authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 04:29:12 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:57:01 +0100
commit7641a5d5d152db349082b1d0ec93a40888b2ef8e (patch)
tree3f80c14c0e50b187a6698346cf8cffb9c5200154 /roles/common/tasks
parent456e09fa40d01b70ac1788d0338fba00079e4121 (diff)
Convert firewall to nftables.
Debian Buster uses the nftables framework by default.
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/firewall.yml48
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/tasks/sysctl.yml2
3 files changed, 19 insertions, 32 deletions
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 133b631..fd1ad92 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,41 +1,27 @@
-- name: Install some packages required for the firewall
- apt: pkg={{ packages }}
- vars:
- packages:
- - iptables
- - netmask
- - bsdutils
+- name: Install nftables
+ apt: pkg=nftables
-- name: Create directory /etc/iptables
- file: path=/etc/iptables
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate /etc/iptables/services
- template: src=etc/iptables/services.j2
- dest=/etc/iptables/services
- owner=root group=root
- mode=0600
-
-- name: Copy /usr/local/sbin/update-firewall.sh
- copy: src=usr/local/sbin/update-firewall.sh
- dest=/usr/local/sbin/update-firewall.sh
+- name: Copy /usr/local/sbin/update-firewall
+ copy: src=usr/local/sbin/update-firewall
+ dest=/usr/local/sbin/update-firewall
owner=root group=staff
mode=0755
-- name: Make the rulesets persistent
- copy: src=etc/network/{{ item }}
- dest=/etc/network/{{ item }}
- owner=root group=root
- mode=0755
- with_items:
- - if-pre-up.d/iptables
- - if-post-down.d/iptables
+- name: Copy /etc/nftables.conf
+ template: src=etc/nftables.conf.j2
+ dest=/etc/nftables.conf
+ owner=root group=root
+ mode=0644
- name: Ensure the firewall is up to date
- command: /usr/local/sbin/update-firewall.sh -c
+ command: /usr/local/sbin/update-firewall -c
register: rv
# A non-zero return value will make ansible stop and show stderr. This
# is what we want.
changed_when: rv.rc
+
+- name: Enable nftables.service
+ service: name=nftables enabled=yes
+
+- name: Start nftables.service
+ service: name=nftables state=started
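Review bot: The new `/etc/nftables.conf` template task installs the ruleset with `mode=0644`, whereas the `/etc/iptables/services` file it replaces was kept at `mode=0600`; the rendered firewall policy of the host presumably only needs to be readable by root, so I would change that line to `mode=0600` rather than make it world-readable. Separately, the template task has no `notify`, and the two service tasks added at the end (`enabled=yes`, `state=started`) are no-ops once the unit is already running, so a later change to the ruleset is only applied if `update-firewall -c` does that itself — a one-line comment on the "Ensure the firewall is up to date" task saying whether it loads the ruleset or only checks it would make that explicit. The two service tasks could also be folded into one (`service: name=nftables enabled=yes state=started`). The hunk covers a flat task list, so no enclosing block is cut.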
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7fa7b20..02a745c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -12,6 +12,7 @@
tags:
- firewall
- iptables
+ - nftables
- import_tasks: stunnel.yml
tags: stunnel
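Review bot: The `iptables` tag is left in place next to the new `nftables` tag even though the commit removes every iptables-related task, so `--tags iptables` now selects tasks that no longer touch iptables. Unless other playbooks still rely on that tag, I would drop the `- iptables` line so the tag list reflects what the imported tasks do. The `import_tasks` entry these tags belong to starts above the hunk.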
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index ffda544..3bf3b4f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -18,7 +18,7 @@
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
- # Disable paquet forwarding between interfaces (we are not a router).
+ # Disable packet forwarding between interfaces (we are not a router).
- { name: 'net.ipv4.ip_forward', value: 0 }
- { name: 'net.ipv6.conf.all.forwarding', value: 0 }