Changeset - 3e6eaaff335e
Branko Majic (branko) - 17 days ago 2024-09-02 23:56:41
branko@majic.rs
MAR-218: Update filter syntax for checking IPv4/IPv6 addreses.
2 files changed with 3 insertions and 3 deletions:
0 comments (0 inline, 0 general)
roles/common/tasks/main.yml
 
@@ -222,97 +222,97 @@
 
    - Restart ferm
 

	
 
- name: Deploy the patched ferm binary that disables use of legacy iptables
 
  copy:
 
    src: ferm_binary
 
    dest: /usr/sbin/ferm
 
    owner: root
 
    group: root
 
    mode: 0755
 
  notify:
 
    - Restart ferm
 

	
 
- name: Install ferm (for firewall management)
 
  apt:
 
    name: ferm
 
    state: present
 

	
 
- name: Configure ferm init script coniguration file
 
  copy:
 
    src: "ferm_default"
 
    dest: "/etc/default/ferm"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart ferm
 

	
 
- name: Create directory for storing ferm configuration files
 
  file:
 
    dest: "/etc/ferm/conf.d/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0750
 

	
 
- name: Deploy main ferm configuration file
 
  copy:
 
    src: "ferm.conf"
 
    dest: "/etc/ferm/ferm.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Verify maintenance_allowed_sources parameter
 
  fail:
 
    msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}"
 
  when: "not (item | ipv4 or item | ipv6)"
 
  when: "not (item is ansible.utils.ipv4_address or item is ansible.utils.ipv6_address)"
 
  with_items: "{{ maintenance_allowed_sources }}"
 

	
 
- name: Deploy ferm base rules
 
  template:
 
    src: "00-base.conf.j2"
 
    dest: "/etc/ferm/conf.d/00-base.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Enable and start ferm
 
  service:
 
    name: ferm
 
    state: started
 
    enabled: true
 

	
 
- name: Deploy script for flushing legacy iptables rules
 
  copy:
 
    src: "legacy_iptables_rules.sh"
 
    dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Drop legacy iptables rules
 
  command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove"
 
  register: legacy_iptables_rules
 
  changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy script for validating server certificates
 
  copy:
 
    src: "check_certificate.sh"
 
    dest: "/usr/local/bin/check_certificate.sh"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Set-up directory for holding configuration for certificate validation script
 
  file:
 
    path: "/etc/check_certificate"
 
    state: "directory"
 
    owner: root
 
    group: root
 
    mode: 0755
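Review bot: The new `when:` on the "Verify maintenance_allowed_sources parameter" task uses `ansible.utils.ipv4_address` / `ansible.utils.ipv6_address`, which as far as I can tell accept only single host addresses, while the task's failure message still promises "addresses or subnets" and the template feeds each entry to ferm's `saddr`, which takes either form; a CIDR entry would now be rejected. If subnets are still meant to be allowed, the tests that accept both address and network forms are the broader `ansible.utils.ipv4` / `ansible.utils.ipv6`, i.e. `when: "not (item is ansible.utils.ipv4 or item is ansible.utils.ipv6)"`; the same choice applies to the two guards in roles/common/templates/00-base.conf.j2, so it is worth deciding once for both files. If subnets are intentionally no longer accepted, the message should drop "or subnets" (it is also missing a verb: `"Items in maintenance_allowed_sources must be IPv4/IPv6 addresses or subnets: {{ item }}"`). Either way, keep the fail-fast shape of this task, since an entry that silently never makes it into the allowed_sources chain would lock that source out in maintenance mode.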
roles/common/templates/00-base.conf.j2
 
#jinja2:trim_blocks:True,lstrip_blocks:True
 
# IPv4
 
domain ip {
 
    table filter {
 
        chain INPUT {
 
            policy DROP;
 
            interface lo ACCEPT;
 
            # Make sure not to allow flooding via ICMP ping packages by sending them
 
            # to flood chain before state module kicks in.
 
            proto icmp icmp-type echo-request jump flood;
 
            mod state state (ESTABLISHED RELATED) ACCEPT;
 
            # For TCP packages we perform floods checks after state module took care
 
            # of established and related connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed source addresses in maintenance mode.
 
            jump allowed_sources;
 
{% endif %}
 
        }
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
        chain flood {
 
            # Rate-limit the ping requests.
 
            proto icmp icmp-type echo-request {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                DROP;
 
            }
 
            # Rate-limit the TCP connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                LOG;
 
                DROP;
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv4 %}
 
                {% if source is ansible.utils.ipv4_address %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
 
    }
 
}
 

	
 
# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
 
domain ip6 {
 
    table filter {
 
        chain INPUT {
 
            policy DROP;
 
            interface lo ACCEPT;
 
            # Make sure not to allow flooding via ICMP ping packages by sending them
 
            # to flood chain before state module kicks in.
 
            proto icmp icmp-type echo-request jump flood;
 
            mod state state (ESTABLISHED RELATED) ACCEPT;
 
            # For TCP packages we perform floods checks after state module took care
 
            # of established and related connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
            # ICMPv6 packets required for proper functioning of IPv6.
 
            proto icmp icmp-type router-advertisement ACCEPT;
 
            proto icmp icmp-type neighbor-solicitation ACCEPT;
 
            proto icmp icmp-type neighbor-advertisement ACCEPT;
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed source addresses in maintenance mode.
 
            jump allowed_sources;
 
{% endif %}
 
        }
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
        chain flood {
 
            # Rate-limit the ping requests.
 
            proto icmp icmp-type echo-request {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                DROP;
 
            }
 
            # Rate-limit the TCP connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                LOG;
 
                DROP;
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv6 %}
 
                {% if source is ansible.utils.ipv4_address %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
 
    }
 
}
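Review bot: In the `domain ip6` allowed_sources chain the guard reads `{% if source is ansible.utils.ipv4_address %}`, identical to the one in `domain ip`, whereas the line it replaces tested `| ipv6`; assuming the `is ansible.utils.*` lines are the new side, as the commit message suggests, this looks like a copy-paste slip. With that guard no IPv6 entry from maintenance_allowed_sources is ever emitted into the ip6 chain, so in maintenance mode legitimate IPv6 sources only reach the trailing `DROP;`, and IPv4 entries are emitted as `saddr` inside the ip6 domain, which ip6tables will presumably reject and could keep ferm from loading the ruleset at all. The ip6 guard should be `{% if source is ansible.utils.ipv6_address %}`. A one-line comment above each guard, such as `{# only addresses of this domain's family may appear as saddr here #}`, would make the asymmetry between the two chains harder to break again.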