pk/mail-server
1
0
Fork 0
mirror of https://github.com/pikami/mail-server.git synced 2024-11-27 20:35:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Configure Firewall

Browse Source
This commit is contained in:
Pijus Kamandulis 2024-05-29 23:24:50 +03:00
parent d779db5d34
commit 16efa8acfe
3 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -51,6 +51,38 @@ mx2_wg:
public_key: <vpn gateway public key> public_key: <vpn gateway public key>
endpoint: <gateway ip>:21841 endpoint: <gateway ip>:21841
allowed_ips: 10.2.0.1/32 allowed_ips: 10.2.0.1/32
mx1_fw:
interfaces:
- name: vio0
allowed_tcp:
- 22 # SSH
- 80 # HTTP
- 443 # HTTPS
- 25 # SMTP Relay
- 587 # SMTP Submission
- 465 # SMTPS Submission
- 143 # IMAP
- 993 # IMAPS
- 4190 # Sive
allowed_udp:
- 21841 # Wireguard
- name: wg0
allowed_tcp:
- 22 # SSH
mx2_fw:
interfaces:
- name: vio0
allowed_tcp:
- 22 # SSH
- 80 # HTTP
- 443 # HTTPS
- 25 # SMTP Relay
allowed_udp:
- 21841 # Wireguard
- name: wg0
allowed_tcp:
- 22 # SSH
``` ```
The hosts are taken from the `inventory.yml` file: The hosts are taken from the `inventory.yml` file:
@ -95,6 +127,7 @@ Current ansible playbooks:
- installs nano, curl and git - installs nano, curl and git
- disables ssh password logins - disables ssh password logins
- adds ssh public key - adds ssh public key
- configures firewall
- 02-ssl.yml - generates ssl certificates and adds a renew cron job - 02-ssl.yml - generates ssl certificates and adds a renew cron job
- 03-mail.yml - installs and configures dovecot and opensmtpd - 03-mail.yml - installs and configures dovecot and opensmtpd
- 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver

13
ansible/01-initial_setup.yml
View File

@ -31,13 +31,26 @@
regexp: "^#?PasswordAuthentication" regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no" line: "PasswordAuthentication no"
state: present state: present
register: sshd_config
- name: Restart SSH service to apply changes - name: Restart SSH service to apply changes
ansible.builtin.service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
when: sshd_config.changed
- name: Add SSH public key to authorized_keys - name: Add SSH public key to authorized_keys
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: root user: root
key: "{{ ssh_public_key }}" key: "{{ ssh_public_key }}"
- name: Configure firewall
template:
src: "templates/pf.conf.j2"
dest: /etc/pf.conf
validate: pfctl -n -f %s
register: pf
- name: Load config to pf if needed
command: pfctl -f /etc/pf.conf
when: pf.changed

30
ansible/templates/pf.conf.j2 Normal file
View File

@ -0,0 +1,30 @@
{% set _fw = lookup('vars', inventory_hostname + '_fw') %}
# {{ ansible_managed }}
# Skip filtering on the loopback interface
set skip on lo
# set up a default deny policy
block all
# Block remote X11 connections
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
{% for interface in _fw.interfaces %}
# Pass rules for the specific ports on the {{ interface.name }} interface
{% if (interface.allowed_tcp is defined) and interface.allowed_tcp %}
{% for port in interface.allowed_tcp %}
pass in on {{ interface.name }} proto tcp from any to any port {{ port }}
{% endfor %}
{% endif %}
{% if (interface.allowed_udp is defined) and interface.allowed_udp %}
{% for port in interface.allowed_udp %}
pass in on {{ interface.name }} proto udp from any to any port {{ port }}
{% endfor %}
{% endif %}
pass in on {{ interface.name }} proto icmp
# Pass out rule to allow outgoing traffic on the {{ interface.name }} interface
pass out on {{ interface.name }}
{% endfor %}