ansible-ferm-firewall's People

Contributors

ant31, martbhell, tiggi, villes1, vosdev

Forkers

vosdev

ansible-ferm-firewall's Issues

/etc/ferm/ferm.conf is unmanaged

Installing ferm on my Ubuntu 18.04 or Debian 9.8 systems leaves me with a default /etc/ferm/ferm.conf (which seems reasonable :-) )

It contains firewall rules as well. These get mixed with your own rules. This file should be fully managed instead of only enforcing the @include line.

Second, why is there a difference between redhat and non-redhat systems regarding the ferm.d directory?
With this role RedHat systems are to use /etc/ferm/ferm.d and non-RedHat systems get to use /etc/ferm.d. I don't see any reason for this. By default, ferm on Ubuntu (18.04) even comes with a /etc/ferm/ferm.d dir and an @include ferm.d; config option.

Example of /etc/ferm/ferm.conf after installing on Ubuntu 18.04:

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            proto icmp ACCEPT;

            # allow IPsec
            proto udp dport 500 ACCEPT;
        @if @eq($DOMAIN, ip) {
          proto (esp ah) ACCEPT;
        } @else {
          proto (esp) ACCEPT;
        }

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}

@include ferm.d/;

And on Debian 9.8:

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# IPv6:
#domain ip6 { 
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ... 
#        }
#        # ...
#    }
#}

fermreloaded.changed is not registered

I had the problem that my fail2ban would never restart. The task [ferm : Ferm | If ferm_fail2ban is True - restart fail2ban as well if ferm is reloaded] always skips on me even though ferm_fail2ban is True and the firewall has reloaded.

ansible 2.7.5

TASK [ferm : Ferm | Create the default ferm conf files on non-RedHat] ***************************************
--- before: /etc/ferm.d/default.conf 
+++ after: /home/nachtmerrie/.ansible/tmp/ansible-local-385301gVYg2/tmpnZGnHc/ferm.conf.j2
@@ -1,14 +1,14 @@
 #Ansible managed. Version: 2019-04-18 09:18 by nachtmerrie
  domain (ip ip6 ) table filter {
    chain INPUT {
-   # global policy!
+   # global policy.
    policy DROP;
<snip>
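Review bot: the only change visible in this hunk is comment punctuation ("# global policy!" to "# global policy."), and the rest of the file is snipped, so the diff does not show whether any rule line actually changed; a comment-only difference is still enough for the template task to report changed and fire the reload handler, which is consistent with the "changed: [testbox]" line that follows.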

changed: [testbox] => (item={'value': [{u'domains': [u'ip'<retracted>

As shown above, ferm config has changed.

RUNNING HANDLER [ferm : reload ferm] ************************************************************************
changed: [testbox] => changed=true

The handler executed

but the task: Ferm | Reload ferm thinks nothing has changed

TASK [ferm : Ferm | Reload ferm] ****************************************************************************
ok: [testbox] => changed=false

I added two debug tasks to look at the variables' value:

TASK [ferm : Ferm | Display ferm_fail2ban] ******************************************************************
ok: [testbox] => 
  ferm_fail2ban: true
TASK [ferm : Ferm | Display fermreloaded] *******************************************************************
ok: [testbox] => 
  fermreloaded.changed: false
TASK [ferm : Ferm | If ferm_fail2ban is True - restart fail2ban as well if ferm is reloaded] ****************
skipping: [testbox] => changed=false
  skip_reason: Conditional result was False

As you can see above, fermreloaded.changed: false even though it did reload/restart my ferm.
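One way to address both of the issues above (the unmanaged /etc/ferm/ferm.conf with its distribution defaults, and fermreloaded.changed staying false because register only records the result of the task it is attached to, not of the handler that did the reload), written as an added example that is not the role's own code. The host group, file names and the handler topic name are assumptions; it relies on handler listen (Ansible 2.2 and later) and on a ferm service unit.

```yaml
# Added example, not part of the ansible-ferm-firewall role.
- hosts: firewall_hosts            # placeholder group
  become: true
  vars:
    ferm_fail2ban: true

  tasks:
    # Fully manage ferm.conf so the packaged default rules (IPsec, SSH, ...)
    # cannot silently mix with the role's rules. The INPUT/FORWARD policies
    # must then come from the files in ferm.d/.
    - name: Ferm | Fully manage /etc/ferm/ferm.conf
      copy:
        dest: /etc/ferm/ferm.conf
        owner: root
        group: root
        mode: '0640'
        content: |
          # Ansible managed. Distribution default rules intentionally removed;
          # all rules live in ferm.d/ (same path on every distribution).
          @include ferm.d/;
      notify: ferm reloaded

    - name: Ferm | Render the role's rules into ferm.d
      template:
        src: default.conf.j2       # assumed template name
        dest: /etc/ferm/ferm.d/default.conf
        mode: '0640'
      register: ferm_rules         # records THIS task's change, not the handler's
      notify: ferm reloaded

  # Both handlers listen to the same topic, so whenever a config change
  # triggers the ferm reload, the fail2ban restart runs right after it.
  # No registered variable from a handler is needed, which is why
  # fermreloaded.changed never carried the information the role expected.
  handlers:
    - name: reload ferm
      listen: ferm reloaded
      service:
        name: ferm
        state: reloaded

    - name: restart fail2ban
      listen: ferm reloaded
      when: ferm_fail2ban | bool   # fail2ban re-inserts its chains after a reload
      service:
        name: fail2ban
        state: restarted
```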

get iptables -m state rules to work

We are having this issue on the NFS node.

iptables-restore < /tmp/1

fails when it has these lines:

-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

Some module not loaded?

Support for ansible 2.5

TASK [ansible-role-ferm-firewall : Ferm | Include ferm.d directory on RedHat] ***
Tuesday 27 March 2018  10:25:45 +0000 (0:00:00.036)       0:00:45.474 ********* 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: IndexError: list index out of range
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 512, in \n    main()\n  File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 503, in main\n    ins_aft, ins_bef, create, backup, backrefs, firstmatch)\n  File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 337, in present\n    elif b_lines[index[1] - 1].rstrip(b('\\r\\n')) != b_line:\nIndexError: list index out of range\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
