diff --git a/README.md b/README.md index 5413ce9..10688e9 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,38 @@ mx2_wg: public_key: endpoint: :21841 allowed_ips: 10.2.0.1/32 + +mx1_fw: + interfaces: + - name: vio0 + allowed_tcp: + - 22 # SSH + - 80 # HTTP + - 443 # HTTPS + - 25 # SMTP Relay + - 587 # SMTP Submission + - 465 # SMTPS Submission + - 143 # IMAP + - 993 # IMAPS + - 4190 # Sive + allowed_udp: + - 21841 # Wireguard + - name: wg0 + allowed_tcp: + - 22 # SSH +mx2_fw: + interfaces: + - name: vio0 + allowed_tcp: + - 22 # SSH + - 80 # HTTP + - 443 # HTTPS + - 25 # SMTP Relay + allowed_udp: + - 21841 # Wireguard + - name: wg0 + allowed_tcp: + - 22 # SSH ``` The hosts are taken from the `inventory.yml` file: @@ -95,6 +127,7 @@ Current ansible playbooks: - installs nano, curl and git - disables ssh password logins - adds ssh public key + - configures firewall - 02-ssl.yml - generates ssl certificates and adds a renew cron job - 03-mail.yml - installs and configures dovecot and opensmtpd - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver diff --git a/ansible/01-initial_setup.yml b/ansible/01-initial_setup.yml index aa73256..1251b42 100644 --- a/ansible/01-initial_setup.yml +++ b/ansible/01-initial_setup.yml @@ -31,13 +31,26 @@ regexp: "^#?PasswordAuthentication" line: "PasswordAuthentication no" state: present + register: sshd_config - name: Restart SSH service to apply changes ansible.builtin.service: name: sshd state: restarted + when: sshd_config.changed - name: Add SSH public key to authorized_keys ansible.posix.authorized_key: user: root key: "{{ ssh_public_key }}" + + - name: Configure firewall + template: + src: "templates/pf.conf.j2" + dest: /etc/pf.conf + validate: pfctl -n -f %s + register: pf + + - name: Load config to pf if needed + command: pfctl -f /etc/pf.conf + when: pf.changed diff --git a/ansible/templates/pf.conf.j2 b/ansible/templates/pf.conf.j2 new file mode 100644 index 0000000..843454d --- /dev/null 
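Review bot: Nothing in the new `Configure firewall` / `Load config to pf if needed` tasks checks that the port Ansible itself connects on survives the ruleset, so a host whose `<hostname>_fw` vars omit port 22 on the management interface is locked out of every later play; pf normally keeps existing states across `pfctl -f`, so the current session would probably survive, but the next connection would not. A guard before the template task — an `ansible.builtin.assert` that `ansible_port | default(22)` appears in the flattened `allowed_tcp` lists of the host's `_fw` interfaces — makes the play fail before any rule is loaded. Smaller point of style: the new tasks use the short names `template` and `command` while the task above them uses `ansible.builtin.service`; `ansible.builtin.template` / `ansible.builtin.command` keep the file consistent. The enclosing `tasks:` list starts before this hunk.
```yaml
    - name: Refuse a ruleset that would lock out the Ansible SSH session
      ansible.builtin.assert:
        that:
          - "(ansible_port | default(22) | int) in (lookup('vars', inventory_hostname + '_fw').interfaces | selectattr('allowed_tcp', 'defined') | map(attribute='allowed_tcp') | flatten | map('int') | list)"
        fail_msg: "{{ inventory_hostname }}_fw does not allow the SSH port on any interface"

    # … unchanged: Configure firewall / Load config to pf if needed tasks …
```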
+++ b/ansible/templates/pf.conf.j2
@@ -0,0 +1,30 @@
+{% set _fw = lookup('vars', inventory_hostname + '_fw') %}
+# {{ ansible_managed }}
+# Skip filtering on the loopback interface
+set skip on lo
+
+# set up a default deny policy
+block all
+
+# Block remote X11 connections
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+{% for interface in _fw.interfaces %}
+# Pass rules for the specific ports on the {{ interface.name }} interface
+{% if (interface.allowed_tcp is defined) and interface.allowed_tcp %}
+{% for port in interface.allowed_tcp %}
+pass in on {{ interface.name }} proto tcp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+{% if (interface.allowed_udp is defined) and interface.allowed_udp %}
+{% for port in interface.allowed_udp %}
+pass in on {{ interface.name }} proto udp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+pass in on {{ interface.name }} proto icmp
+# Pass out rule to allow outgoing traffic on the {{ interface.name }} interface
+pass out on {{ interface.name }}
+{% endfor %}
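Review bot: The per-interface `pass in on {{ interface.name }} proto icmp` rule admits every ICMP type from anywhere, which is more than the template needs; pf passes statefully by default, so ICMP errors belonging to existing connections are already matched to their state, and `pass in on {{ interface.name }} inet proto icmp icmp-type echoreq` keeps ping working without exposing the rest. If any of these interfaces carries IPv6 — the README examples are IPv4-only, so this may not apply — `block all` also drops ICMPv6 neighbour discovery and the rule above does not cover it, so an `inet6 proto icmp6` pass for the ND and echo types would be needed. For detection the default deny is silent; `block log all` sends dropped packets to pflog0 without changing the policy. Minor: `set skip on lo` already exempts the loopback, so the `! lo0` qualifier on the X11 rule is redundant.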