cscfi / ansible-ferm-firewall
This project was forked from ant31-ansible/role-ferm-firewall.
Ansible role to configure the firewall Ferm
Installing ferm on my Ubuntu 18.04 or Debian 9.8 systems leaves me with a default /etc/ferm/ferm.conf (which seems reasonable :-) ). It contains firewall rules as well. These get mixed with your own rules. This file should be fully managed instead of only enforcing the @include line.
Second, why is there a difference between RedHat and non-RedHat systems regarding the ferm.d directory? With this role RedHat systems are to use /etc/ferm/ferm.d and non-RedHat systems get to use /etc/ferm.d. I don't see any reason for this. By default, ferm on Ubuntu (18.04) even comes with a /etc/ferm/ferm.d dir and an @include ferm.d; config option.
Example of /etc/ferm/ferm.conf after installing on Ubuntu 18.04:
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            proto icmp ACCEPT;

            # allow IPsec
            proto udp dport 500 ACCEPT;
            @if @eq($DOMAIN, ip) {
                proto (esp ah) ACCEPT;
            } @else {
                proto (esp) ACCEPT;
            }

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}
@include ferm.d/;
And on Debian 9.8:
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# IPv6:
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}
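The two stock files above make the same point: ferm emits rules in file order and ACCEPT is terminal in iptables, so whatever the role puts into ferm.d/ runs after the distribution's own ACCEPTs for ICMP, UDP 500, ESP/AH and SSH and cannot take them back. The following Python is added here as an example; it is not code from the cscfi/ansible-ferm-firewall role or from ferm. It parses a ferm.conf of the shape shown above and lists the INPUT ACCEPTs that precede the @include. The embedded sample is a constructed copy of the Ubuntu file trimmed to its INPUT and OUTPUT chains; the parser only understands this flat syntax (domain/table/chain blocks, @if/@else, one statement per line) and is not a general ferm parser.

```python
"""List the ACCEPT rules a stock Debian/Ubuntu ferm.conf grants before ferm.d/ runs.

Added example, not code from the cscfi/ansible-ferm-firewall role or from ferm.
Handles only the flat syntax shown in the issue; not a general ferm parser.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BLOCK_RE = re.compile(r"^(domain|table|chain)\s+(.+?)\s*\{$")

# Constructed sample: the Ubuntu 18.04 default ferm.conf, trimmed to INPUT/OUTPUT.
UBUNTU_DEFAULT = """\
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;
            proto icmp ACCEPT;
            # allow IPsec
            proto udp dport 500 ACCEPT;
            @if @eq($DOMAIN, ip) {
                proto (esp ah) ACCEPT;
            } @else {
                proto (esp) ACCEPT;
            }
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}
@include ferm.d/;
"""


@dataclass
class Rule:
    chain: str                   # built-in chain the statement belongs to
    text: str                    # statement with comment removed, whitespace collapsed
    conditions: List[str] = field(default_factory=list)  # enclosing @if/@else blocks
    after_include: bool = False  # True if an @include came earlier in the file


def _strip(line: str) -> str:
    """Drop a trailing '#' comment and collapse whitespace."""
    return " ".join(line.split("#", 1)[0].split())


def parse_rules(conf: str) -> List[Rule]:
    """Walk the brace structure and return every statement together with its chain."""
    stack: List[Tuple[str, str]] = []   # one (kind, label) per open '{'
    rules: List[Rule] = []
    include_seen = False
    for raw in conf.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("}"):        # also closes the @if in '} @else {'
            stack.pop()
            line = line[1:].strip()
            if not line:
                continue
        if line.endswith("{"):
            m = BLOCK_RE.match(line)
            stack.append((m.group(1), m.group(2)) if m else ("cond", line[:-1].strip()))
            continue
        if not line.endswith(";"):
            raise ValueError(f"unsupported ferm syntax: {raw!r}")
        stmt = line[:-1].strip()
        if stmt.startswith("@include"):
            include_seen = True
            continue
        chain = next((lbl for kind, lbl in reversed(stack) if kind == "chain"), None)
        if chain is not None:           # ignore top-level @def and the like
            conds = [lbl for kind, lbl in stack if kind == "cond"]
            rules.append(Rule(chain, stmt, conds, include_seen))
    return rules


def default_accepts(conf: str, chain: str = "INPUT") -> List[Rule]:
    """ACCEPTs in `chain` that run before anything from the @include'd directory."""
    return [r for r in parse_rules(conf)
            if r.chain == chain and r.text.endswith(" ACCEPT")
            and not r.text.startswith("policy ") and not r.after_include]


def policy_of(conf: str, chain: str = "INPUT") -> Optional[str]:
    """Chain policy the file sets, or None if it leaves the iptables default."""
    for r in parse_rules(conf):
        if r.chain == chain and r.text.startswith("policy "):
            return r.text.split()[1]
    return None


if __name__ == "__main__":
    print("INPUT policy:", policy_of(UBUNTU_DEFAULT))
    for r in default_accepts(UBUNTU_DEFAULT):
        print("  " + r.text + (f"   [{' '.join(r.conditions)}]" if r.conditions else ""))
```

Run it against the real /etc/ferm/ferm.conf of a host before trusting the role there; the authoritative cross-check is `ferm --noexec --lines /etc/ferm/ferm.conf`, which prints the iptables commands ferm would run without applying them. Anything the audit lists has to go out of ferm.conf itself, by templating the whole file or deleting those rules, because a rule added later in ferm.d/ cannot override an earlier ACCEPT.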
I had the problem that my fail2ban would never restart. The task [ferm : Ferm | If ferm_fail2ban is True - restart fail2ban as well if ferm is reloaded] always skips on me even though ferm_fail2ban is True and the firewall has reloaded.
ansible 2.7.5
TASK [ferm : Ferm | Create the default ferm conf files on non-RedHat] ***************************************
--- before: /etc/ferm.d/default.conf
+++ after: /home/nachtmerrie/.ansible/tmp/ansible-local-385301gVYg2/tmpnZGnHc/ferm.conf.j2
@@ -1,14 +1,14 @@
#Ansible managed. Version: 2019-04-18 09:18 by nachtmerrie
domain (ip ip6 ) table filter {
chain INPUT {
- # global policy!
+ # global policy.
policy DROP;
<snip>
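Review bot: the only change visible in this hunk is punctuation inside a comment, "- # global policy!" to "+ # global policy.", yet that is enough for Ansible to report the template task changed and fire the reload ferm handler, because the rendered template is compared byte for byte against /etc/ferm.d/default.conf. Comment-only edits to the template therefore cost a firewall reload on every host (and, once the fail2ban chaining works, a fail2ban restart as well); keep template comments stable so that a handler run always corresponds to a real rule change.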
changed: [testbox] => (item={'value': [{u'domains': [u'ip'<retracted>
As shown above, ferm config has changed.
RUNNING HANDLER [ferm : reload ferm] ************************************************************************
changed: [testbox] => changed=true
The handler executed, but the task "Ferm | Reload ferm" thinks nothing has changed:
TASK [ferm : Ferm | Reload ferm] ****************************************************************************
ok: [testbox] => changed=false
I added two debug tasks to look at the variables' value:
TASK [ferm : Ferm | Display ferm_fail2ban] ******************************************************************
ok: [testbox] =>
ferm_fail2ban: true
TASK [ferm : Ferm | Display fermreloaded] *******************************************************************
ok: [testbox] =>
fermreloaded.changed: false
TASK [ferm : Ferm | If ferm_fail2ban is True - restart fail2ban as well if ferm is reloaded] ****************
skipping: [testbox] => changed=false
skip_reason: Conditional result was False
As you can see above, fermreloaded.changed: false even though it did reload/restart my ferm.
We are having this issue on the NFS node.
iptables-restore < /tmp/1
fails when it has these lines:
-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
Some module not loaded?
Since ferm includes ALL files under the directory included in /etc/ferm.conf, it will also include the ansible backup files.
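Because, as the issue above says, @include ferm.d/; pulls in every file in the directory, an Ansible backup copy (written as <file>.<pid>.<YYYY-MM-DD@HH:MM:SS>~ when a task runs with backup: yes), an editor swap file or a package-manager leftover sitting next to default.conf is parsed as live firewall rules, which can silently re-introduce an old ruleset. The following Python is an added example, not code from the cscfi/ansible-ferm-firewall role: it flags every name in an include directory that is not a *.conf rule file (the role's own convention, see /etc/ferm.d/default.conf in the output above) and labels how it most likely got there. The directory listing it is run on is constructed for the example.

```python
"""Flag files in a ferm include directory that were not meant to be rule files.

Added example, not code from the cscfi/ansible-ferm-firewall role. Assumes the
role's convention of one *.conf per rule set; every other name is reported.
"""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Ansible's backup_local() names copies <file>.<pid>.<YYYY-MM-DD@HH:MM:SS>~
ANSIBLE_BACKUP_RE = re.compile(r"\.\d+\.\d{4}-\d{2}-\d{2}@\d{2}:\d{2}:\d{2}~$")
# Other leftovers that routinely turn up under /etc (editors, dpkg, rpm)
LEFTOVER_RE = re.compile(r"(~|\.sw[a-p]|\.bak|\.orig|\.dpkg-(old|new|dist)|\.rpm(save|new|orig))$")

# Constructed listing of /etc/ferm.d after a few Ansible runs and a hand edit.
SAMPLE_LISTING = [
    "default.conf",
    "default.conf.385301.2019-04-18@09:18:03~",   # left by a task with backup: yes
    "10-ssh.conf",
    "10-ssh.conf.orig",                           # hand-edit leftover
    ".10-ssh.conf.swp",                           # vim swap file
    "README",
]


def classify(name: str) -> str:
    """Label a file name by how it most likely got into the include directory."""
    if ANSIBLE_BACKUP_RE.search(name):
        return "ansible-backup"
    if LEFTOVER_RE.search(name):
        return "leftover"
    if name.startswith("."):
        return "hidden"
    if name.endswith(".conf"):
        return "rules"
    return "unexpected"


def stray_includes(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Every name in the directory that is not a *.conf rule file, with its label."""
    return sorted((n, classify(n)) for n in names if classify(n) != "rules")


def audit_dir(directory: Path) -> List[Tuple[str, str]]:
    """Run the check against a real include directory (regular files only)."""
    return stray_includes(p.name for p in directory.iterdir() if p.is_file())


if __name__ == "__main__":
    for name, label in stray_includes(SAMPLE_LISTING):
        print(f"{label:15s} {name}")
    ferm_d = Path("/etc/ferm.d")           # adjust for the RedHat layout if needed
    if ferm_d.is_dir():
        for name, label in audit_dir(ferm_d):
            print(f"{label:15s} {ferm_d / name}")
```

A non-empty result should fail the deployment, since every listed file is being fed to ferm as rules. The durable fix is to stop the files appearing at all: run the copy/template tasks with backup: no (or keep backups outside the include directory) and remove the leftovers, then re-run the audit before reloading ferm.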
TASK [ansible-role-ferm-firewall : Ferm | Include ferm.d directory on RedHat] ***
Tuesday 27 March 2018 10:25:45 +0000 (0:00:00.036) 0:00:45.474 *********
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: IndexError: list index out of range
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 512, in \n main()\n File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 503, in main\n ins_aft, ins_bef, create, backup, backrefs, firstmatch)\n File \"/tmp/ansible_Wsxbyo/ansible_module_lineinfile.py\", line 337, in present\n elif b_lines[index[1] - 1].rstrip(b('\\r\\n')) != b_line:\nIndexError: list index out of range\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}