From 1a0d330ce30d854c8f3af06c75adef4a0d1fc269 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 24 May 2022 02:46:25 +0200
Subject: [PATCH] update..
---
host_vars/bbb-server.b3-bornim.netz.yml | 13 ++
host_vars/file-blkr.blkr.netz.yml | 15 ++
host_vars/ga-al-gw.oopen.de.yml | 4 +
host_vars/zapata.opp.netz.yml | 6 +
hosts | 12 +-
roles/modify-ipt-gateway-ro/tasks/main.yml | 234 +++++++++++++++-----
roles/modify-ipt-gateway/tasks/main.yml | 235 ++++++++++++++++-----
7 files changed, 403 insertions(+), 116 deletions(-)
diff --git a/host_vars/bbb-server.b3-bornim.netz.yml b/host_vars/bbb-server.b3-bornim.netz.yml
index e061a47..8b47ce3 100644
--- a/host_vars/bbb-server.b3-bornim.netz.yml
+++ b/host_vars/bbb-server.b3-bornim.netz.yml
@@ -179,6 +179,19 @@ samba_groups: samba_user: + + - name: b3-user + groups: + - buero + - team + - fnr + - praktikant + password: '20-buero_user-22!' + + - name: b3-prakti + groups: + - praktikant + password: '20-b3_praktikant-22%' - name: caroline groups:
diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml
index b145d32..fa86bd3 100644
--- a/host_vars/file-blkr.blkr.netz.yml
+++ b/host_vars/file-blkr.blkr.netz.yml
@@ -75,6 +75,21 @@ sshd_macs: - hmac-sha2-512-etm@openssh.com - umac-128-etm@openssh.com +sshd_hostkeyalgorithms: + - ecdsa-sha2-nistp256-cert-v01@openssh.com + - ecdsa-sha2-nistp384-cert-v01@openssh.com + - ecdsa-sha2-nistp521-cert-v01@openssh.com + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + - rsa-sha2-256-cert-v01@openssh.com + - ssh-rsa-cert-v01@openssh.com + - ecdsa-sha2-nistp256 + - ecdsa-sha2-nistp384 + - ecdsa-sha2-nistp521 + - ssh-ed25519 + - rsa-sha2-512 + - rsa-sha2-256 + - ssh-rsa # --- # vars used by roles/common/tasks/apt.yml
diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml
index 4cf7dc4..2e6b5b5 100644
--- a/host_vars/ga-al-gw.oopen.de.yml
+++ b/host_vars/ga-al-gw.oopen.de.yml
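Review bot: The new `password:` values for `b3-user` and `b3-prakti` are committed in clear text in `host_vars`, as is the one for `dori` in the host_vars/zapata.opp.netz.yml hunk; the existing `caroline` entry shows the pattern is pre-existing, but this commit extends it. Store them as ansible-vault encrypted values (`password: !vault |` followed by the vault payload) or fetch them with a lookup at run time, so the repository history does not hold the credentials. Since these values have already been written to the commit, they should be treated as exposed and replaced once the vaulted form is in place. `b3-user` is also a shared account spanning four groups, which makes per-person accountability on the share impossible; a short comment naming why a shared login is needed would help the next reviewer.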
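Review bot: The new `sshd_hostkeyalgorithms` list in host_vars/file-blkr.blkr.netz.yml ends with `ssh-rsa` and also contains `ssh-rsa-cert-v01@openssh.com`, i.e. RSA host-key signatures over SHA-1, which OpenSSH disabled by default in 8.8; pinning this list explicitly re-enables them on this host and freezes the algorithm set so later OpenSSH defaults no longer apply. If a legacy client really needs SHA-1 RSA signatures, say so in a comment above the key; otherwise drop the two `ssh-rsa*` entries and let `rsa-sha2-256` / `rsa-sha2-512` cover RSA host keys. A one-line comment naming where the list was taken from (e.g. the `sshd -T` output it mirrors) would also make future pruning safer.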
@@ -200,6 +200,10 @@ network_interfaces: - /sbin/ip route add 172.16.11.0/24 via 172.16.111.254 - /sbin/ip route add 172.16.12.0/24 via 172.16.111.254 - /sbin/ip route add 172.16.13.0/24 via 172.16.111.254 + # - FritzBox Novalishaus + - /sbin/ip route add 172.16.80.0/24 via 172.16.111.254 + # - DigitBox Novalishaus + - /sbin/ip route add 172.16.81.0/24 via 172.16.111.254 - device: eth4
diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml
index af47d43..ab7487b 100644
--- a/host_vars/zapata.opp.netz.yml
+++ b/host_vars/zapata.opp.netz.yml
@@ -237,6 +237,12 @@ samba_user: - beratung password: '20_cristina_18!' + - name: dori + groups: + - buero + - beratung + password: 'K4lt3r_hUnD' + - name: drucker groups: - buero
diff --git a/hosts b/hosts
index 0358c29..07b562e 100644
--- a/hosts
+++ b/hosts
@@ -34,7 +34,7 @@ gw-b3.oopen.de gw-blkr.oopen.de gw-d11.oopen.de gw-flr.oopen.de -gw-irights.oopen.de +gw-irights.irights.netz gw-km.oopen.de gw-mbr.oopen.de gw-opp.oopen.de
@@ -53,7 +53,7 @@ gw-replacement2.local.netz k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de +ga-st-gw-surf1.oopen.de ga-al-gw.oopen.de ga-nh-gw.oopen.de ga-st-lxc1.ga.netz
@@ -214,7 +214,7 @@ gw-blkr.oopen.de gw-d11.oopen.de gw-flr.oopen.de gw-km.oopen.de -gw-irights.oopen.de +gw-irights.irights.netz gw-mbr.oopen.de gw-opp.oopen.de gw-km.oopen.de
@@ -236,7 +236,7 @@ gw-replacement2.local.netz k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de +ga-st-gw-surf1.oopen.de ga-al-gw.oopen.de ga-nh-gw.oopen.de
@@ -1529,7 +1529,7 @@ gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz gw-replacement.local.netz -gw-irights.oopen.de +gw-irights.irights.netz gw-km.oopen.de gw-mbr.oopen.de gw-opp.oopen.de
@@ -1540,7 +1540,7 @@ gw-kb.oopen.de k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de +ga-st-gw-surf1.oopen.de ga-al-gw.oopen.de ga-nh-gw.oopen.de
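Review bot: The inventory renames `gw-irights.oopen.de` → `gw-irights.irights.netz` and `ga-st-gw.oopen.de` → `ga-st-gw-surf1.oopen.de` in the `hosts` hunks change `inventory_hostname` without any accompanying `host_vars` change in this commit's diffstat; if a `host_vars/<old inventory name>.yml` file exists for either host, Ansible will silently stop loading it for the renamed entry, and any firewall or sshd settings carried there (like the ones other host_vars files in this patch hold) would revert to role defaults on the next run. Rename those files in the same commit, or add a comment next to the entries stating that no host_vars exist for them. Switching the first host from its public name to an internal `.netz` name presumably also changes the address Ansible connects to unless `ansible_host=` is set on the line; worth confirming the name resolves from the control host.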
diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml
index d2b3c5e..bd56eb2 100644
--- a/roles/modify-ipt-gateway-ro/tasks/main.yml
+++ b/roles/modify-ipt-gateway-ro/tasks/main.yml
@@ -108,95 +108,219 @@ notify: - Restart IPv6 Firewall +- name: addjust line 'adjust_kernel_parameters' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^adjust_kernel_parameters=' + line: '#adjust6_kernel_parameters=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'protect_against_several_attack' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^protect_against_several_attacks=' + line: '#protect6_against_several_attacks=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + # --- -# Allow local services from ALL extern netwoks +# Block Routers # --- -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv4) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv4.conf - register: allow_all_ext_traffic_to_local_service_ipv4_present +- name: Check if String 'drop_syn_flood..' (IPv4) is present + shell: grep -q -E "^#?drop_syn_flood=" /ro/etc/ipt-firewall/main_ipv4.conf + register: drop_syn_flood_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 0" + failed_when: "drop_syn_flood_ipv4_present.rc > 1" + changed_when: "drop_syn_flood_ipv4_present.rc > 0" -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood) blockinfile: path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect_against_several_attacks=true' block: | - # ============= - # - Allow local services from ALL extern netwoks - # ============= + # Protection against syn-flooding + # + #drop_syn_flood=false - # - allow_all_ext_traffic_to_local_service + # - I have to say that 
fragments scare me more than anything. + # - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" + # - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such + # - fragments is very OS-dependent (see this paper for details). + # - I am not going to trust any fragments. + # - Log fragments just to see if we get any, and deny them too # - - # - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .." + # - !! 'drop_fragments' does not work within telekom mobile connections !! # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. - # - - # - Example: - # - allow extern traffic to service at 83.223.73.210 on port 1036 - # - allow extern traffic to https service at 83.223.73.204 - # - - # - allow_ext_net_to_local_service=" - # - 83.223.73.210:1036:tcp - # - 83.223.73.204:$standard_https_port:tcp - # - " - # - - # - Blank separated list - # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + #drop_fragments=true + + # drop new packages without syn flag + # + #drop_new_not_sync=true + + # drop invalid packages + # + #drop_invalid_state=true + + # drop packages with unusal flags + # + #drop_invalid_flags=true + + # Refuse private addresses on extern interfaces + # + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address + #drop_spoofed=true + + # Don't allow spoofing from that server + # + #drop_spoofed_out=true + + # Refusing packets claiming to be to the loopback interface protects against + # source quench, whereby a machine can be told to slow itself down by an icmp source + # quench to the loopback. 
+ #drop_ext_to_lo=true + marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)" when: - main_ipv4_exists.stat.exists - - allow_all_ext_traffic_to_local_service_ipv4_present is changed + - drop_syn_flood_ipv4_present is changed -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv6) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv6.conf - register: allow_all_ext_traffic_to_local_service_ipv6_present +- name: Check if String 'drop6_syn_flood..' (IPv6) is present + shell: grep -q -E "^#?drop6_syn_flood=" /ro/etc/ipt-firewall/main_ipv6.conf + register: drop6_syn_flood_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 0" + failed_when: "drop6_syn_flood_ipv6_present.rc > 1" + changed_when: "drop6_syn_flood_ipv6_present.rc > 0" -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood) blockinfile: path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect6_against_several_attacks=true' + block: | + + # Protection against syn-flooding + # + #drop6_syn_flood=false + + # drop new packages without syn flag + # + #drop6_new_not_sync=true + + # drop invalid packages + # + #drop6_invalid_state=true + + # drop packages with unusal flags + # + #drop6_invalid_flags=true + + # Refuse spoofed packets pretending to be from your IP address. 
+ # + #drop6_from_own_ip=true + + # Refuse private addresses on extern interfaces + # + #drop6_spoofed=true + marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)" + when: + - main_ipv6_exists.stat.exists + - drop6_syn_flood_ipv6_present is changed + + +# --- +# Block UDP/TCP Ports out +# --- + +- name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: block_udp_extern_out_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*block_upnp_traffic_out' block: | # ============= - # - Allow local services from ALL extern netwoks + # --- Block UDP Ports out # ============= - # - allow_all_ext_traffic_to_local_service + # - UDP Ports to block (only extern out) # - - # - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .." + # - Comma separated list of udp ports # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. 
+ block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) # - - # - Example: - # - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036 - # - allow extern traffic to https service at 2a01:30:1fff:fd00::204 + # - Comma separated list of tcp ports # - - # - allow_ext_net_to_local_service=" - # - 2a01:30:1fff:fd00::210,1036,tcp - # - 2a01:30:1fff:fd00::204,$standard_https_port,tcp - # - " + block_tcp_extern_out_ports="" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" + when: + - main_ipv4_exists.stat.exists + - block_udp_extern_out_ports_ipv4_present is changed + +- name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: block_udp_extern_out_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*block_upnp_traffic_out' + block: | + + + # ============= + # --- Block UDP Ports out + # ============= + + # - UDP Ports to block (only extern out) # - - # - Blank separated list + # - Comma separated list of udp ports # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) + # - + # - Comma separated list of tcp ports + # - + block_tcp_extern_out_ports="" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" when: - main_ipv6_exists.stat.exists - - 
allow_all_ext_traffic_to_local_service_ipv6_present is changed + - block_udp_extern_out_ports_ipv6_present is changed
diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml
index c7b1545..a5a8da4 100644
--- a/roles/modify-ipt-gateway/tasks/main.yml
+++ b/roles/modify-ipt-gateway/tasks/main.yml
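Review bot: The two new `lineinfile` tasks at the top of the hunk (`addjust line 'adjust_kernel_parameters' (IPv6)` and `addjust line 'protect_against_several_attack' (IPv6)`) replace an active `adjust_kernel_parameters=…` / `protect_against_several_attacks=…` line in `/ro/etc/ipt-firewall/main_ipv6.conf` with the commented-out `#adjust6_kernel_parameters=true` / `#protect6_against_several_attacks=true`, so whatever value the host had is discarded and the IPv6 firewall presumably falls back to its built-in default; if the intent is to migrate the setting to the `6`-suffixed name and keep it enabled, the `#` should go (`line: 'adjust6_kernel_parameters=true'`). The `insertafter` anchors `'^#?\s*protect_against_several_attacks=true'` and `'^#?\s*protect6_against_several_attacks=true'` only match a `=true` value, and blockinfile falls back to EOF when the regex has no match, so `'^#?\s*protect_against_several_attacks='` (and the `6` variant) is the more robust anchor. Both points apply identically to the roles/modify-ipt-gateway/tasks/main.yml hunk, which differs only in the missing `/ro` prefix. As a matter of style, the new section header `# Block Routers` describes none of the syn-flood / fragment / spoofing settings below it, and `addjust`, `packages`, `unusal` in the new task names and block comments should read `adjust`, `packets`, `unusual`.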
@@ -100,96 +100,221 @@ notify: - Restart IPv6 Firewall +- name: addjust line 'adjust_kernel_parameters' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^adjust_kernel_parameters=' + line: '#adjust6_kernel_parameters=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'protect_against_several_attack' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^protect_against_several_attacks=' + line: '#protect6_against_several_attacks=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + # --- -# Allow local services from ALL extern netwoks +# Block Routers # --- -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv4) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /etc/ipt-firewall/main_ipv4.conf - register: allow_all_ext_traffic_to_local_service_ipv4_present +- name: Check if String 'drop_syn_flood..' (IPv4) is present + shell: grep -q -E "^#?drop_syn_flood=" /etc/ipt-firewall/main_ipv4.conf + register: drop_syn_flood_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 0" + failed_when: "drop_syn_flood_ipv4_present.rc > 1" + changed_when: "drop_syn_flood_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect_against_several_attacks=true' block: | - # ============= - # - Allow local services from ALL extern netwoks - # ============= + # Protection against syn-flooding + # + #drop_syn_flood=false - # - allow_all_ext_traffic_to_local_service + # - I have to say that fragments scare me more 
than anything. + # - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" + # - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such + # - fragments is very OS-dependent (see this paper for details). + # - I am not going to trust any fragments. + # - Log fragments just to see if we get any, and deny them too # - - # - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .." + # - !! 'drop_fragments' does not work within telekom mobile connections !! # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. - # - - # - Example: - # - allow extern traffic to service at 83.223.73.210 on port 1036 - # - allow extern traffic to https service at 83.223.73.204 - # - - # - allow_ext_net_to_local_service=" - # - 83.223.73.210:1036:tcp - # - 83.223.73.204:$standard_https_port:tcp - # - " - # - - # - Blank separated list - # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + #drop_fragments=true + + # drop new packages without syn flag + # + #drop_new_not_sync=true + + # drop invalid packages + # + #drop_invalid_state=true + + # drop packages with unusal flags + # + #drop_invalid_flags=true + + # Refuse private addresses on extern interfaces + # + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address + #drop_spoofed=true + + # Don't allow spoofing from that server + # + #drop_spoofed_out=true + + # Refusing packets claiming to be to the loopback interface protects against + # source quench, whereby a machine can be told to slow itself down by an icmp source + # quench to the loopback. 
+ #drop_ext_to_lo=true + marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)" when: - main_ipv4_exists.stat.exists - - allow_all_ext_traffic_to_local_service_ipv4_present is changed + - drop_syn_flood_ipv4_present is changed -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv6) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /etc/ipt-firewall/main_ipv6.conf - register: allow_all_ext_traffic_to_local_service_ipv6_present +- name: Check if String 'drop6_syn_flood..' (IPv6) is present + shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf + register: drop6_syn_flood_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 0" + failed_when: "drop6_syn_flood_ipv6_present.rc > 1" + changed_when: "drop6_syn_flood_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect6_against_several_attacks=true' + block: | + + # Protection against syn-flooding + # + #drop6_syn_flood=false + + # drop new packages without syn flag + # + #drop6_new_not_sync=true + + # drop invalid packages + # + #drop6_invalid_state=true + + # drop packages with unusal flags + # + #drop6_invalid_flags=true + + # Refuse spoofed packets pretending to be from your IP address. 
+ # + #drop6_from_own_ip=true + + # Refuse private addresses on extern interfaces + # + #drop6_spoofed=true + marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)" + when: + - main_ipv6_exists.stat.exists + - drop6_syn_flood_ipv6_present is changed + + +# --- +# Block UDP/TCP Ports out +# --- + +- name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv4.conf + register: block_udp_extern_out_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*block_upnp_traffic_out' block: | # ============= - # - Allow local services from ALL extern netwoks + # --- Block UDP Ports out # ============= - # - allow_all_ext_traffic_to_local_service + # - UDP Ports to block (only extern out) # - - # - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .." + # - Comma separated list of udp ports # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. 
+ block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) # - - # - Example: - # - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036 - # - allow extern traffic to https service at 2a01:30:1fff:fd00::204 + # - Comma separated list of tcp ports # - - # - allow_ext_net_to_local_service=" - # - 2a01:30:1fff:fd00::210,1036,tcp - # - 2a01:30:1fff:fd00::204,$standard_https_port,tcp - # - " + block_tcp_extern_out_ports="${standard_turn_service_ports}" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" + when: + - main_ipv4_exists.stat.exists + - block_udp_extern_out_ports_ipv4_present is changed + + +- name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv6.conf + register: block_udp_extern_out_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*block_upnp_traffic_out' + block: | + + + # ============= + # --- Block UDP Ports out + # ============= + + # - UDP Ports to block (only extern out) # - - # - Blank separated list + # - Comma separated list of udp ports # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) + # - + # - Comma separated list of tcp ports + # - + block_tcp_extern_out_ports="" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" when: - main_ipv6_exists.stat.exists - - 
allow_all_ext_traffic_to_local_service_ipv6_present is changed + - block_udp_extern_out_ports_ipv6_present is changed # ---
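Review bot: The IPv4 block in `Adjust file '/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports)` sets `block_tcp_extern_out_ports="${standard_turn_service_ports}"`, while the IPv6 block in this same hunk and both blocks in the roles/modify-ipt-gateway-ro hunk set `block_tcp_extern_out_ports=""`; if blocking the TURN ports outbound is intended, it currently takes effect only for IPv4 and only on non-`ro` hosts, leaving the same traffic open over IPv6. Either set `block_tcp_extern_out_ports="${standard_turn_service_ports}"` in the IPv6 block and in the ro role as well, or add a comment in the block explaining why IPv4 alone is restricted. `${standard_turn_service_ports}` is assumed to be defined by the ipt-firewall script itself, which is worth confirming, since an undefined shell variable expands to an empty list and silently blocks nothing. The guard `grep -q -E "^block_udp_extern_out_ports="` only tests the udp variable, so a config that already carries it but lacks `block_tcp_extern_out_ports` never receives the tcp line; a separate check registered for the tcp variable would close that gap.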