Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/firewall.yml48
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/tasks/sysctl.yml2
3 files changed, 19 insertions, 32 deletions
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 133b631..fd1ad92 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,41 +1,27 @@
-- name: Install some packages required for the firewall
- apt: pkg={{ packages }}
- vars:
- packages:
- - iptables
- - netmask
- - bsdutils
+- name: Install nftables
+ apt: pkg=nftables
-- name: Create directory /etc/iptables
- file: path=/etc/iptables
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Generate /etc/iptables/services
- template: src=etc/iptables/services.j2
- dest=/etc/iptables/services
- owner=root group=root
- mode=0600
-
-- name: Copy /usr/local/sbin/update-firewall.sh
- copy: src=usr/local/sbin/update-firewall.sh
- dest=/usr/local/sbin/update-firewall.sh
+- name: Copy /usr/local/sbin/update-firewall
+ copy: src=usr/local/sbin/update-firewall
+ dest=/usr/local/sbin/update-firewall
owner=root group=staff
mode=0755
-- name: Make the rulesets persistent
- copy: src=etc/network/{{ item }}
- dest=/etc/network/{{ item }}
- owner=root group=root
- mode=0755
- with_items:
- - if-pre-up.d/iptables
- - if-post-down.d/iptables
+- name: Copy /etc/nftables.conf
+ template: src=etc/nftables.conf.j2
+ dest=/etc/nftables.conf
+ owner=root group=root
+ mode=0644
- name: Ensure the firewall is up to date
- command: /usr/local/sbin/update-firewall.sh -c
+ command: /usr/local/sbin/update-firewall -c
register: rv
# A non-zero return value will make ansible stop and show stderr. This
# is what we want.
changed_when: rv.rc
+
+- name: Enable nftables.service
+ service: name=nftables enabled=yes
+
+- name: Start nftables.service
+ service: name=nftables state=started
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7fa7b20..02a745c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,34 +1,35 @@
---
- import_tasks: sysctl.yml
tags: sysctl
- import_tasks: hosts.yml
- import_tasks: apt.yml
tags: apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
tags: intel
- import_tasks: firewall.yml
tags:
- firewall
- iptables
+ - nftables
- import_tasks: stunnel.yml
tags: stunnel
when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
- import_tasks: auditd.yml
tags: auditd
- import_tasks: unbound.yml
tags:
- unbound
- dns
when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
- import_tasks: rkhunter.yml
tags: rkhunter
- import_tasks: clamav.yml
tags: clamav
- import_tasks: fail2ban.yml
tags: fail2ban
- import_tasks: smart.yml
tags:
- smartmontools
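Review bot: The `iptables` tag on the firewall import is kept next to the new `nftables` tag although the imported tasks no longer install or manage iptables, so `--tags iptables` now silently runs the nftables tasks. If it is kept on purpose as a compatibility alias, say so with a comment above it, e.g. `# kept so existing --tags iptables runs still reach the firewall tasks`; otherwise drop it. Not part of this change but visible in the hunk: the `when:` on the unbound import repeats the intel-microcode condition, which looks like a copy-paste slip rather than an intended restriction of the resolver setup to Intel hardware — worth confirming.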
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index ffda544..3bf3b4f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,41 +1,41 @@
- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
with_items:
- { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
# Networking. See
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# Enable Spoof protection (reverse-path filter). Turn on Source
# Address Verification in all interfaces to prevent some spoofing
# attacks.
- { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
# Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
# rate-limit not only the default ICMP types 3, 4, 11 and 12
# (0x1818), but also types 0 and 8. See icmp(7).
- { name: 'net.ipv4.tcp_syncookies', value: 1 }
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
- # Disable paquet forwarding between interfaces (we are not a router).
+ # Disable packet forwarding between interfaces (we are not a router).
- { name: 'net.ipv4.ip_forward', value: 0 }
- { name: 'net.ipv6.conf.all.forwarding', value: 0 }
# Do not accept ICMP redirects (prevent MITM attacks).
- { name: 'net.ipv4.conf.all.accept_redirects', value: 0 }
- { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
# Do not send ICMP redirects (we are not a router).
- { name: 'net.ipv4.conf.default.send_redirects', value: 0 }
- { name: 'net.ipv4.conf.all.send_redirects', value: 0 }
# Do not accept IP source route packets (we are not a router).
- { name: 'net.ipv4.conf.all.accept_source_route', value: 0 }
- { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
# Log Martian Packets.
- { name: 'net.ipv4.conf.all.log_martians', value: 1 }
# Ignore ICMP broadcasts.
- { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1 }