Changeset - eb9a1b525c77
[Not reviewed]
0 4 3
Branko Majic (branko) - 9 years ago 2015-04-27 15:18:25
branko@majic.rs
MAR-12: Added documentation related to firewall for the common role. Added deployment of firewall rules for roles mail_server, prosody, and ldap_server.
7 files changed with 62 insertions and 6 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -202,11 +202,11 @@ The role implements the following:
 
  itself, and provided they know the exact path of the file.
 
* Deploys CA certificate files, normally used for truststore purposes, to
 
  ``/etc/ssl/certs/``.
 
* Installs ferm (for iptables management), configuring a basic firewall which
 
  allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH),
 
  and also introduces rate-limitting for incoming ICMP echo request pacakges and
 
  (new) TCP connections. The rate-limitting is based on the source IP address,
 
  using the ``iptables hashlimit`` module.
 
* Installs ``ferm`` (for iptables management), configuring a basic firewall
 
  which allows ICMP echo requests (PING), incoming connection on TCP port 22
 
  (SSH), and also introduces rate-limitting for incoming ICMP echo request
 
  pacakges and (new) TCP connections. The rate-limitting is based on the source
 
  IP address, using the ``iptables hashlimit`` module.
 

	
 

	
 
Parameters
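Review bot: the rewritten bullet (from "Installs ``ferm`` (for iptables management)" through "using the ``iptables hashlimit`` module.") carries the spelling errors of the old text over unchanged: "rate-limitting" should be "rate-limiting" (twice) and "pacakges" should be "packages"; "incoming connection on TCP port 22" should also read "incoming connections". Since this hunk already rewrites the whole bullet to put ``ferm`` in literal markup, fix those in the same change.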
 
@@ -388,6 +388,7 @@ The role implements the following:
 
  attribute will update corresponding group as well.
 
* Configures permissions.
 
* Creates LDAP entries.
 
* Configures firewall to allow incoming connections to the LDAP server.
 

	
 

	
 
Parameters
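Review bot: the new bullet "Configures firewall to allow incoming connections to the LDAP server." should say what that means concretely, because the accompanying roles/ldap_server/files/ferm_ldap.conf only opens TCP port 389 and does so for any source address. Someone checking the role reference against a port scan or a failing client bind needs the port number, and stating that the rule is unrestricted by source tells them they may want to narrow it (ferm rules accept a saddr condition) when the LDAP clients are a known set of hosts.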
 
@@ -522,6 +523,7 @@ The role implements the following:
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
 
* Configures firewall to allow incoming connections to the XMPP server.
 

	
 
Prosody is configured as follows:
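Review bot: same documentation gap as the LDAP bullet: "Configures firewall to allow incoming connections to the XMPP server." does not list what roles/prosody/files/ferm_xmpp.conf actually opens (TCP 5222 and 5223 for client connections, 5269 for server-to-server, 5000 for file proxying). Suggest spelling those out here, in particular 5000, which is not a port a reader would guess from "XMPP server".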
 

	
 
@@ -636,6 +638,9 @@ The role implements the following:
 
* Purges Exim4 configuration (just in case).
 
* Installs SWAKS (utility for testing SMTP servers).
 
* Sets-up the necessary directories and files under Postfix chroot.
 
* Configures firewall to allow incoming connections to the mail server. This
 
  includes set-up of redirection from TCP port 26 to TCP port 25 (alternate SMTP
 
  to work around common network blocks).
 

	
 
Deployed services are configured as follows:
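Review bot: the new mail_server bullet documents only the port 26 to 25 redirect, but roles/mail_server/files/ferm_mail.conf in this changeset also opens IMAP (TCP 143 and 993) and ManageSieve (TCP 4190); the role reference should list those as well so the documented exposure matches the deployed rules. Minor wording: "includes setting up redirection" reads better than "includes set-up of redirection".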
 

	
roles/ldap_server/files/ferm_ldap.conf
 
new file 100644
 
table filter {
 
    chain INPUT {
 
        proto tcp dport 389 ACCEPT;
 
    }
 
}
 
\ No newline at end of file
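Review bot: "proto tcp dport 389 ACCEPT;" opens plain LDAP to every source address with no comment explaining the choice, while the mail and XMPP rule files in this changeset annotate every rule; add a comment here too, and state in it whether StartTLS is expected on 389, since without it directory traffic, binds included, crosses the network in clear. If the clients are a known set of hosts, a saddr restriction on this rule would limit the exposure. The file is also missing its trailing newline.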
roles/ldap_server/tasks/main.yml
 
@@ -74,3 +74,8 @@
 
  ldap_entry: ""
 
  args: "{{ item }}"
 
  with_items: ldap_entries
 

	
 
- name: Deploy firewall configuration for LDAP
 
  copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 
\ No newline at end of file
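Review bot: in the line 'copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640', write the mode as 0640: Ansible documents that file modes must be given in octal with a leading zero (or symbolically), and a bare 640 becomes a different permission set the moment this task is rewritten in YAML dictionary form, where 640 is parsed as a decimal integer. The "Restart ferm" handler that the task notifies is not defined anywhere in this changeset, so please confirm it exists in a role the ldap_server role depends on; otherwise the play fails at handler time with the file already copied. Missing trailing newline as well.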
roles/mail_server/files/ferm_mail.conf
 
new file 100644
 
table filter {
 
    chain INPUT {
 
        # SMTP (with alternative port)
 
        proto tcp dport 25 ACCEPT;
 
        proto tcp dport 26 ACCEPT;
 
        # IMAP
 
        proto tcp dport 143 ACCEPT;
 
        proto tcp dport 993 ACCEPT;
 
        # ManageSieve
 
        proto tcp dport 4190 ACCEPT;
 
    }
 
}
 

	
 
table nat {
 
    chain PREROUTING {
 
        # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
 
        # etc).
 
        proto tcp dport 26 REDIRECT to-ports 25;
 
    }
 
}
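Review bot: "proto tcp dport 26 ACCEPT;" in the filter INPUT chain is dead: the "proto tcp dport 26 REDIRECT to-ports 25;" rule in nat PREROUTING rewrites the destination port before the packet reaches INPUT, so INPUT only ever sees dport 25 for those connections and the 26 rule never matches. Either drop it, or, if it is kept deliberately for a local listener on 26, say so in the comment, because as written it suggests a service is reachable on 26 that does not exist on that port.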
roles/mail_server/tasks/main.yml
 
@@ -137,3 +137,8 @@
 

	
 
- name: Enable Dovecot service
 
  service: name=dovecot enabled=yes state=started
 

	
 
- name: Deploy firewall configuration for mail server
 
  copy: src="ferm_mail.conf" dest="/etc/ferm/conf.d/20-mail.conf" owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 
\ No newline at end of file
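Review bot: same mode point as the LDAP task: "mode=640" in the copy line should be "mode=0640", the leading-zero octal form Ansible documents. The task is correctly placed after the Dovecot service is enabled, but "Restart ferm" is again notified without being defined in this changeset; confirm the handler is provided by the common role. Missing trailing newline as well.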
roles/prosody/files/ferm_xmpp.conf
 
new file 100644
 
table filter {
 
    chain INPUT {
 
        # XMPP client connections.
 
        proto tcp dport 5222 ACCEPT;
 
        proto tcp dport 5223 ACCEPT;
 
        # File proxying.
 
        proto tcp dport 5000 ACCEPT;
 
        # XMPP server connections.
 
        proto tcp dport 5269 ACCEPT;
 
    }
 
}
 
\ No newline at end of file
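Review bot: the rules "proto tcp dport 5223 ACCEPT;" (legacy SSL-on-connect port) and "proto tcp dport 5000 ACCEPT;" (file proxying) should be checked against what the Prosody role actually configures: nothing in this changeset shows Prosody being set up to listen on either port, and firewall openings for ports with no listener mislead anyone auditing the host and tend to outlive their purpose. Open each one only if the matching Prosody listener or component is enabled, and name it in the comment. Missing trailing newline.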
roles/prosody/tasks/main.yml
 
@@ -48,4 +48,9 @@
 
    - Restart Prosody
 

	
 
- name: Enable and start Prosody service
 
  service: name=prosody state=started
 
\ No newline at end of file
 
  service: name=prosody state=started
 

	
 
- name: Deploy firewall configuration for XMPP server
 
  copy: src="ferm_xmpp.conf" dest="/etc/ferm/conf.d/30-xmpp.conf" owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 
\ No newline at end of file
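Review bot: the task named "Enable and start Prosody service" only starts it: "service: name=prosody state=started" has no enabled=yes, so Prosody will not come back after a reboot, unlike the Dovecot task in this changeset, which uses "enabled=yes state=started". The hunk already rewrites this line (to give it a trailing newline), so it is the right moment to add enabled=yes. The new copy task has the same "mode=640" leading-zero point as the other roles, and the file is once more missing its trailing newline.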