Add the new status page server
18 months ago, Gary Kramlich
857238d79c83
Add the new status page server
---
-
name
:
install ufw
apt
:
name
:
ufw
state
:
present
force_apt_get
:
"yes"
tags
:
-
apt
-
name
:
disable ufw logging
ufw
:
# This takes a string, not a boolean, so "off" must be quoted.
logging
:
"off"
# This will fail if ufw is not installed.
ignore_errors
:
"{{
ansible_check_mode
}}"
-
name
:
enable ufw with a default deny policy
ufw
:
state
:
enabled
direction
:
incoming
policy
:
deny
# This will fail if ufw is not installed.
ignore_errors
:
"{{
ansible_check_mode
}}"
-
name
:
exempt certain networks from the SSH rate-limit
ufw
:
rule
:
allow
name
:
OpenSSH
src
:
"{{
item.address
}}"
loop
:
"{{
firewall_ssh_exempt_networks
}}"
loop_control
:
label
:
"{{
item.name
}}"
when
:
firewall_ssh_exempt_networks | length > 0
# This will fail if ufw is not installed.
ignore_errors
:
"{{
ansible_check_mode
}}"
tags
:
-
ssh
-
name
:
allow and rate-limit SSH
ufw
:
rule
:
limit
name
:
OpenSSH
# This will fail if ufw is not installed.
ignore_errors
:
"{{
ansible_check_mode
}}"
tags
:
-
ssh
# The default behavior of a TCP stack (e.g. with ufw disabled) is to reply to
# invalid TCP packets with a reset (RST). Since ufw uses connection tracking
# and drops (-j DROP) packets with a "ctstate" of "INVALID", this does not
# happen. Invalid TCP packets are simply dropped. This is problematic if the
# TCP packet corresponds to a previous connection and the server has rebooted
# (or a VIP has migrated to a different server). The remote client has to
# timeout, which can take a long time.
#
# This change adds an additional iptables rule to reject these with TCP resets
# (-j REJECT --reject-with tcp-reset). Note that this is subtly different
# from letting the TCP stack reply with an RST. This happens earlier in
# packet processing. I'm not sure if that actually matters, but if it does,
# it will be helpful rather than hurtful.
#
# This does make a system a bit less "steathly", as you can use invalid TCP
# packets to elicit a response. That is not a concern on servers, since they
# respond on well-known ports anyway.
#
# This should not create any opportunity for an amplification attack.
-
name
:
send TCP resets for invalid connections
lineinfile
:
path
:
"/etc/ufw/before{{
item
}}.rules"
insertbefore
:
>-
^-A ufw{{ item }}-before-input -m conntrack --ctstate INVALID -j DROP
line
:
>-
-A ufw{{ item }}-before-input -m conntrack --ctstate INVALID -p tcp
-j REJECT --reject-with tcp-reset
notify
:
-
reload ufw
loop
:
-
""
-
"6"
loop_control
:
label
:
"ip{{
item
}}"
# This will fail if ufw is not installed because the files will not exist.
ignore_errors
:
"{{
ansible_check_mode
}}"
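Review bot: The `enable ufw with a default deny policy` task runs before the two OpenSSH rule tasks, so a play that aborts between them (or a first run against a host reached over SSH) leaves ufw enabled with no inbound SSH rule; already-established sessions will probably survive via conntrack, but new connections are refused until the play is rerun. Moving that task after `allow and rate-limit SSH` (keeping its `ignore_errors: "{{ ansible_check_mode }}"`) puts the rules in place before enforcement starts. Separately, in `send TCP resets for invalid connections`, `lineinfile` with `insertbefore` falls back to appending at end of file when the regex finds no match, which would place the REJECT rule after the trailing `COMMIT` in before.rules and break the notified `reload ufw`; adding `backup: true` and a preceding check that the `--ctstate INVALID -j DROP` anchor line exists before writing would contain that failure. Minor: `force_apt_get: "yes"` is a quoted string where the module takes a boolean, and `force_apt_get: true` states what is meant.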