Ufw manage defaults #85

Merged: 5 commits, May 22, 2016
5 changes: 5 additions & 0 deletions README.md
@@ -51,6 +51,11 @@ It will not:
* `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
* `ufw_manage_defaults` - true means apply all settings with ufw_ prefix
* `ufw_ipt_sysctl` - by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example: /etc/ufw/sysctl.conf.
* `ufw_default_input_policy` - DROP
* `ufw_default_output_policy` - ACCEPT
* `ufw_default_forward_policy` - DROP

## Packages

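Review bot: the `ufw_ipt_sysctl` bullet is misleading about the value's type. `IPT_SYSCTL` in /etc/default/ufw takes the path of a sysctl file that ufw applies when it starts (the stock Ubuntu value is `/etc/ufw/sysctl.conf`, the one the member comment in defaults/main.yml asks to document), not a "sysctl dictionary"; the variable is a path string, and the bullet should also spell out why the role comments it out by default: a ufw-applied sysctl file would otherwise overwrite the kernel parameters this role sets from `sysctl_config` (the template's own comment says it is used to "overwrite /etc/sysctl.conf"). The new bullets also drop the `variable: default` pattern of the entries above them (`ufw_manage_defaults: true`, `ufw_ipt_sysctl: ''`, `ufw_default_input_policy: 'DROP'`, ...), the `ufw_manage_defaults` entry should mention that the file is only written on Debian/Ubuntu, and the three variables the template reads but the defaults file never declares (`ufw_default_application_policy`, `ufw_manage_builtins`, `ufw_ipt_modules`) are not documented at all.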
11 changes: 11 additions & 0 deletions defaults/main.yml
@@ -40,6 +40,17 @@ os_security_init_prompt: true
# Require root password for single user mode. (rhel, centos)
os_security_init_single: false

# Apply ufw defaults
ufw_manage_defaults: true

# Disable IPT_SYSCTL in /etc/default/ufw
Member: Can you add the default value /etc/ufw/sysctl.conf as a comment here so one knows what the os-default is?

ufw_ipt_sysctl: ''

# Default ufw policies
ufw_default_input_policy: 'DROP'
ufw_default_output_policy: 'ACCEPT'
ufw_default_forward_policy: 'DROP'

# CAUTION
# If you want to overwrite sysctl-variables,
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
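Review bot: `ufw_manage_defaults: true` turns the new behaviour on for everyone: on the next run, every Debian/Ubuntu host this role already manages gets its /etc/default/ufw replaced by the template, including hosts that never enabled ufw. Either default it to `false` so the feature is opt-in, or document it prominently as a behaviour change. The empty string in `ufw_ipt_sysctl: ''` also doubles as the "disabled" switch that the template tests for, which is invisible from this file; a comment saying that `''` comments out IPT_SYSCTL and that the stock value is `/etc/ufw/sysctl.conf` (as requested above) would make the semantics clear. The three policy values are written into the file unvalidated, so a comment listing the permitted values `ACCEPT`, `DROP` and `REJECT` next to them would help, and `ufw_default_application_policy`, `ufw_manage_builtins` and `ufw_ipt_modules` belong here too rather than as inline `default()` fallbacks in the template.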
5 changes: 5 additions & 0 deletions tasks/sysctl.yml
@@ -35,3 +35,8 @@
ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}'
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'

- name: Apply ufw defaults
template: src="ufw.j2" dest=/etc/default/ufw
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
tags: dev
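Review bot: writing /etc/default/ufw changes nothing on a running firewall; the template's own header says the firewall must be disabled and re-enabled for the changes to take effect, so this task needs a `notify` to a handler that reloads ufw (or disables and re-enables it), otherwise the old default policies stay active until the next reboot and the play still reports the host as hardened. The `when:` clause only matches `ansible_distribution == 'Debian' or 'Ubuntu'`; `ansible_os_family == 'Debian'` covers the derivatives the same way. The task is also out of place in tasks/sysctl.yml and would read better in its own tasks/ufw.yml included from main, with an explicit `mode: 0644` on the template, and `tags: dev` looks like a leftover development tag, as already noted in the comment below.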
Member: Is that tag relevant? Maybe "ufw" is clearer.

44 changes: 44 additions & 0 deletions templates/ufw.j2
@@ -0,0 +1,44 @@
# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6={{ 'no' if sysctl_config['net.ipv6.conf.all.disable_ipv6'] == 1 else 'yes' }}

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="{{ ufw_default_output_policy }}"

# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="{{ ufw_default_forward_policy }}"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="{{ ufw_default_application_policy | default('SKIP') }}"
Member: Right now, every variable that can be defined is in the vars or defaults files. This one is not; instead there's a default used. Would you mind setting ufw_default_application_policy: 'SKIP' in the defaults file and removing the default here? Just like you did with ufw_default_input_policy and the others.


# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS="{{ ufw_manage_builtins | default('no') }}"
Member: Right now, every variable that can be defined is in the vars or defaults files. This one is not; instead there's a default used. Would you mind setting ufw_manage_builtins: 'no' in the defaults file and removing the default here? Just like you did with ufw_default_input_policy and the others.


#
# IPT backend
#
# only enable if using iptables backend and want to overwrite /etc/sysctl.conf
{% if ufw_ipt_sysctl == '' %}#{% endif %}IPT_SYSCTL={{ ufw_ipt_sysctl }}

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="{{ ufw_ipt_modules | default('nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns') }}"
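Review bot: the IPV6 line indexes `sysctl_config['net.ipv6.conf.all.disable_ipv6']` directly, so a user who overrides `sysctl_config` (which the CAUTION in defaults/main.yml says must be done as a whole dict) without that key gets a template failure instead of a firewall file; use `sysctl_config.get('net.ipv6.conf.all.disable_ipv6', 0)` or a `| default(0)` filter, and note that the comparison with the integer `1` silently fails if the value arrives as the string `'1'`. The `IPT_SYSCTL` line emits a bare `#IPT_SYSCTL=` when `ufw_ipt_sysctl` is empty; emitting the commented stock value (`#IPT_SYSCTL=/etc/ufw/sysctl.conf`) would leave the administrator a hint of what the role disabled and why. `DEFAULT_APPLICATION_POLICY`, `MANAGE_BUILTINS` and `IPT_MODULES` use inline `| default(...)` fallbacks rather than variables declared in defaults/main.yml, as the three inline comments already request. Finally, every value is interpolated unquoted or inside plain double quotes into a file that ufw sources as shell, and none is checked against the allowed set, so a typo such as `DORP` in `ufw_default_input_policy` is written verbatim and only surfaces when ufw is next reloaded.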
Member: Right now, every variable that can be defined is in the vars or defaults files. This one is not; instead there's a default used. Would you mind setting ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns' in the defaults file and removing the default here? Just like you did with ufw_default_input_policy and the others.

Contributor (author): Ok, no probs. I wanted to hide some really rarely used variables from the user, but I can add all variables to the defaults file if this is the "policy". Do I need to add them to the README as well?