From df3f3463afec460364ac544e9889668ab3b469a1 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Wed, 7 Jul 2021 17:23:56 -0400
Subject: [PATCH] public_facing: Support defining a src port for UFW rules

Signed-off-by: David Galloway
---
 roles/public_facing/README.rst | 3 ++-
 roles/public_facing/tasks/ufw.yml | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/roles/public_facing/README.rst b/roles/public_facing/README.rst
index 186bfc9..77cf49f 100644
--- a/roles/public_facing/README.rst
+++ b/roles/public_facing/README.rst
@@ -54,12 +54,13 @@ host_vars
 ---------
 If required, define these in your ansible inventory ``host_vars`` file.
 
-``ufw_allowed_ports: []`` should be a list of ports you want UFW to allow traffic through. Port numbers must be double-quoted due to the way the task processes stdout of ``ufw status``. Example::
+``ufw_allowed_ports: []`` should be a list of ports you want UFW to allow traffic through. You may optionally defined a ``source_ip`` by adding ``:1.2.3.4`` after the port. List items must be double-quoted due to the way the task processes stdout of ``ufw status``. Example::
 
 ufw_allowed_ports:
 - "22"
 - "80"
 - "443"
+ - "3306:1.2.3.4"
 
 ``f2b_filters: {}`` is a dictionary of additional filters fail2ban should use. For example, our status portal running Cachet has an additional fail2ban service monitoring repeated login attempts to the admin portal. ``maxlines`` is an optional variable. See filter example::
 
diff --git a/roles/public_facing/tasks/ufw.yml b/roles/public_facing/tasks/ufw.yml
index 67f2212..d902072 100644
--- a/roles/public_facing/tasks/ufw.yml
+++ b/roles/public_facing/tasks/ufw.yml
@@ -24,7 +24,7 @@
 # Instead of deleting all rules and re-opening ports with each playbook run,
 # we'll compare a list of ports we specify should be open with a list of currently open ports.
 - name: Get list of currently allowed ports
- shell: ufw status | grep 'ALLOW' | grep -v v6 | grep -o '[0-9]*'
+ shell: ufw status | grep 'ALLOW' | grep -v v6 | awk '{ print $1 }'
 register: ufw_current_allowed_raw
 # Don't fail if we don't get any output
 failed_when: false
@@ -47,7 +47,8 @@
 - name: Enable any ports we're missing
 ufw:
 rule: allow
- port: "{{ item }}"
+ port: "{% if ':' in item %}{% set port_and_src = item.split(':') %}{{ port_and_src[0] }}{% else %}{{ item }}{% endif %}"
+ from_ip: "{% if ':' in item %}{% set port_and_src = item.split(':') %}{{ port_and_src[1] }}{% else %}any{% endif %}"
 with_items: "{{ ufw_ports_to_enable }}"
 
 # ufw_allowed_ports are excluded from the default policy
-- 
2.39.5
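Review bot: The new `awk '{ print $1 }'` in the shell task keeps only the To column of `ufw status`, so a rule that was added with a source restriction is reported back as a bare port (`3306`) while the configured ufw_allowed_ports entry reads `"3306:1.2.3.4"`. If ufw_ports_to_enable is computed by differencing the configured list against this output — that computation sits between the two hunks and is not visible here — source-restricted entries never match, are re-added on every run, and the "compare instead of re-open" intent stated in the comment two lines above is lost for exactly the entries this patch introduces. Since `ufw status` prints To, Action and From as three columns, emitting `$1` for `Anywhere` and `$1 ":" $3` otherwise would make the recorded form match the configured form: `shell: ufw status | grep 'ALLOW' | grep -v v6 | awk '{ print ($3 == "Anywhere") ? $1 : $1 ":" $3 }'`. Note also that `$1` now carries the `/tcp` or `/udp` suffix of protocol-qualified rules, which the old `grep -o '[0-9]*'` stripped, so such rules will no longer match a plain port number either.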
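Review bot: `item.split(':')` on both new lines breaks for an IPv6 source, because `"3306:2001:db8::1"` splits into more than two pieces and `port_and_src[1]` yields `2001` instead of the address; nothing in the README text of this patch restricts sources to IPv4, and ufw itself handles IPv6 rules. Splitting once from the left keeps the port in the first element and the whole remainder as the address, and the duplicated `{% set %}` block can go: `port: "{{ item.split(':', 1)[0] }}"` and `from_ip: "{{ item.split(':', 1)[1] if ':' in item else 'any' }}"`. A comment above the task, such as `# items are "PORT" or "PORT:SOURCE"; a missing SOURCE means any`, would document the new item format at the point where it is parsed rather than only in the README. Separately, the subject line says "src port", but what a rule gains here is a source address, which is what from_ip expresses.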