| author | 2024-04-29 19:41:08 +0200 |
|---|---|
| committer | 2024-04-29 19:51:49 +0200 |
| commit | cd39357d718a483a25de6048397608459d0c32fe |
| tree | 31514be60f46d0fc016700ee85653abbda6636f8 /ansible/roles |
| parent | Updated postgres config from PGTune |
Use nftables for firewalling
nftables is the modern replacement for iptables, which ufw uses under
the hood. It allows us to specify firewall rules in a simple text file
(with as much or as little abstraction as we want) and is quick to
update and read. The text-file format allows more liberty with
commenting compared to UFW. The existing `ufw` role has been converted
to simply remove UFW. This has already been deployed on lovelace.
Diffstat (limited to 'ansible/roles')

| mode | file | lines |
|---|---|---|
| m--------- | ansible/roles/nftables | 0 |
| -rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 44 |
| -rw-r--r-- | ansible/roles/ufw/vars/main.yml | 6 |

3 files changed, 12 insertions, 38 deletions
diff --git a/ansible/roles/nftables b/ansible/roles/nftables new file mode 160000 +Subproject 8fbc92fa7effee6e7ce9e04b5a15b1af12b93f8 diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml index 89e25d9..e44d173 100644 --- a/ansible/roles/ufw/tasks/main.yml +++ b/ansible/roles/ufw/tasks/main.yml @@ -1,37 +1,17 @@ -- name: Install UFW - apt: - update_cache: true - cache_valid_time: 3600 - pkg: - - ufw - tags: - - role::ufw - -- name: Allow OpenSSH - community.general.ufw: - rule: allow - name: OpenSSH - tags: - - role::ufw - -- name: Enable UFW and deny all traffic by default +- name: Disable UFW # noqa community.general.ufw: - state: enabled - policy: deny + state: disabled tags: - role::ufw + ignore_errors: true # subsequent deploys -- name: Allow WireGuard - community.general.ufw: - rule: allow - proto: udp - port: "{{ wireguard_port }}" - comment: "Allow WireGuard" - tags: - - role::ufw +- name: Uninstall UFW + apt: + name: ufw + state: absent + purge: true -- name: Apply service-specific rules - community.general.ufw: "{{ item }}" - with_items: "{{ ufw_rules }}" - tags: - - role::ufw +- name: Purge UFW files + file: + path: /etc/ufw + state: absent diff --git a/ansible/roles/ufw/vars/main.yml b/ansible/roles/ufw/vars/main.yml deleted file mode 100644 index 3c342ec..0000000 --- a/ansible/roles/ufw/vars/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -ufw_rules: - - comment: Allow internal traffic - interface: wg0 - direction: in - rule: allow - from_ip: 10.0.0.0/8 |
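Review bot: the nftables role arrives only as a submodule pointer (`+Subproject 8fbc92fa7effee6e7ce9e04b5a15b1af12b93f8`), and because this view is limited to 'ansible/roles' the matching `.gitmodules` entry and the submodule's actual ruleset are not visible; confirm the `.gitmodules` URL is committed with this pin, since without it `ansible/roles/nftables` is an empty directory on a fresh checkout and a play would run with no firewall role at all.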
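Review bot: the rewritten `ufw` role now tears UFW down (Disable, Uninstall, Purge) with nothing in this hunk ensuring an nftables ruleset is already loaded, so if this role runs before the nftables role the host has no default-deny policy between `state: disabled` and the nftables apply; order the nftables role ahead of `ufw` in the play, or gate these tasks on nftables being active. Two smaller points in the same hunk: only "Disable UFW" keeps `tags: - role::ufw`, so a run restricted to `--tags role::ufw` would disable UFW but skip "Uninstall UFW" and "Purge UFW files"; and `ignore_errors: true # subsequent deploys` hides every failure of that task, where a `when:` on the package being present (for example via `package_facts`) would express the intent without masking real errors. The bare `# noqa` should also name the lint rule it is suppressing.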
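Review bot: deleting `ufw_rules` removes the only allow for traffic arriving on `wg0` from `10.0.0.0/8`, and the tasks hunk above also drops the OpenSSH and WireGuard UDP (`{{ wireguard_port }}`) allows; none of these reappear anywhere in this change as nftables rules, so the equivalent input accepts for SSH, the WireGuard port and the `wg0` interface must already exist in the submodule's ruleset before this is deployed beyond lovelace. Pointing to where those rules live, in the commit message or a README for the role, would make that reviewable.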