From 976f497d780cec571e40f411804463326f978c53 Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 24 Jan 2023 18:54:48 +0100 Subject: [PATCH] update.. --- group_vars/all/main.yml | 1 + host_vars/ga-nh-gw.oopen.de.yml.BAK | 210 ------------------------- host_vars/gw-ah.oopen.de.yml | 2 +- host_vars/gw-ebs.oopen.de.yml | 57 ++++++- host_vars/gw-elster.oopen.de.yml | 5 +- host_vars/o25.oopen.de.yml.BAK | 123 --------------- hosts | 101 ------------ roles/modify-ipt-server/tasks/main.yml | 179 +++++++++++++++++++++ 8 files changed, 239 insertions(+), 439 deletions(-) delete mode 100644 host_vars/ga-nh-gw.oopen.de.yml.BAK delete mode 100644 host_vars/o25.oopen.de.yml.BAK diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e81f1f4..d1e0dbc 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -828,6 +828,7 @@ apt_webserver_pkgs: - expect - expect-dev - libexpect-perl + - poppler-utils apt_install_postgresql_pkgs: false apt_postgresql_pkgs: diff --git a/host_vars/ga-nh-gw.oopen.de.yml.BAK b/host_vars/ga-nh-gw.oopen.de.yml.BAK deleted file mode 100644 index 7e872f7..0000000 --- a/host_vars/ga-nh-gw.oopen.de.yml.BAK +++ /dev/null 
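Review bot: The new `poppler-utils` entry in `apt_webserver_pkgs` gives no hint of which role or host consumes it, and because this list lives in `group_vars/all` it lands on every webserver in the inventory at once. Poppler's PDF parsers have a long CVE history, so if the package is there to process uploaded documents (an assumption — the consumer is not in this diff) the attack surface of every web host grows together. A one-line comment naming the consumer, e.g. `- poppler-utils  # pdftotext/pdfinfo for <application> — confirm`, would keep that trade-off reviewable later.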
@@ -1,210 +0,0 @@ ---- -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - - resolvconf - -network_interfaces: - - - device: eno1 - headline: eno1 - holds uplink WiDSL Antenna (ppp line widsl) - auto: true - family: inet - method: static - address: 10.12.136.254 - netmask: 24 - - - - device: dsl-widsl - headline: dsl-widsl - ppp line widsl - auto: true - family: inet - method: ppp - provider: dsl-widsl - pre-up: - - /sbin/ifconfig eno1 up - - - - device: eno2 - headline: eno2 - uplink Telekom (static line via digitbox) - auto: true - family: inet - method: static - address: 172.16.81.1 - netmask: 24 - gateway: 172.16.81.254 - nameservers: - - 192.168.81.1 - - 192.168.11.1 - search: ga.netz - - - - device: eno5 - headline: eno5 - LAN - auto: true - family: inet - method: static - address: 192.168.81.254 - netmask: 24 - - - - device: eno5:ns - headline: eno5:ns - Alias on eno5 (Nameserver) - auto: true - family: inet - method: static - address: 192.168.81.1 - netmask: 32 - - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -insert_ssh_keypair_backup_server: false -ssh_keypair_backup_server: - - name: backup - backup_user: back - priv_key_src: root/.ssh/id_rsa.backup.oopen.de - priv_key_dest: /root/.ssh/id_rsa - pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub - pub_key_dest: 
/root/.ssh/id_rsa.pub - -insert_keypair_backup_client: true -ssh_keypair_backup_client: - - name: backup - priv_key_src: root/.ssh/id_ed25519.oopen-server - priv_key_dest: /root/.ssh/id_ed25519 - pub_key_src: root/.ssh/id_ed25519.oopen-server.pub - pub_key_dest: /root/.ssh/id_ed25519.pub - target: backup.oopen.de - -default_user: - - - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: wadmin - password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: sysadm - user_id: 1050 - group_id: 1050 - group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' - - 
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - -sudo_users: - - chris - - sysadm - - wadmin - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -git_firewall_repository: - name: ipt-gateway - repo: https://git.oopen.de/firewall/ipt-gateway - dest: /usr/local/src/ipt-gateway - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. - diff --git a/host_vars/gw-ah.oopen.de.yml b/host_vars/gw-ah.oopen.de.yml index d86ae12..ec21fc2 100644 --- a/host_vars/gw-ah.oopen.de.yml +++ b/host_vars/gw-ah.oopen.de.yml @@ -131,7 +131,7 @@ bind9_gateway_acl: - internaldns: name: internaldns entries: - - '# Nameserver Kanzlei EBS' + - '// Nameserver Kanzlei EBS' - 192.168.182.1 bind9_gateway_listen_on_v6: diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index f2d433c..0e80d80 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml 
@@ -1,5 +1,58 @@ --- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via Fritz!Box + auto: true + family: inet + method: static + address: 172.16.182.1 + netmask: 24 + gateway: 172.16.182.254 + nameservers: + - 127.0.0.1 + - 192.168.182.1 + search: ebs.netz kanzlei-kiel.netz elster.netz + + + - device: eno2 + headline: eno2 - LAN + auto: true + family: inet + method: static + address: 192.168.182.254 + netmask: 24 + + + - device: eno2:ns + headline: eno2:ns - Alias on eno2 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.182.1 + netmask: 32 + # --- # vars used by roles/ansible_dependencies # --- @@ -129,9 +182,9 @@ bind9_gateway_acl: - internaldns: name: internaldns entries: - - '# Nameserver Kanzlei Kiel' + - '// Nameserver Kanzlei Kiel' - 192.168.100.1 - - '# Nameserver Kanzlei Elster' + - '// Nameserver Kanzlei Elster' - 192.168.202.1 bind9_gateway_listen_on_v6: diff --git a/host_vars/gw-elster.oopen.de.yml b/host_vars/gw-elster.oopen.de.yml index 0b90447..4c6de69 100644 --- a/host_vars/gw-elster.oopen.de.yml +++ b/host_vars/gw-elster.oopen.de.yml @@ -1,4 +1,5 @@ --- + # --- # vars used by roles/network_interfaces # --- @@ -32,7 +33,7 @@ network_interfaces: nameservers: - 127.0.0.1 - 192.168.202.1 - search: elster.netz + search: elster.netz ebs.netz - device: eno2 @@ -234,7 +235,7 @@ bind9_gateway_acl: - internaldns: name: internaldns entries: - - '# Nameserver Kanzlei EBS' + - '// Nameserver Kanzlei EBS' - 192.168.182.1 bind9_gateway_listen_on_v6: 
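Review bot: `network_manage_devices: True` and `network_interface_reload: False` use capitalised YAML 1.1 booleans while the rest of the new block writes `auto: true`; Ansible accepts both, but yamllint's `truthy` rule flags them, so write `network_manage_devices: true` and `network_interface_reload: false`. The comment above the first says additional files in `/etc/network/interfaces/interfaces.d/` are deleted, whereas `network_interface_path` is `/etc/network/interfaces.d` — presumably the comment is the wrong one, and since this flag authorises removing existing interface stanzas on a gateway it should name the real path: `# If true, all additional files in /etc/network/interfaces.d/ are deleted`. With reload disabled the new `eno1`/`eno2` stanzas, the `127.0.0.1` resolver and the widened `search: ebs.netz kanzlei-kiel.netz elster.netz` list are written but, going by that comment, not applied until the interfaces are next brought up, which is worth stating in the headline if it is intended.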
diff --git a/host_vars/o25.oopen.de.yml.BAK b/host_vars/o25.oopen.de.yml.BAK deleted file mode 100644 index b24f006..0000000 --- a/host_vars/o25.oopen.de.yml.BAK +++ /dev/null 
@@ -1,123 +0,0 @@ ---- - -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - resolvconf - - -network_interfaces: - - - device: br0 - # use only once per device (for the first device entry) - headline: br0 - bridge over device enp8s0 - - # auto & allow are only used for the first device entry - allow: [] # array of allow-[stanzas] eg. allow-hotplug - auto: true - - family: inet - method: static - hwaddress: 00:d8:61:0e:b9:1c - description: - address: 144.76.24.11 - netmask: 27 - gateway: 144.76.24.1 - metric: - pointopoint: - mtu: - scope: - - # additional user by dhcp method - # - hostname: - leasehours: - leasetime: - vendor: - client: - - # additional used by bootp method - # - bootfile: - server: - hwaddr: - - # optional dns settings nameservers: [] - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - nameservers: - - 195.201.179.131 - - 95.217.204.204 - search: - - # optional additional subnets/ips subnets: [] - # subnets: - # - '192.168.123.0/24' - # - '192.168.124.11/32' - - # optional bridge parameters bridge: {} - # bridge: - # ports: - # stp: - # fd: - # maxwait: - # waitport: - bridge: - ports: enp8s0 # for mor devices support a blank separated list - stp: !!str off - fd: 5 - hello: 2 - maxage: 12 - - # optional bonding parameters bond: {} - # bond: - # master - # primary - # slave - # method: - # miimon: - # lacp-rate: - # ad-select-rate: - # master: - # slaves: - bond: {} - - # optional vlan settings | vlan: {} - # vlan: {} - # raw-device: 'eth0' - vlan: {} - - # inline hook scripts - pre-up: [] # pre-up script 
lines - up: [] # up script lines - post-up: [] # post-up script lines (alias for up) - pre-down: [] # pre-down script lines (alias for down) - down: [] # down script lines - post-down: [] # post-down script lines - - - - - device: br0 - family: inet6 - method: static - address: 2a01:4f8:191:b::2 - netmask: 64 - gateway: fe80::1 diff --git a/hosts b/hosts index d739d28..075133e 100644 --- a/hosts +++ b/hosts @@ -19,9 +19,6 @@ dns1.warenform.de [extra_hosts] backup.oopen.de -gitea.so36.net -backup.so36.net - devel-root.wf.netz gw-123.oopen.de @@ -69,11 +66,8 @@ ga-st-kvm5.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz -server16.warenform.de -helden.warenform.de server18.warenform.de piwik.warenform.de -server20.warenform.de server22.warenform.de server23.warenform.de server24.warenform.de @@ -81,9 +75,6 @@ server25.warenform.de server26.warenform.de server27.warenform.de -# server20.warenform.de -cloud-giz.warenform.de - #server22.warenform.de nd.warenform.de nd-archiv.warenform.de @@ -161,7 +152,6 @@ o25.oopen.de # - o27.oopen.de o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK @@ -184,9 +174,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -# Jitsi Meet - AG Beratung -o34.oopen.de - o35.oopen.de b.ns.oopen.de cl-02.oopen.de @@ -214,18 +201,10 @@ lxc-host-kb.anw-kb.netz # - Warenform Server # --- -# server16 -server16.warenform.de -helden.warenform.de - # server18 server18.warenform.de piwik.warenform.de -# server20 -server20.warenform.de -cloud-giz.warenform.de - # server22 server22.warenform.de nd.warenform.de @@ -325,7 +304,6 @@ o25.oopen.de # - o27.oopen.de o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK @@ -352,9 +330,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -# Jitsi Meet - AG Beratung -o34.oopen.de - # - o35.oopen.de o35.oopen.de b.ns.oopen.de 
@@ -477,14 +452,6 @@ devel-todo.wf.netz devel-wiki.wf.netz -# --- -# so36.NET -# --- - -gitea.so36.net -backup.so36.net - - [apache2_webserver] # --- @@ -528,7 +495,6 @@ cl-irights.oopen.de # o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de mail.faire-mobilitaet.de # Backup Faire Mobilitaet @@ -567,15 +533,9 @@ ga-al-ws1.ga.netz # Warenform server # --- -# server16 -helden.warenform.de - # server18 piwik.warenform.de -# server20 -cloud-giz.warenform.de - # server22 nd.warenform.de nd-archiv.warenform.de @@ -683,9 +643,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -# Jitsi Meet - AG Beratung -o34.oopen.de - # o35.oopen.de cl-02.oopen.de @@ -888,7 +845,6 @@ o26.oopen.de # o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de # Backup Faire Mobilitaet o28.oopen.de @@ -920,15 +876,9 @@ cl-test.oopen.de # Warenform # --- -# server16.warenform.de -helden.warenform.de - # server18.warenform.de piwik.warenform.de -# server20.warenform.de -cloud-giz.warenform.de - # server22.warenform.de nd.warenform.de nd-archiv.warenform.de @@ -996,10 +946,6 @@ cl-test.oopen.de # Warenform # --- -# server20.warenform.de -cloud-giz.warenform.de - - [dns_server] # --- @@ -1061,15 +1007,9 @@ ga-st-mail.ga.netz # Warenform # --- -server16.warenform.de -helden.warenform.de - server18.warenform.de piwik.warenform.de -# server20.warenform.de -cloud-giz.warenform.de - server22.warenform.de nd-live.warenform.de nd-epaper.warenform.de @@ -1171,9 +1111,6 @@ server28.warenform.de # o30.oopen.de - AK Server Nextcloud/Jitsi Meet meet.akweb.de -# Jitsi Meet - AG Beratung -o34.oopen.de - [kvm_host] @@ -1225,9 +1162,7 @@ ga-st-lxc1.ga.netz # Warenform # --- -server16.warenform.de server18.warenform.de -server20.warenform.de server22.warenform.de server23.warenform.de server24.warenform.de @@ -1293,7 +1228,6 @@ mm-irights.oopen.de # - o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK 
@@ -1315,9 +1249,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -# Jitsi Meet - AG Beratung -o34.oopen.de - # o35.oopen.de cl-02.oopen.de e.mx.oopen.de @@ -1354,15 +1285,9 @@ ga-st-mail.ga.netz # Warenform Server # --- -# server16 -helden.warenform.de - # server18 piwik.warenform.de -# server20 -cloud-giz.warenform.de - # server22 nd.warenform.de nd-archiv.warenform.de @@ -1413,13 +1338,6 @@ devel-todo.wf.netz devel-wiki.wf.netz -# --- -# so36.NET -# --- - -gitea.so36.net - - # All oopen server (except office networks) [oopen_server] @@ -1480,7 +1398,6 @@ o25.oopen.de # - o27.oopen.de o27.oopen.de cl-fm.oopen.de -cl-fm-neu.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK @@ -1507,9 +1424,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -# Jitsi Meet - AG Beratung -o34.oopen.de - # - o35.oopen.de o35.oopen.de cl-02.oopen.de @@ -1531,13 +1445,6 @@ cl-test.oopen.de lxc-host-kb.anw-kb.netz -# --- -# so36.NET -# --- - -gitea.so36.net - - [oopen_office] bbb.b3-bornim.netz @@ -1596,18 +1503,10 @@ gateway_server_rw [warenform_server] -# server16 -server16.warenform.de -helden.warenform.de - # server18 server18.warenform.de piwik.warenform.de -# server20 -server20.warenform.de -cloud-giz.warenform.de - # server22 server22.warenform.de nd.warenform.de diff --git a/roles/modify-ipt-server/tasks/main.yml b/roles/modify-ipt-server/tasks/main.yml index af363c0..caa7e93 100644 --- a/roles/modify-ipt-server/tasks/main.yml +++ b/roles/modify-ipt-server/tasks/main.yml 
@@ -274,6 +274,185 @@
 - Restart IPv6 Firewall
+# ---
+# Mattermost (MM) Service
+# ---
+
+- name: Check if String 'mm_server_ips=..' is present
+ shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf
+ register: mattermost_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mattermost_service_ipv4_present.rc > 1"
+ changed_when: "mattermost_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*http_ports'
+ block: |
+
+ # - Mattermost (MM) Service
+ # -
+ mm_server_ips=""
+ forward_mm_server_ips=""
+
+ # - UDP Ports IN and OUT used by MM Servive
+ # -
+ mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+ marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - mattermost_service_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+
+- name: Check if String 'mm_server_ips=..' 
is present
+ shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf
+ register: mattermost_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "mattermost_service_ipv6_present.rc > 1"
+ changed_when: "mattermost_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*http_ports'
+ block: |
+
+ # - Mattermost (MM) Service
+ # -
+ mm_server_ips=""
+ forward_mm_server_ips=""
+
+ # - UDP Ports IN and OUT used by MM Servive
+ # -
+ mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+ marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mattermost_service_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
+
+
+# ---
+# Protection against and Limit Connections settings
+# ---
+
+- name: Check if String 'protection_against_syn_flooding=..' is present
+ shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf
+ register: protect_settings_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "protect_settings_ipv4_present.rc > 1"
+ changed_when: "protect_settings_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*create_iperf_rules'
+ block: |
+
+ # -------------
+ # - Protection against ... 
+ # -------------
+
+ # - Protection against syn-flooding
+ # -
+ protection_against_syn_flooding=true
+
+ # - Protection against port scanning
+ # -
+ protection_against_port_scanning=true
+
+ # - Protection against SSH brute-force attacks
+ # -
+ protection_against_ssh_brute_force_attacks=true
+
+
+ # -------------
+ # - Limit Connections
+ # -------------
+
+ # - Limit connections per source IP
+ # -
+ limit_connections_per_source_IP=true
+
+ # - Limit RST packets
+ # -
+ limit_rst_packets=true
+
+ # - Limit new TCP connections per second per source IP
+ # -
+ limit_new_tcp_connections_per_seconds_per_source_IP=true
+
+ marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - protect_settings_ipv4_present is changed
+ notify:
+ - Restart IPv4 Firewall
+
+
+- name: Check if String 'protection_against_syn_flooding=..' is present
+ shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf
+ register: protect_settings_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "protect_settings_ipv6_present.rc > 1"
+ changed_when: "protect_settings_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*create_iperf_rules'
+ block: |
+
+ # -------------
+ # - Protection against ... 
+ # ------------- + + # - Protection against syn-flooding + # - + protection_against_syn_flooding=true + + # - Protection against port scanning + # - + protection_against_port_scanning=true + + # - Protection against SSH brute-force attacks + # - + protection_against_ssh_brute_force_attacks=true + + + # ------------- + # - Limit Connections + # ------------- + + # - Limit connections per source IP + # - + limit_connections_per_source_IP=true + + # - Limit RST packets + # - + limit_rst_packets=true + + # - Limit new TCP connections per second per source IP + # - + limit_new_tcp_connections_per_seconds_per_source_IP=true + + marker: "# Marker set by modify-ipt-server.yml (protect_settings)" + when: + - main_ipv6_exists.stat.exists + - protect_settings_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # === # Remove Marker set by blockinfile # ===
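Review bot: Both Mattermost blocks expand `$stansard_mattermost_udp_ports_in` and `$stansard_mattermost_udp_ports_out`, which reads as a typo for `standard_…`, and a shell-sourced config (the `$var` syntax suggests that is how `main_ipv*.conf` is read) expands an unset name to an empty string. Because `mm_server_ips` is also written empty, nothing misbehaves until an admin fills in the server IPs; at that point the empty port list means the Mattermost UDP rules are silently skipped or, depending on how the script handles an empty list, left unrestricted — the ipt-firewall script is outside this diff, so check there, and check that it does not itself define the misspelt name, before renaming. The fix is `mm_udp_ports_in="$standard_mattermost_udp_ports_in"` and `mm_udp_ports_out="$standard_mattermost_udp_ports_out"` in both the IPv4 and IPv6 blocks, and `MM Servive` in the comment above them should read `MM Service`. The four `shell: grep -q -E "^…=" /etc/ipt-firewall/main_ipv*.conf` presence checks use no shell features, so `command:` is the tighter module for them (ansible-lint's `command-instead-of-shell`), while the `failed_when: rc > 1` / `changed_when: rc > 0` pairing is the file's existing idiom and can stay. The task whose `notify:` opens the hunk and the `Remove Marker set by blockinfile` section that closes it lie outside it.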