---------
If required, define these in your ansible inventory ``host_vars`` file.
-``ufw_allowed_ports: []`` should be a list of ports you want UFW to allow traffic through. Port numbers must be double-quoted due to the way the task processes stdout of ``ufw status``. Example::
+``ufw_allowed_ports: []`` should be a list of ports you want UFW to allow traffic through. You may optionally defined a ``source_ip`` by adding ``:1.2.3.4`` after the port. List items must be double-quoted due to the way the task processes stdout of ``ufw status``. Example::
ufw_allowed_ports:
- "22"
- "80"
- "443"
+ - "3306:1.2.3.4"
``f2b_filters: {}`` is a dictionary of additional filters fail2ban should use. For example, our status portal running Cachet has an additional fail2ban service monitoring repeated login attempts to the admin portal. ``maxlines`` is an optional variable. See filter example::
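Review bot: the added sentence has a grammar slip, "You may optionally defined a ``source_ip``" should read "You may optionally define a ``source_ip``", and it would help readers to state the item format explicitly (``"<port>:<source_ip>"``) and that the source restriction applies only to that entry, e.g. ``"3306:1.2.3.4"`` allows 3306 from 1.2.3.4 only while ``"22"`` stays open from anywhere. Since the same hunk changes the wording from "Port numbers must be double-quoted" to "List items must be double-quoted", it is also worth mentioning why: an unquoted ``3306:1.2.3.4`` is not a valid YAML scalar in the way the task expects, and an unquoted ``22`` becomes an integer that will not compare equal to the strings parsed from ``ufw status``.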
# Instead of deleting all rules and re-opening ports with each playbook run,
# we'll compare a list of ports we specify should be open with a list of currently open ports.
- name: Get list of currently allowed ports
- shell: ufw status | grep 'ALLOW' | grep -v v6 | grep -o '[0-9]*'
+ shell: ufw status | grep 'ALLOW' | grep -v v6 | awk '{ print $1 }'
register: ufw_current_allowed_raw
# Don't fail if we don't get any output
failed_when: false
- name: Enable any ports we're missing
ufw:
rule: allow
- port: "{{ item }}"
+ port: "{% if ':' in item %}{% set port_and_src = item.split(':') %}{{ port_and_src[0] }}{% else %}{{ item }}{% endif %}"
+ from_ip: "{% if ':' in item %}{% set port_and_src = item.split(':') %}{{ port_and_src[1] }}{% else %}any{% endif %}"
with_items: "{{ ufw_ports_to_enable }}"
# ufw_allowed_ports are excluded from the default policy
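Review bot: the idempotency comparison in "Get list of currently allowed ports" no longer lines up with the new ``port:source_ip`` items. ``awk '{ print $1 }'`` yields only the first column of ``ufw status`` (e.g. ``3306``, or ``22/tcp`` when a protocol was given), whereas the inventory entry is ``3306:1.2.3.4``, so a source-restricted item never matches anything in ``ufw_current_allowed_raw`` and the "Enable any ports we're missing" task re-applies it on every run, defeating the stated goal in the comment at the top of the hunk. Either emit the source column as well so the strings can match (``awk '{ print $1 ":" $3 }'`` and map ufw's ``Anywhere`` to no suffix), or compare on the port part only when building ``ufw_ports_to_enable``. Two smaller points: ``item.split(':')`` is evaluated in both ``port:`` and ``from_ip:`` and would mis-parse an IPv6 source (the ``grep -v v6`` on the status side does not guard the inventory side), so splitting once with ``rsplit(':', 1)`` into a fact before the loop would be more robust; and ``failed_when: false`` hides a genuine failure of ``ufw status`` (ufw not installed or not enabled), which would then produce an empty "current" list and re-add every port, so consider ``changed_when: false`` plus a narrower failure condition instead.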