From 6ccc79e9c4f97fffb51e81b722da57d8d14646d0 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 10 Feb 2022 23:18:52 +0100
Subject: [PATCH] update..
---
roles/modify-ipt-gateway-ro/tasks/main.yml | 995 +----------------
roles/modify-ipt-gateway/tasks/main.yml | 1123 +-------------------
2 files changed, 28 insertions(+), 2090 deletions(-)
diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml
index 24f5c74..4fc3cba 100644
--- a/roles/modify-ipt-gateway-ro/tasks/main.yml
+++ b/roles/modify-ipt-gateway-ro/tasks/main.yml
@@ -48,542 +48,45 @@ # Adjust some lines # --- -- name: addjust line 'jitsi_tcp_ports' (IPv4) +- name: addjust line 'zoom_udp_ports' (IPv4) lineinfile: path: /ro/etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + regexp: '^zoom_udp_ports=' + line: 'zoom_udp_ports="$standard_zoom_udp_ports"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall -- name: addjust line 'jitsi_tcp_ports' (IPv6) +- name: addjust line 'zoom_udp_ports' (IPv6) lineinfile: path: /ro/etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + regexp: '^zoom_udp_ports=' + line: 'zoom_udp_ports="$standard_zoom_udp_ports"' when: - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall - name: addjust line 'jitsi_udp_ports' (IPv4) lineinfile: path: /ro/etc/ipt-firewall/main_ipv4.conf regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall - name: addjust line 'jitsi_udp_ports' (IPv6) lineinfile: path: /ro/etc/ipt-firewall/main_ipv6.conf regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"' when: - main_ipv6_exists.stat.exists - -- name: addjust line 'brscan_port' (IPv4) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - regexp: '^brscan_port=' - line: 'brscan_port="$standard_brother_brscan_port"' - -- name: addjust line 'brscan_port' (IPv6) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - regexp: '^brscan_port=' - line: 'brscan_port="$standard_brother_brscan_port"' - when: - - main_ipv6_exists.stat.exists - - -# --- -# allow_ms_skype_teams_out -# --- - -- name: Check if String 'allow_ms_skype_teams_out..' 
(IPv4) is present - shell: grep -q -E "^allow_ms_skype_teams_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: ms_skype_teams_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ms_skype_teams_out_ipv4_present.rc > 1" - changed_when: "ms_skype_teams_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (ms teams) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_ms_skype_teams_out' - line: 'allow_ms_skype_teams_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - ms_skype_teams_out_ipv4_present is changed - -- name: Check if String 'allow_ms_skype_teams_out..' (IPv6) is present - shell: grep -q -E "^allow_ms_skype_teams_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: ms_skype_teams_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ms_skype_teams_out_ipv6_present.rc > 1" - changed_when: "ms_skype_teams_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (ms teams) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_ms_skype_teams_out' - line: 'allow_ms_skype_teams_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - ms_skype_teams_out_ipv6_present is changed - - -# --- -# allow_jitsi_video_conference_out -# --- - -- name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: jitsi_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - jitsi_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: jitsi_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - jitsi_video_conference_out_ipv6_present is changed - -# --- -# allow_nc_talk_out -# --- - -- name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present - shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: nc_talk_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_talk_out_ipv4_present.rc > 1" - changed_when: "nc_talk_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (nc_talk) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - nc_talk_out_ipv4_present is changed - -- name: Check if String 'allow_nc_talk_out..' (IPv6) is present - shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: nc_talk_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_talk_out_ipv6_present.rc > 1" - changed_when: "nc_talk_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (nc_talk) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - nc_talk_out_ipv6_present is changed - - -# --- -# allow_webex_video_conference_out -# --- - -- name: Check if String 'allow_webex_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_webex_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: webex_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "webex_video_conference_out_ipv4_present.rc > 1" - changed_when: "webex_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (webex) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_webex_video_conference_out' - line: 'allow_webex_video_conference_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - webex_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_webex_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_webex_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: webex_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "webex_video_conference_out_ipv6_present.rc > 1" - changed_when: "webex_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (webex) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_webex_video_conference_out' - line: 'allow_webex_video_conference_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - webex_video_conference_out_ipv6_present is changed - - -# --- -# allow_alfaview_video_conference_out -# --- - -- name: Check if String 'allow_alfaview_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_alfaview_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: alfaview_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "alfaview_video_conference_out_ipv4_present.rc > 1" - changed_when: "alfaview_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_alfaview_video_conference_out' - line: 'allow_alfaview_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - alfaview_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_alfaview_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_alfaview_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: alfaview_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "alfaview_video_conference_out_ipv6_present.rc > 1" - changed_when: "alfaview_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_alfaview_video_conference_out' - line: 'allow_alfaview_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - alfaview_video_conference_out_ipv6_present is changed - - -# --- -# Remote VPN ports -# --- - -- name: Check if String '# Remote VPN ports..' 
(IPv4) is present - shell: grep -q -E "^# Remote VPN ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: vpn_out_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "vpn_out_ports_ipv4_present.rc > 1" - changed_when: "vpn_out_ports_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (Remote VPN ports) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - # Remote VPN ports - # - vpn_out_ports="$standard_vpn_port" - marker: "# Marker set by modify-ipt-gateway.yml (vpn_out_ports)" - when: - - main_ipv4_exists.stat.exists - - vpn_out_ports_ipv4_present is changed - -- name: Check if String '# Remote VPN ports..' (IPv6) is present - shell: grep -q -E "^# Remote VPN ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: vpn_out_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "vpn_out_ports_ipv6_present.rc > 1" - changed_when: "vpn_out_ports_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (Remote VPN ports) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - # Remote VPN ports - # - vpn_out_ports="$standard_vpn_port" - marker: "# Marker set by modify-ipt-gateway.yml (vpn_out_ports)" - when: - - main_ipv6_exists.stat.exists - - vpn_out_ports_ipv6_present is changed - - -# --- -# u.a. Cisco VPN -# --- - -- name: Check if String '# Remote WireGuard Ports..' 
(IPv4) is present - shell: grep -q -E "^# Remote WireGuard Ports" /ro/etc/ipt-firewall/main_ipv4.conf - register: wg_out_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "wg_out_ports_ipv4_present.rc > 1" - changed_when: "wg_out_ports_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (Cisco VPN) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*wg_local_net_ports' - block: | - # Remote WireGuard Ports - # - wg_out_ports="$standard_wg_port" - - - # ====== - # - Cisco VPN - # ====== - - cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" - cisco_vpn_out_protocol="esp" - marker: "# Marker set by modify-ipt-gateway.yml (cisco_vpn)" - when: - - main_ipv4_exists.stat.exists - - wg_out_ports_ipv4_present is changed - -- name: Check if String '# Remote WireGuard Ports..' (IPv6) is present - shell: grep -q -E "^# Remote WireGuard Ports" /ro/etc/ipt-firewall/main_ipv6.conf - register: wg_out_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "wg_out_ports_ipv6_present.rc > 1" - changed_when: "wg_out_ports_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (Cisco VPN) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*wg_local_net_ports' - block: | - # Remote WireGuard Ports - # - wg_out_ports="$standard_wg_port" - - - # ====== - # - Cisco VPN - # ====== - - cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" - cisco_vpn_out_protocol="esp" - marker: "# Marker set by modify-ipt-gateway.yml (cisco_vpn)" - when: - - main_ipv6_exists.stat.exists - - wg_out_ports_ipv6_present is changed - - -# --- -# WireGuard Service -# --- - -- name: Check if String 'local_wg_service..' 
(IPv4) is present - shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv4.conf - register: local_wg_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "local_wg_service_ipv4_present.rc > 1" - changed_when: "local_wg_service_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (local_wg_service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # ====== - # - WireGuard Service - # ====== - - # - WireGuard Service on Gateway? - # - - local_wg_service=true - wg_gw_ports="$standard_wg_port" - - # - WireGuard Services DMZ (reachable also from WAN) - # - - # - wg_server_dmz_arr=[]= - # - - # - Note: - # - Each extern interface can have only one thuch service - # - - # - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 - # - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 - # - - # - Multiple settins of this parameter is possible - # - - declare -A wg_server_dmz_arr - - # - Local WireGuard Ports - # - - # - Blank separated list - # - - wg_local_net_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" - when: - - main_ipv4_exists.stat.exists - - local_wg_service_ipv4_present is changed - -- name: Check if String 'local_wg_service..' (IPv6) is present - shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv6.conf - register: local_wg_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "local_wg_service_ipv6_present.rc > 1" - changed_when: "local_wg_service_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (local_wg_service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # ====== - # - WireGuard Service - # ====== - - # - WireGuard Service on Gateway? 
- # - - local_wg_service=true - wg_gw_ports="$standard_wg_port" - - # - WireGuard Services DMZ (reachable also from WAN) - # - - # - wg_server_dmz_arr=[]= - # - - # - Note: - # - Each extern interface can have only one thuch service - # - - # - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2 - # - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1 - # - - # - Multiple settins of this parameter is possible - # - - declare -A wg_server_dmz_arr - - # - Local WireGuard Ports - # - - # - Blank separated list - # - - wg_local_net_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" - when: - - main_ipv6_exists.stat.exists - - local_wg_service_ipv6_present is changed - - -- name: Check if String 'allow_wg_out..' (IPv4) is present - shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: allow_wg_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_wg_out_ipv4_present.rc > 1" - changed_when: "allow_wg_out_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_out_ports' - block: | - # WireGuard - # - allow_wg_out=true - wg_out_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" - when: - - main_ipv4_exists.stat.exists - - allow_wg_out_ipv4_present is changed - -- name: Check if String 'allow_wg_out..' 
(IPv6) is present - shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: allow_wg_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_wg_out_ipv6_present.rc > 1" - changed_when: "allow_wg_out_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_out_ports' - block: | - # WireGuard - # - allow_wg_out=true - wg_out_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" - when: - - main_ipv6_exists.stat.exists - - allow_wg_out_ipv6_present is changed - - -- name: Check if String 'wg_ifs..' (IPv4) is present - shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv4.conf - register: wg_ifs_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "wg_ifs_ipv4_present.rc > 1" - changed_when: "wg_ifs_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) - blockinfile: - path: /ro/etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*vpn_ifs' - block: | - # - WireGuard Interfaces - # - - # - (blank separated list) - # - - wg_ifs="wg+" - marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" - when: - - interfaces_ipv4_exists.stat.exists - - wg_ifs_ipv4_present is changed - -- name: Check if String 'wg_ifs..' 
(IPv6) is present - shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv6.conf - register: wg_ifs_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "wg_ifs_ipv6_present.rc > 1" - changed_when: "wg_ifs_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) - blockinfile: - path: /ro/etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*vpn_ifs' - block: | - # - WireGuard Interfaces - # - - # - (blank separated list) - # - - wg_ifs="wg+" - marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" - when: - - interfaces_ipv6_exists.stat.exists - - wg_ifs_ipv6_present is changed + notify: + - Restart IPv6 Firewall # --- 
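Review bot: The new `line: 'zoom_udp_ports="$standard_zoom_udp_ports"'` and `line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"'` values reference shell variables that nothing in this commit defines — the diffstat shows only the two task files changed — so unless `standard_zoom_udp_ports` and `standard_jitsi_udp_ports` already exist in the firewall's own default definitions, they expand to an empty string when the rule set is built and the effective port match silently differs from what the config file appears to say; this is worth confirming against the ipt-firewall defaults before rollout, and the same `standard_jitsi_udp_port_range` to `standard_jitsi_udp_ports` rename appears in the `@@ -72,7 +64,7 @@` hunk of `roles/modify-ipt-gateway/tasks/main.yml`. The two zoom tasks also run `lineinfile` with only a `regexp`, so on a host whose config has no `zoom_udp_ports=` line yet the module appends it at end of file rather than next to the other port settings; if placement matters, add e.g. `insertafter: '^#?\s*jitsi_udp_ports='` or guard the task with a presence check as the removed tasks did. The `main_ipv4_exists` and `main_ipv6_exists` facts consulted by the `when:` conditions are registered outside this hunk.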
@@ -677,284 +180,6 @@ -# --- -# Allow extern services / networks -# --- - -- name: Check if String 'allow_to_ext_service..' (IPv4) is present - shell: grep -q -E "^allow_to_ext_service=" /ro/etc/ipt-firewall/main_ipv4.conf - register: allow_to_ext_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_to_ext_service_ipv4_present.rc > 1" - changed_when: "allow_to_ext_service_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_to_ext_service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_local_net_to_ext_net' - block: | - - # ============= - # - Allow extern service - # ============= - - # - allow_to_ext_service - # - - # - allow_to_ext_service=" [ext-ip:port:protocol> [.." - # - - # - All traffic to the given (extern) service is allowed - # - - # - Example: - # - allow_to_ext_service="83.223.86.98:3306:tcp - # - 83.223.86.98:10194:udp" - # - - # - Blank separated list - # - - allow_to_ext_service="" - - - - # ============= - # - Allow extern network - # ============= - - # - allow_to_ext_net - # - - # - Allow all traffic to given extern network - # - - # - allow_to_ext_net=" [ [.." - # - - # - All traffic to the given (extern) network is allowed - # - - # - Example: - # - allow_to_ext_net="83.223.86.98/32 - # - 83.223.86.101/32 - # - 192.68.11.81/27" - # - - # - Blank separated list - # - - allow_to_ext_net="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)" - when: - - main_ipv4_exists.stat.exists - - allow_to_ext_service_ipv4_present is changed - -- name: Check if String 'allow_to_ext_service..' 
(IPv6) is present - shell: grep -q -E "^allow_to_ext_service=" /ro/etc/ipt-firewall/main_ipv6.conf - register: allow_to_ext_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_to_ext_service_ipv6_present.rc > 1" - changed_when: "allow_to_ext_service_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_to_ext_service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_local_net_to_ext_net' - block: | - - # ============= - # - Allow extern service - # ============= - - # - allow_to_ext_service - # - - # - Allow all traffic to given extern service - # - - # - allow_to_ext_service=" [ext-ip,port,protocol> [.." - # - - # - All traffic to the given (extern) service is allowed - # - - # - Example: - # - allow_to_ext_service="2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp - # - 2a01:30:0:13:211:84ff:feb7:7f9c,10194,tcp" - # - - # - Blank separated list - # - - allow_to_ext_service="" - - - - # ============= - # - Allow extern network - # ============= - - # - allow_to_ext_net - # - - # - Allow all traffic to given extern network - # - - # - allow_to_ext_net=" [ [.." - # - - # - All traffic from the given (local) network to the given (extern) network is allowed - # - - # - Example: - # - allow_to_ext_net="2a01:30:0:13:211:84ff:feb7:7f9c/64 - # - 2001:678:a40:3000::/64" - # - - # - Blank separated list - # - - allow_to_ext_net="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)" - when: - - main_ipv6_exists.stat.exists - - allow_to_ext_service_ipv6_present is changed - - - -# --- -# Epson Network Scanner -# --- - -- name: Check if String 'epson_scanner_ips..' 
(IPv4) is present - shell: grep -q -E "^epson_scanner_ips=" /ro/etc/ipt-firewall/main_ipv4.conf - register: epson_scanner_ips_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "epson_scanner_ips_ipv4_present.rc > 1" - changed_when: "epson_scanner_ips_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (epson_scanner) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*brscan_port' - block: | - # ====== - # - Epson Network Scan - # ====== - - # - IP Adresses Epson Network Scanner - # - - # - Blank seoarated list - # - - epson_scanner_ips="" - epson_scan_port="$standard_epson_network_scan_port" - - marker: "# Marker set by modify-ipt-gateway.yml (epson_scanner)" - when: - - main_ipv4_exists.stat.exists - - epson_scanner_ips_ipv4_present is changed - -- name: Check if String 'epson_scanner_ips..' (IPv6) is present - shell: grep -q -E "^epson_scanner_ips=" /ro/etc/ipt-firewall/main_ipv6.conf - register: epson_scanner_ips_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "epson_scanner_ips_ipv6_present.rc > 1" - changed_when: "epson_scanner_ips_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (epson_scanner) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*brscan_port' - block: | - # ====== - # - Epson Network Scan - # ====== - - # - IP Adresses Epson Network Scanner - # - - # - Blank seoarated list - # - - epson_scanner_ips="" - epson_scan_port="$standard_epson_network_scan_port" - - marker: "# Marker set by modify-ipt-gateway.yml (epson_scanner)" - when: - - main_ipv6_exists.stat.exists - - epson_scanner_ips_ipv6_present is changed - - -# --- -# Skype for Business Online und Microsoft Teams -# --- - -- name: Check if String 'ms_skype_teams_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^ms_skype_teams_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: ms_skype_teams_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ms_skype_teams_ipv4_present.rc > 1" - changed_when: "ms_skype_teams_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (ms teams service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Skype for Business Online und Microsoft Teams - # ====== - - # - Skype for Business Online und Microsoft Teams - # - - # - TCP 80,443 - # - - # - UDP 3478,3479,3480,3481 --> 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 - # - - # - Example: - # - - # - standard_ms_skype_teams_tcp_ports="80,443" - # - standard_ms_skype_teams_udp4_ports="3478,3479,3480,3481" - # - standard_ms_skype_teams_udp4_hosts=" - # - 13.107.64.0/18 - # - 52.112.0.0/14 - # - 52.120.0.0/14 - # - " - # - - # - Set to default values: - # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - # - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports" - # - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts" - # - - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports" - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts" - marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)" - when: - - main_ipv4_exists.stat.exists - - ms_skype_teams_ipv4_present is changed - -- name: Check if String 'ms_skype_teams_tcp_ports=..' 
(IPv6) is present - shell: grep -q -E "^ms_skype_teams_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: ms_skype_teams_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ms_skype_teams_ipv6_present.rc > 1" - changed_when: "ms_skype_teams_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (ms teams service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Skype for Business Online und Microsoft Teams - # ====== - - # - Skype for Business Online und Microsoft Teams - # - - # - TCP 80,443 - # - - # - Example: - # - - # - standard_ms_skype_teams_tcp_ports="80,443" - # - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481" - # - standard_ms_skype_teams_udp6_hosts=" - # - 2a01:30:0:13:5054:ff:fe9f:422f/64 - # - 2a01:4f8:231:19a7::2/52 - # - " - # - - # - Set to default values: - # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - # - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports" - # - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts" - # - - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports" - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts" - marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)" - when: - - main_ipv6_exists.stat.exists - - ms_skype_teams_ipv6_present is changed - - # --- # jitsi video conference service # --- 
@@ -1034,143 +259,6 @@ - jitsi_service_ipv6_present is changed -# --- -# webex video conference service -# --- - -- name: Check if String 'webex_tcp_ports=..' (IPv4) is present - shell: grep -q -E "^webex_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: webex_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "webex_service_ipv4_present.rc > 1" - changed_when: "webex_service_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (webex service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Webex Meeting - # ====== - - # - Webex Meeting (Videokonferenz) - # - - # - TCP 80/443: Outbound Client Zugriffsport und Webes Events (Audiostreaming) - # - - # - UDP 9000: Outbound (VoIP and RTP) - # - - # - --- - # - - # - TCP 5004: Fall-back ports for media connectivity when UDP port 9000 - # - is not open in the firewall - # - - webex_tcp_ports="$standard_webex_tcp_ports" - webex_udp_ports="$standard_webex_udp_ports" - - webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" - marker: "# Marker set by modify-ipt-gateway.yml (webex service)" - when: - - main_ipv4_exists.stat.exists - - webex_service_ipv4_present is changed - -- name: Check if String 'webex_tcp_ports=..' 
(IPv6) is present - shell: grep -q -E "^webex_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: webex_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "webex_service_ipv6_present.rc > 1" - changed_when: "webex_service_ipv6_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (webex service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Webex Meeting - # ====== - - # - Webex Meeting (Videokonferenz) - # - - # - TCP 80/443: Outbound Client Zugriffsport und Webes Events (Audiostreaming) - # - - # - UDP 9000: Outbound (VoIP and RTP) - # - - # - --- - # - - # - TCP 5004: Fall-back ports for media connectivity when UDP port 9000 - # - is not open in the firewall - # - - webex_tcp_ports="$standard_webex_tcp_ports" - webex_udp_ports="$standard_webex_udp_ports" - - webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" - marker: "# Marker set by modify-ipt-gateway.yml (webex service)" - when: - - main_ipv6_exists.stat.exists - - webex_service_ipv6_present is changed - - - -# --- -# alfaview video conference service -# --- - -- name: Check if String 'alfaview_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^alfaview_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: alfaview_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "alfaview_service_ipv4_present.rc > 1" - changed_when: "alfaview_service_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (alfaview service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - alfaview - Video Conferencing Systems - # ====== - - # - alfaview Service Ports - # - - alfaview_tcp_ports="$standard_alfaview_service_tcp_ports" - alfaview_udp_ports="$standard_alfaview_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (alfaview service)" - when: - - main_ipv4_exists.stat.exists - - alfaview_service_ipv4_present is changed - -- name: Check if String 'alfaview_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^alfaview_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: alfaview_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "alfaview_service_ipv6_present.rc > 1" - changed_when: "alfaview_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (alfaview service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - alfaview - Video Conferencing Systems - # ====== - - # - alfaview Service Ports - # - - alfaview_tcp_ports="$standard_alfaview_service_tcp_ports" - alfaview_udp_ports="$standard_alfaview_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (alfaview service)" - when: - - main_ipv6_exists.stat.exists - - alfaview_service_ipv6_present is changed - - # --- # TURN Server (Stun Server) (for Nextcloud 'talk' app) # --- 
@@ -1244,49 +332,6 @@ - nc_turn_service_ipv6_present is changed -# --- -# Allow Outbound Streamin / Echo360 Video Streaming -# --- - -- name: Check if String 'allow_outbound_streaming..' (IPv4) is present - shell: grep -q -E "^allow_outbound_streaming=" /ro/etc/ipt-firewall/main_ipv4.conf - register: allow_outbound_streaming_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_outbound_streaming_ipv4_present.rc > 1" - changed_when: "allow_outbound_streaming_ipv4_present.rc > 0" - -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_outbound_streaming) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_mumble_request_out' - block: | - allow_outbound_streaming=true - allow_echo360_video_streaming=true - marker: "# Marker set by modify-ipt-gateway.yml (allow_outbound_streaming)" - when: - - main_ipv4_exists.stat.exists - - allow_outbound_streaming_ipv4_present is changed - -- name: Check if String 'allow_outbound_streaming..' (IPv6) is present - shell: grep -q -E "^allow_outbound_streaming=" /ro/etc/ipt-firewall/main_ipv6.conf - register: allow_outbound_streaming_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_outbound_streaming_ipv6_present.rc > 1" - changed_when: "allow_outbound_streaming_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_outbound_streaming) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_mumble_request_out' - block: | - allow_outbound_streaming=true - allow_echo360_video_streaming=true - marker: "# Marker set by modify-ipt-gateway.yml (allow_outbound_streaming)" - when: - - main_ipv6_exists.stat.exists - - allow_outbound_streaming_ipv6_present is changed - - # --- # Remove Marker set by blockinfile # --- diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index bef3a71..baa0e3f 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml 
+++ b/roles/modify-ipt-gateway/tasks/main.yml @@ -19,50 +19,42 @@ stat: path: /etc/ipt-firewall/main_ipv4.conf register: main_ipv4_exists - notify: - - Restart IPv4 Firewall - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists stat: path: /etc/ipt-firewall/main_ipv6.conf register: main_ipv6_exists - notify: - - Restart IPv6 Firewall - name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists stat: path: /etc/ipt-firewall/interfaces_ipv4.conf register: interfaces_ipv4_exists - notify: - - Restart IPv4 Firewall - name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists stat: path: /etc/ipt-firewall/interfaces_ipv6.conf register: interfaces_ipv6_exists - notify: - - Restart IPv6 Firewall # --- # Adjust some lines # --- -- name: addjust line 'jitsi_tcp_ports' (IPv4) +- name: addjust line 'zoom_udp_ports' (IPv4) lineinfile: path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + regexp: '^zoom_udp_ports=' + line: 'zoom_udp_ports="$standard_zoom_udp_ports"' when: - main_ipv4_exists.stat.exists notify: - Restart IPv4 Firewall -- name: addjust line 'jitsi_tcp_ports' (IPv6) +- name: addjust line 'zoom_udp_ports' (IPv6) lineinfile: path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + regexp: '^zoom_udp_ports=' + line: 'zoom_udp_ports="$"standard_zoom_udp_ports' when: - main_ipv6_exists.stat.exists notify: @@ -72,7 +64,7 @@ lineinfile: path: /etc/ipt-firewall/main_ipv4.conf regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"' when: - main_ipv4_exists.stat.exists notify: 
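Review bot: The IPv6 zoom task in this hunk writes `line: 'zoom_udp_ports="$"standard_zoom_udp_ports'`, which misplaces the closing quote: when main_ipv6.conf is sourced by the shell, `"$"` is a literal dollar sign, so the variable receives the text `$standard_zoom_udp_ports` rather than the expanded port list, and the ip6tables rule built from it will presumably fail to load or be left out of the rule set. The IPv4 task just above and both zoom tasks in the -ro role use the intended form; change the line to `line: 'zoom_udp_ports="$standard_zoom_udp_ports"'`. The same misquoting recurs in the `@@ -82,576 +74,12 @@` hunk for the IPv6 `jitsi_udp_ports` task, which should read `line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"'`. The IPv6 zoom task's `notify` list continues outside this hunk.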
@@ -82,576 +74,12 @@ lineinfile: path: /etc/ipt-firewall/main_ipv6.conf regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + line: 'jitsi_udp_ports="$"standard_jitsi_udp_ports' when: - main_ipv6_exists.stat.exists notify: - Restart IPv6 Firewall -- name: addjust line 'brscan_port' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^brscan_port=' - line: 'brscan_port="$standard_brother_brscan_port"' - when: - - main_ipv4_exists.stat.exists - notify: - - Restart IPv4 Firewall - -- name: addjust line 'brscan_port' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^brscan_port=' - line: 'brscan_port="$standard_brother_brscan_port"' - when: - - main_ipv6_exists.stat.exists - notify: - - Restart IPv6 Firewall - - -# --- -# allow_ms_skype_teams_out -# --- - -- name: Check if String 'allow_ms_skype_teams_out..' (IPv4) is present - shell: grep -q -E "^allow_ms_skype_teams_out=" /etc/ipt-firewall/main_ipv4.conf - register: ms_skype_teams_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ms_skype_teams_out_ipv4_present.rc > 1" - changed_when: "ms_skype_teams_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms teams) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_ms_skype_teams_out' - line: 'allow_ms_skype_teams_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - ms_skype_teams_out_ipv4_present is changed - -- name: Check if String 'allow_ms_skype_teams_out..' 
(IPv6) is present - shell: grep -q -E "^allow_ms_skype_teams_out=" /etc/ipt-firewall/main_ipv6.conf - register: ms_skype_teams_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ms_skype_teams_out_ipv6_present.rc > 1" - changed_when: "ms_skype_teams_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ms teams) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_ms_skype_teams_out' - line: 'allow_ms_skype_teams_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - ms_skype_teams_out_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# allow_jitsi_video_conference_out -# --- - -- name: Check if String 'allow_jitsi_video_conference_out..' (IPv4) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - jitsi_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv6) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - jitsi_video_conference_out_ipv6_present is changed - notify: - - Restart IPv6 Firewall - -# --- -# allow_nc_talk_out -# --- - -- name: Check if String 'allow_nc_talk_out..' (IPv4) is present - shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv4.conf - register: nc_talk_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_talk_out_ipv4_present.rc > 1" - changed_when: "nc_talk_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_talk) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - nc_talk_out_ipv4_present is changed - -- name: Check if String 'allow_nc_talk_out..' 
(IPv6) is present - shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv6.conf - register: nc_talk_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_talk_out_ipv6_present.rc > 1" - changed_when: "nc_talk_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc_talk) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - nc_talk_out_ipv6_present is changed - -# --- -# allow_bigbluebutton_video_conference_out -# --- - -- name: Check if String 'allow_bigbluebutton_video_conference_out..' (IPv4) is present - shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: bigbluebutton_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 1" - changed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_bigbluebutton_video_conference_out' - line: 'allow_bigbluebutton_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - bigbluebutton_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_bigbluebutton_video_conference_out..' 
(IPv6) is present - shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: bigbluebutton_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 1" - changed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_bigbluebutton_video_conference_out' - line: 'allow_bigbluebutton_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - bigbluebutton_video_conference_out_ipv6_present is changed - - -# --- -# allow_webex_video_conference_out -# --- - -- name: Check if String 'allow_webex_video_conference_out..' (IPv4) is present - shell: grep -q -E "^allow_webex_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: webex_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "webex_video_conference_out_ipv4_present.rc > 1" - changed_when: "webex_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (webex) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_webex_video_conference_out' - line: 'allow_webex_video_conference_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - webex_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_webex_video_conference_out..' 
(IPv6) is present - shell: grep -q -E "^allow_webex_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: webex_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "webex_video_conference_out_ipv6_present.rc > 1" - changed_when: "webex_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (webex) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_webex_video_conference_out' - line: 'allow_webex_video_conference_out=true' - insertafter: '^#?\s*allow_bigbluebutton_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - webex_video_conference_out_ipv6_present is changed - - -# --- -# allow_alfaview_video_conference_out -# --- - -- name: Check if String 'allow_alfaview_video_conference_out..' (IPv4) is present - shell: grep -q -E "^allow_alfaview_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: alfaview_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "alfaview_video_conference_out_ipv4_present.rc > 1" - changed_when: "alfaview_video_conference_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_alfaview_video_conference_out' - line: 'allow_alfaview_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - alfaview_video_conference_out_ipv4_present is changed - -- name: Check if String 'allow_alfaview_video_conference_out..' 
(IPv6) is present - shell: grep -q -E "^allow_alfaview_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: alfaview_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "alfaview_video_conference_out_ipv6_present.rc > 1" - changed_when: "alfaview_video_conference_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_alfaview_video_conference_out' - line: 'allow_alfaview_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - alfaview_video_conference_out_ipv6_present is changed - - -# --- -# Remote VPN ports -# --- - -- name: Check if String '# Remote VPN ports..' (IPv4) is present - shell: grep -q -E "^# Remote VPN ports" /etc/ipt-firewall/main_ipv4.conf - register: vpn_out_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "vpn_out_ports_ipv4_present.rc > 1" - changed_when: "vpn_out_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (Remote VPN ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # Remote VPN ports - # - vpn_out_ports="$standard_vpn_port" - marker: "# Marker set by modify-ipt-gateway.yml (vpn_out_ports)" - when: - - main_ipv4_exists.stat.exists - - vpn_out_ports_ipv4_present is changed - -- name: Check if String '# Remote VPN ports..' 
(IPv6) is present - shell: grep -q -E "^# Remote VPN ports" /etc/ipt-firewall/main_ipv6.conf - register: vpn_out_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "vpn_out_ports_ipv6_present.rc > 1" - changed_when: "vpn_out_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (Remote VPN ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # Remote VPN ports - # - vpn_out_ports="$standard_vpn_port" - marker: "# Marker set by modify-ipt-gateway.yml (vpn_out_ports)" - when: - - main_ipv6_exists.stat.exists - - vpn_out_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# u.a. Cisco VPN -# --- - -- name: Check if String '# Remote WireGuard Ports..' (IPv4) is present - shell: grep -q -E "^# Remote WireGuard Ports" /etc/ipt-firewall/main_ipv4.conf - register: wg_out_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "wg_out_ports_ipv4_present.rc > 1" - changed_when: "wg_out_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (Cisco VPN) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*wg_local_net_ports' - block: | - # Remote WireGuard Ports - # - wg_out_ports="$standard_wg_port" - - - # ====== - # - Cisco VPN - # ====== - - cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" - cisco_vpn_out_protocol="esp" - marker: "# Marker set by modify-ipt-gateway.yml (cisco_vpn)" - when: - - main_ipv4_exists.stat.exists - - wg_out_ports_ipv4_present is changed - -- name: Check if String '# Remote WireGuard Ports..' 
(IPv6) is present - shell: grep -q -E "^# Remote WireGuard Ports" /etc/ipt-firewall/main_ipv6.conf - register: wg_out_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "wg_out_ports_ipv6_present.rc > 1" - changed_when: "wg_out_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (Cisco VPN) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*wg_local_net_ports' - block: | - # Remote WireGuard Ports - # - wg_out_ports="$standard_wg_port" - - - # ====== - # - Cisco VPN - # ====== - - cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" - cisco_vpn_out_protocol="esp" - marker: "# Marker set by modify-ipt-gateway.yml (cisco_vpn)" - when: - - main_ipv6_exists.stat.exists - - wg_out_ports_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# WireGuard Service -# --- - -- name: Check if String 'local_wg_service..' (IPv4) is present - shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv4.conf - register: local_wg_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "local_wg_service_ipv4_present.rc > 1" - changed_when: "local_wg_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_wg_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # ====== - # - WireGuard Service - # ====== - - # - WireGuard Service on Gateway? 
- # - - local_wg_service=true - wg_gw_ports="$standard_wg_port" - - # - WireGuard Services DMZ (reachable also from WAN) - # - - # - wg_server_dmz_arr=[]= - # - - # - Note: - # - Each extern interface can have only one thuch service - # - - # - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 - # - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 - # - - # - Multiple settins of this parameter is possible - # - - declare -A wg_server_dmz_arr - - # - Local WireGuard Ports - # - - # - Blank separated list - # - - wg_local_net_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" - when: - - main_ipv4_exists.stat.exists - - local_wg_service_ipv4_present is changed - -- name: Check if String 'local_wg_service..' (IPv6) is present - shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv6.conf - register: local_wg_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "local_wg_service_ipv6_present.rc > 1" - changed_when: "local_wg_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_wg_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_local_net_ports' - block: | - - # ====== - # - WireGuard Service - # ====== - - # - WireGuard Service on Gateway? 
- # - - local_wg_service=true - wg_gw_ports="$standard_wg_port" - - # - WireGuard Services DMZ (reachable also from WAN) - # - - # - wg_server_dmz_arr=[]= - # - - # - Note: - # - Each extern interface can have only one thuch service - # - - # - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2 - # - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1 - # - - # - Multiple settins of this parameter is possible - # - - declare -A wg_server_dmz_arr - - # - Local WireGuard Ports - # - - # - Blank separated list - # - - wg_local_net_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" - when: - - main_ipv6_exists.stat.exists - - local_wg_service_ipv6_present is changed - - -- name: Check if String 'allow_wg_out..' (IPv4) is present - shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv4.conf - register: allow_wg_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_wg_out_ipv4_present.rc > 1" - changed_when: "allow_wg_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_out_ports' - block: | - # WireGuard - # - allow_wg_out=true - wg_out_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" - when: - - main_ipv4_exists.stat.exists - - allow_wg_out_ipv4_present is changed - -- name: Check if String 'allow_wg_out..' 
(IPv6) is present - shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv6.conf - register: allow_wg_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_wg_out_ipv6_present.rc > 1" - changed_when: "allow_wg_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_out_ports' - block: | - # WireGuard - # - allow_wg_out=true - wg_out_ports="$standard_wg_port" - marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" - when: - - main_ipv6_exists.stat.exists - - allow_wg_out_ipv6_present is changed - - -- name: Check if String 'wg_ifs..' (IPv4) is present - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf - register: wg_ifs_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "wg_ifs_ipv4_present.rc > 1" - changed_when: "wg_ifs_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*vpn_ifs' - block: | - # - WireGuard Interfaces - # - - # - (blank separated list) - # - - wg_ifs="wg+" - marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" - when: - - interfaces_ipv4_exists.stat.exists - - wg_ifs_ipv4_present is changed - -- name: Check if String 'wg_ifs..' 
(IPv6) is present - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf - register: wg_ifs_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "wg_ifs_ipv6_present.rc > 1" - changed_when: "wg_ifs_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*vpn_ifs' - block: | - # - WireGuard Interfaces - # - - # - (blank separated list) - # - - wg_ifs="wg+" - marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" - when: - - interfaces_ipv6_exists.stat.exists - - wg_ifs_ipv6_present is changed - # --- # Allow local services from ALL extern netwoks 
@@ -744,284 +172,6 @@ - allow_all_ext_traffic_to_local_service_ipv6_present is changed -# --- -# Allow extern services / networks -# --- - -- name: Check if String 'allow_to_ext_service..' (IPv4) is present - shell: grep -q -E "^allow_to_ext_service=" /etc/ipt-firewall/main_ipv4.conf - register: allow_to_ext_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_to_ext_service_ipv4_present.rc > 1" - changed_when: "allow_to_ext_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_to_ext_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_local_net_to_ext_net' - block: | - - # ============= - # - Allow extern service - # ============= - - # - allow_to_ext_service - # - - # - allow_to_ext_service=" [ext-ip:port:protocol> [.." - # - - # - All traffic to the given (extern) service is allowed - # - - # - Example: - # - allow_to_ext_service="83.223.86.98:3306:tcp - # - 83.223.86.98:10194:udp" - # - - # - Blank separated list - # - - allow_to_ext_service="" - - - - # ============= - # - Allow extern network - # ============= - - # - allow_to_ext_net - # - - # - Allow all traffic to given extern network - # - - # - allow_to_ext_net=" [ [.." - # - - # - All traffic to the given (extern) network is allowed - # - - # - Example: - # - allow_to_ext_net="83.223.86.98/32 - # - 83.223.86.101/32 - # - 192.68.11.81/27" - # - - # - Blank separated list - # - - allow_to_ext_net="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)" - when: - - main_ipv4_exists.stat.exists - - allow_to_ext_service_ipv4_present is changed - - -- name: Check if String 'allow_to_ext_service..' 
(IPv6) is present - shell: grep -q -E "^allow_to_ext_service=" /etc/ipt-firewall/main_ipv6.conf - register: allow_to_ext_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_to_ext_service_ipv6_present.rc > 1" - changed_when: "allow_to_ext_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_to_ext_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_local_net_to_ext_net' - block: | - - # ============= - # - Allow extern service - # ============= - - # - allow_to_ext_service - # - - # - Allow all traffic to given extern service - # - - # - allow_to_ext_service=" [ext-ip,port,protocol> [.." - # - - # - All traffic to the given (extern) service is allowed - # - - # - Example: - # - allow_to_ext_service="2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp - # - 2a01:30:0:13:211:84ff:feb7:7f9c,10194,tcp" - # - - # - Blank separated list - # - - allow_to_ext_service="" - - - - # ============= - # - Allow extern network - # ============= - - # - allow_to_ext_net - # - - # - Allow all traffic to given extern network - # - - # - allow_to_ext_net=" [ [.." - # - - # - All traffic from the given (local) network to the given (extern) network is allowed - # - - # - Example: - # - allow_to_ext_net="2a01:30:0:13:211:84ff:feb7:7f9c/64 - # - 2001:678:a40:3000::/64" - # - - # - Blank separated list - # - - allow_to_ext_net="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)" - when: - - main_ipv6_exists.stat.exists - - allow_to_ext_service_ipv6_present is changed - - -# --- -# Epson Network Scanner -# --- - -- name: Check if String 'epson_scanner_ips..' 
(IPv4) is present - shell: grep -q -E "^epson_scanner_ips=" /etc/ipt-firewall/main_ipv4.conf - register: epson_scanner_ips_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "epson_scanner_ips_ipv4_present.rc > 1" - changed_when: "epson_scanner_ips_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (epson_scanner) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*brscan_port' - block: | - # ====== - # - Epson Network Scan - # ====== - - # - IP Adresses Epson Network Scanner - # - - # - Blank seoarated list - # - - epson_scanner_ips="" - epson_scan_port="$standard_epson_network_scan_port" - - marker: "# Marker set by modify-ipt-gateway.yml (epson_scanner)" - when: - - main_ipv4_exists.stat.exists - - epson_scanner_ips_ipv4_present is changed - -- name: Check if String 'epson_scanner_ips..' (IPv6) is present - shell: grep -q -E "^epson_scanner_ips=" /etc/ipt-firewall/main_ipv6.conf - register: epson_scanner_ips_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "epson_scanner_ips_ipv6_present.rc > 1" - changed_when: "epson_scanner_ips_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (epson_scanner) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*brscan_port' - block: | - # ====== - # - Epson Network Scan - # ====== - - # - IP Adresses Epson Network Scanner - # - - # - Blank seoarated list - # - - epson_scanner_ips="" - epson_scan_port="$standard_epson_network_scan_port" - - marker: "# Marker set by modify-ipt-gateway.yml (epson_scanner)" - when: - - main_ipv6_exists.stat.exists - - epson_scanner_ips_ipv6_present is changed - - -# --- -# Skype for Business Online und Microsoft Teams -# --- - -- name: Check if String 'ms_skype_teams_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^ms_skype_teams_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: ms_skype_teams_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ms_skype_teams_ipv4_present.rc > 1" - changed_when: "ms_skype_teams_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms teams service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Skype for Business Online und Microsoft Teams - # ====== - - # - Skype for Business Online und Microsoft Teams - # - - # - TCP 80,443 - # - - # - UDP 3478,3479,3480,3481 --> 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 - # - - # - Example: - # - - # - standard_ms_skype_teams_tcp_ports="80,443" - # - standard_ms_skype_teams_udp4_ports="3478,3479,3480,3481" - # - standard_ms_skype_teams_udp4_hosts=" - # - 13.107.64.0/18 - # - 52.112.0.0/14 - # - 52.120.0.0/14 - # - " - # - - # - Set to default values: - # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - # - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports" - # - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts" - # - - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports" - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts" - marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)" - when: - - main_ipv4_exists.stat.exists - - ms_skype_teams_ipv4_present is changed - -- name: Check if String 'ms_skype_teams_tcp_ports=..' 
(IPv6) is present - shell: grep -q -E "^ms_skype_teams_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: ms_skype_teams_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ms_skype_teams_ipv6_present.rc > 1" - changed_when: "ms_skype_teams_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ms teams service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Skype for Business Online und Microsoft Teams - # ====== - - # - Skype for Business Online und Microsoft Teams - # - - # - TCP 80,443 - # - - # - Example: - # - - # - standard_ms_skype_teams_tcp_ports="80,443" - # - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481" - # - standard_ms_skype_teams_udp6_hosts=" - # - 2a01:30:0:13:5054:ff:fe9f:422f/64 - # - 2a01:4f8:231:19a7::2/52 - # - " - # - - # - Set to default values: - # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - # - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports" - # - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts" - # - - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports" - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports" - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts" - marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)" - when: - - main_ipv6_exists.stat.exists - - ms_skype_teams_ipv6_present is changed - - # --- # jitsi video conference service # --- 
@@ -1101,142 +251,6 @@ - jitsi_service_ipv6_present is changed -# --- -# webex video conference service -# --- - -- name: Check if String 'webex_tcp_ports=..' (IPv4) is present - shell: grep -q -E "^webex_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: webex_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "webex_service_ipv4_present.rc > 1" - changed_when: "webex_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (webex service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Webex Meeting - # ====== - - # - Webex Meeting (Videokonferenz) - # - - # - TCP 80/443: Outbound Client Zugriffsport und Webes Events (Audiostreaming) - # - - # - UDP 9000: Outbound (VoIP and RTP) - # - - # - --- - # - - # - TCP 5004: Fall-back ports for media connectivity when UDP port 9000 - # - is not open in the firewall - # - - webex_tcp_ports="$standard_webex_tcp_ports" - webex_udp_ports="$standard_webex_udp_ports" - - webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" - marker: "# Marker set by modify-ipt-gateway.yml (webex service)" - when: - - main_ipv4_exists.stat.exists - - webex_service_ipv4_present is changed - -- name: Check if String 'webex_tcp_ports=..' 
(IPv6) is present - shell: grep -q -E "^webex_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: webex_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "webex_service_ipv6_present.rc > 1" - changed_when: "webex_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (webex service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*bigbluebutton_udp_ports' - block: | - - # ====== - # - Webex Meeting - # ====== - - # - Webex Meeting (Videokonferenz) - # - - # - TCP 80/443: Outbound Client Zugriffsport und Webes Events (Audiostreaming) - # - - # - UDP 9000: Outbound (VoIP and RTP) - # - - # - --- - # - - # - TCP 5004: Fall-back ports for media connectivity when UDP port 9000 - # - is not open in the firewall - # - - webex_tcp_ports="$standard_webex_tcp_ports" - webex_udp_ports="$standard_webex_udp_ports" - - webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" - marker: "# Marker set by modify-ipt-gateway.yml (webex service)" - when: - - main_ipv6_exists.stat.exists - - webex_service_ipv6_present is changed - - -# --- -# alfaview video conference service -# --- - -- name: Check if String 'alfaview_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^alfaview_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: alfaview_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "alfaview_service_ipv4_present.rc > 1" - changed_when: "alfaview_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (alfaview service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - alfaview - Video Conferencing Systems - # ====== - - # - alfaview Service Ports - # - - alfaview_tcp_ports="$standard_alfaview_service_tcp_ports" - alfaview_udp_ports="$standard_alfaview_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (alfaview service)" - when: - - main_ipv4_exists.stat.exists - - alfaview_service_ipv4_present is changed - -- name: Check if String 'alfaview_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^alfaview_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: alfaview_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "alfaview_service_ipv6_present.rc > 1" - changed_when: "alfaview_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (alfaview service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - alfaview - Video Conferencing Systems - # ====== - - # - alfaview Service Ports - # - - alfaview_tcp_ports="$standard_alfaview_service_tcp_ports" - alfaview_udp_ports="$standard_alfaview_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (alfaview service)" - when: - - main_ipv6_exists.stat.exists - - alfaview_service_ipv6_present is changed - - # --- # TURN Server (Stun Server) (for Nextcloud 'talk' app) # --- 
@@ -1309,127 +323,6 @@ - main_ipv6_exists.stat.exists - nc_turn_service_ipv6_present is changed -# --- -# BigBlueButton video conference service -# --- - -- name: Check if String 'bigbluebutton_tcp_ports=..' (IPv4) is present - shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: bigbluebutton_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "bigbluebutton_service_ipv4_present.rc > 1" - changed_when: "bigbluebutton_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - BigBlueButton Video Conference Service - # ====== - - # - BigBlueButton Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_bigbluebutton_video_conference_service=false - - # - BigBlueButton Video Conference Service Ports - # - - # - TCP 80: Webinterface. - # - TCP 443: Webinterface (SSL) - # - - # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams - # - - bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" - bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" - when: - - main_ipv4_exists.stat.exists - - bigbluebutton_service_ipv4_present is changed - -- name: Check if String 'bigbluebutton_tcp_ports=..' 
(IPv6) is present - shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: bigbluebutton_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "bigbluebutton_service_ipv6_present.rc > 1" - changed_when: "bigbluebutton_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - BigBlueButton Video Conference Service - # ====== - - # - BigBlueButton Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_bigbluebutton_video_conference_service=false - - # - BigBlueButton Video Conference Service Ports - # - - # - TCP 80: Webinterface. - # - TCP 443: Webinterface (SSL) - # - - # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams - # - - bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" - bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" - when: - - main_ipv6_exists.stat.exists - - bigbluebutton_service_ipv6_present is changed - - -# --- -# Allow Outbound Streamin / Echo360 Video Streaming -# --- - -- name: Check if String 'allow_outbound_streaming..' 
(IPv4) is present - shell: grep -q -E "^allow_outbound_streaming=" /etc/ipt-firewall/main_ipv4.conf - register: allow_outbound_streaming_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "allow_outbound_streaming_ipv4_present.rc > 1" - changed_when: "allow_outbound_streaming_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_outbound_streaming) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_mumble_request_out' - block: | - allow_outbound_streaming=true - allow_echo360_video_streaming=true - marker: "# Marker set by modify-ipt-gateway.yml (allow_outbound_streaming)" - when: - - main_ipv4_exists.stat.exists - - allow_outbound_streaming_ipv4_present is changed - -- name: Check if String 'allow_outbound_streaming..' (IPv6) is present - shell: grep -q -E "^allow_outbound_streaming=" /etc/ipt-firewall/main_ipv6.conf - register: allow_outbound_streaming_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "allow_outbound_streaming_ipv6_present.rc > 1" - changed_when: "allow_outbound_streaming_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_outbound_streaming) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_mumble_request_out' - block: | - allow_outbound_streaming=true - allow_echo360_video_streaming=true - marker: "# Marker set by modify-ipt-gateway.yml (allow_outbound_streaming)" - when: - - main_ipv6_exists.stat.exists - - allow_outbound_streaming_ipv6_present is changed - # --- # Remove Marker set by blockinfile