Apr 2025 15:50:01 +0200
Subject: [PATCH] pending changes

---
 inventory/static.yml | 1 +
 playbooks/global_smtprelay.yml | 1 -
 playbooks/site.yml | 2 ++
 playbooks/ufw.yml | 6 ++++
 roles/firewall/templates/firewall.j2 | 47 ++++++++++++++++++++++++++++
 roles/ufw/tasks/main.yml | 5 +++
 6 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/ufw.yml

diff --git a/inventory/static.yml b/inventory/static.yml
index 1faf0b1..fea06a9 100644
--- a/inventory/static.yml
+++ b/inventory/static.yml
@@ -25,6 +25,7 @@ physicalservers:
 hosts:
 frederica:
 serenor:
+ ks3370405:
 webservers:
 hosts:
diff --git a/playbooks/global_smtprelay.yml b/playbooks/global_smtprelay.yml
index 9a3af34..908e5af 100644
--- a/playbooks/global_smtprelay.yml
+++ b/playbooks/global_smtprelay.yml
@@ -3,5 +3,4 @@
 - name: Install & configure the global SMTP relay
 hosts: ks3370405
 roles:
- - ufw
 - global_smtp_relay
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 3f6693c..6829e2b 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -20,6 +20,8 @@
 import_playbook: mail.yml
 - name: Run global_smtprelay playbook
 import_playbook: global_smtprelay.yml
+- name: Run ufw plabook
+ import_playbook: ufw.yml
 - name: Run xmpp playbook
 import_playbook: xmpp.yml
 - name: Run webservers playbook
diff --git a/playbooks/ufw.yml b/playbooks/ufw.yml
new file mode 100644
index 0000000..e31b48b
--- /dev/null
+++ b/playbooks/ufw.yml
@@ -0,0 +1,6 @@
+---
+- name: Install & configure UFW
+ hosts: ks3370405
+ roles:
+ - ufw
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index 850e1a0..b2bc3f7 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
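Review bot: Importing ufw.yml after global_smtprelay.yml reverses the order the commit removes from global_smtprelay.yml, where the `ufw` role ran before `global_smtp_relay` inside the same play, so on a fresh run of site.yml the relay is installed and listening on ks3370405 before UFW has been configured. If the firewall is meant to gate the relay, place the new import above `- name: Run global_smtprelay playbook`. The new play name also carries a typo; it should read `- name: Run ufw playbook`.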
@@ -350,6 +350,53 @@ config redirect
 option dest_port '64738'
 option target 'DNAT'
+# Allow DNS traffic
+config rule
+ option name 'Allow-INPUT-DNS'
+ option src 'wan'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+ option dest_port '53'
+ option target 'ACCEPT'
+ option family 'ipv6'
+
+config redirect
+ option name 'Allow-INPUT-DNS'
+ option src 'wan'
+ option src_dport '53'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+ option dest_port '53'
+ option target 'DNAT'
+
+config rule
+ option name 'Allow-OUTPUT-DNS'
+ option src 'dmz'
+ option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest 'wan'
+ option dest_port '53'
+ option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-OUTPUT-DNS'
+ option src 'dmz'
+ option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest 'wan'
+ option dest_port '53'
+ option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
+ option target 'ACCEPT'
+ option family 'ipv6'
+
 # Allow mail traffic
 config rule
 option name 'Allow-OUTPUT-SMTP'
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
index a3bb8f2..fd8f6db 100644
--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@@ -34,6 +34,11 @@
 src: "{{ item }}"
 loop: "{{ ufw_allowed_smtp_ips }}"
+- name: Allow incoming DNS
+ community.general.ufw:
+ rule: allow
+ port: domain
+
 - name: Set logging
 community.general.ufw:
 logging: "on"
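Review bot: Both 'Allow-INPUT-DNS' entries accept port 53 from the entire `wan` zone — neither the IPv6 rule nor the IPv4 `config redirect` carries an `option src_ip` — so dns1 becomes reachable from any Internet address, while the two OUTPUT rules in the same hunk are pinned to ks3370405. If dns1 only needs to exchange DNS with ks3370405, whose addresses this template already reads through `hostvars['ks3370405']`, add `option src_ip` with those same expressions to both INPUT entries; otherwise confirm that dns1 refuses recursion for WAN clients, since an open recursive resolver is a reflection and amplification risk. Separately, `ansible_default_ipv4.address` and `ansible_default_ipv6.address` are gathered facts, so this template presumably renders only when facts for ks3370405 were collected earlier in the same run or come from a fact cache, and `ansible_default_ipv6` is typically absent on a host without an IPv6 default route — consider guarding the v6 rule with a `{% if %}` on that fact. Reusing 'Allow-INPUT-DNS' for both a rule and a redirect and 'Allow-OUTPUT-DNS' for both families makes the firewall's rule listing ambiguous; a `-v4`/`-v6` suffix on each `option name` would keep them distinguishable.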
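Review bot: The new `Allow incoming DNS` task opens port 53 to every source (and to both tcp and udp, since no `proto` is given), whereas the SMTP task directly above it restricts `src` to each entry of `ufw_allowed_smtp_ips`. If the only expected DNS peer is the firewall in front of dns1, mirror that pattern with `src: "{{ item }}"` and `loop: "{{ ufw_allowed_dns_ips }}"` (variable name constructed for illustration) so the allowed sources live in inventory rather than in the task. If ks3370405 is intentionally a public DNS server, a one-line comment above the task saying so would tell the next reader the unrestricted rule is deliberate.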