This commit is contained in:
parent
b49fdee359
commit
666e2271de
@ -29,9 +29,9 @@ Configure firewalld for external interface:
|
|||||||
- ssh
|
- ssh
|
||||||
- wireguard
|
- wireguard
|
||||||
|
|
||||||
Configure firewalld for internal network:
|
Configure firewalld for public networks:
|
||||||
firewalld.present:
|
firewalld.present:
|
||||||
- name: internal
|
- name: public
|
||||||
- prune_ports: True
|
- prune_ports: True
|
||||||
- prune_services: True
|
- prune_services: True
|
||||||
- prune_interfaces: True
|
- prune_interfaces: True
|
||||||
@ -41,34 +41,13 @@ Configure firewalld for internal network:
|
|||||||
- {{ pillar['wireguard']['iface'] }}
|
- {{ pillar['wireguard']['iface'] }}
|
||||||
- {{ pillar['network']['wireless'] }}
|
- {{ pillar['network']['wireless'] }}
|
||||||
- {{ pillar['network']['bridge'] }}
|
- {{ pillar['network']['bridge'] }}
|
||||||
- sources:
|
|
||||||
- {{ pillar['network']['ip'][0:-1] }}0/24
|
|
||||||
- services:
|
|
||||||
- ssh
|
|
||||||
- dhcp
|
|
||||||
- tftp
|
|
||||||
- http
|
|
||||||
- https
|
|
||||||
- dns
|
|
||||||
- ntp
|
|
||||||
- registry
|
|
||||||
- nfs
|
|
||||||
- nfs3
|
|
||||||
|
|
||||||
Configure firewalld for public networks:
|
|
||||||
firewalld.present:
|
|
||||||
- name: public
|
|
||||||
- prune_ports: True
|
|
||||||
- prune_services: True
|
|
||||||
- prune_interfaces: True
|
|
||||||
- prune_sources: True
|
|
||||||
- interfaces:
|
|
||||||
{% for vlan in pillar['network']['vlan'] -%}
|
{% for vlan in pillar['network']['vlan'] -%}
|
||||||
{% if vlan['zone'] == 'public' -%}
|
{% if vlan['zone'] == 'public' -%}
|
||||||
- vlan.{{ vlan['id'] }}
|
- vlan.{{ vlan['id'] }}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- sources:
|
- sources:
|
||||||
|
- {{ pillar['network']['ip'][0:-1] }}0/24
|
||||||
{% for vlan in pillar['network']['vlan'] -%}
|
{% for vlan in pillar['network']['vlan'] -%}
|
||||||
{% set ip = vlan['address'] -%}
|
{% set ip = vlan['address'] -%}
|
||||||
{% if vlan['zone'] == 'public' -%}
|
{% if vlan['zone'] == 'public' -%}
|
||||||
@ -84,7 +63,8 @@ Configure firewalld for public networks:
|
|||||||
- dns
|
- dns
|
||||||
- ntp
|
- ntp
|
||||||
- registry
|
- registry
|
||||||
|
- nfs
|
||||||
|
- nfs3
|
||||||
|
|
||||||
Configure firewalld for airgap networks:
|
Configure firewalld for airgap networks:
|
||||||
firewalld.present:
|
firewalld.present:
|
||||||
@ -118,8 +98,8 @@ Configure firewalld for airgap networks:
|
|||||||
|
|
||||||
Add forwarding on Internal zone:
|
Add forwarding on Internal zone:
|
||||||
cmd.run:
|
cmd.run:
|
||||||
- name: firewall-cmd --permanent --zone=internal --add-forward
|
- name: firewall-cmd --permanent --zone=public --add-forward
|
||||||
- unless: bash -c "if [[ \"$(firewall-cmd --zone=internal --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"
|
- unless: bash -c "if [[ \"$(firewall-cmd --zone=public --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"
|
||||||
|
|
||||||
Reload firewalld:
|
Reload firewalld:
|
||||||
cmd.run:
|
cmd.run:
|
||||||
|
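Review bot: The public zone now allows nfs and nfs3 (the two lines added in the `@ -84,7 +63,8 @@` hunk) while the same commit removes the internal zone and moves its `{{ pillar['network']['ip'][0:-1] }}0/24` source under the public zone's `sources:`, so NFS becomes reachable on every interface bound to public (the wireguard, wireless, bridge and public-VLAN interfaces listed in the earlier hunks) instead of only from the LAN source as before. If that widening is not intended, keep nfs/nfs3 out of the public `services:` list and scope them to the LAN with a source-bound `rich_rules:` entry on `firewalld.present`, or keep a separate zone whose only binding is the /24 source, which preserves the previous exposure. The network derivation on the moved line is also fragile: `[0:-1]` followed by `0` only yields the network address when the host's last octet is a single digit (e.g. 10.0.0.25 becomes 10.0.0.20/24), so a dedicated pillar value holding the network prefix would be safer than slicing the host IP.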