From a0208e6e781f610caf11eee0aa6a2c67c439a67e Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 2 Feb 2022 23:02:16 +0100
Subject: [PATCH] Add support for 'Microsoft Teams' on gateway firewalls.
---
 roles/modify-ipt-gateway-ro/tasks/main.yml | 139 +++++++++++++++++++-
 roles/modify-ipt-gateway/tasks/main.yml | 140 ++++++++++++++++++++-
 2 files changed, 275 insertions(+), 4 deletions(-)
diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml
index 55584c5..b215605 100644
--- a/roles/modify-ipt-gateway-ro/tasks/main.yml
+++ b/roles/modify-ipt-gateway-ro/tasks/main.yml
@@ -91,6 +91,47 @@
 - main_ipv6_exists.stat.exists
+# ---
+# allow_ms_skype_teams_out
+# ---
+
+- name: Check if String 'allow_ms_skype_teams_out..' (IPv4) is present
+ shell: grep -q -E "^allow_ms_skype_teams_out=" /ro/etc/ipt-firewall/main_ipv4.conf
+ register: ms_skype_teams_out_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ms_skype_teams_out_ipv4_present.rc > 1"
+ changed_when: "ms_skype_teams_out_ipv4_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (ms teams)
+ lineinfile:
+ dest: /ro/etc/ipt-firewall/main_ipv4.conf
+ state: present
+ regexp: '^allow_ms_skype_teams_out'
+ line: 'allow_ms_skype_teams_out=true'
+ insertafter: '^#?\s*allow_bigbluebutton_video_conference_out'
+ when:
+ - main_ipv4_exists.stat.exists
+ - ms_skype_teams_out_ipv4_present is changed
+
+- name: Check if String 'allow_ms_skype_teams_out..' (IPv6) is present
+ shell: grep -q -E "^allow_ms_skype_teams_out=" /ro/etc/ipt-firewall/main_ipv6.conf
+ register: ms_skype_teams_out_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ms_skype_teams_out_ipv6_present.rc > 1"
+ changed_when: "ms_skype_teams_out_ipv6_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (ms teams)
+ lineinfile:
+ dest: /ro/etc/ipt-firewall/main_ipv6.conf
+ state: present
+ regexp: '^allow_ms_skype_teams_out'
+ line: 'allow_ms_skype_teams_out=true'
+ insertafter: '^#?\s*allow_bigbluebutton_video_conference_out'
+ when:
+ - main_ipv6_exists.stat.exists
+ - ms_skype_teams_out_ipv6_present is changed
+
+
 # ---
 # allow_jitsi_video_conference_out
 # ---
@@ -142,7 +183,7 @@
 failed_when: "nc_talk_out_ipv4_present.rc > 1"
 changed_when: "nc_talk_out_ipv4_present.rc > 0"
-- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi)
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (nc_talk)
 lineinfile:
 dest: /ro/etc/ipt-firewall/main_ipv4.conf
 state: present
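Review bot: The two new `lineinfile` tasks in the `@@ -91,6 +91,47 @@` hunk write `allow_ms_skype_teams_out=true`, so every gateway whose config lacks the key gets outbound Skype/Teams traffic switched on by the next playbook run; the same default is set in the `roles/modify-ipt-gateway` hunk at `@@ -108,6 +108,48 @@`. For a firewall role an opt-in default is the safer choice: `line: 'allow_ms_skype_teams_out=false'`, or a host/group variable that only the sites needing Teams set to true. Whether the neighbouring `allow_*_out` switches also default to true is not visible here, so this may be a deliberate convention; if it is, a comment above the task stating that the rule is enabled on insert would make that explicit.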
@@ -160,7 +201,7 @@
 failed_when: "nc_talk_out_ipv6_present.rc > 1"
 changed_when: "nc_talk_out_ipv6_present.rc > 0"
-- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi)
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (nc_talk)
 lineinfile:
 dest: /ro/etc/ipt-firewall/main_ipv6.conf
 state: present
@@ -714,6 +755,100 @@
 - epson_scanner_ips_ipv6_present is changed
+# ---
+# Skype for Business Online und Microsoft Teams
+# ---
+
+- name: Check if String 'ms_skype_teams_tcp_ports=..' (IPv4) is present
+ shell: grep -q -E "^ms_skype_teams_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf
+ register: ms_skype_teams_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ms_skype_teams_ipv4_present.rc > 1"
+ changed_when: "ms_skype_teams_ipv4_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (ms teams service)
+ blockinfile:
+ path: /ro/etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*bigbluebutton_udp_ports'
+ block: |
+
+ # ======
+ # - Skype for Business Online und Microsoft Teams
+ # ======
+
+ # - Skype for Business Online und Microsoft Teams
+ # -
+ # - TCP 80,443
+ # -
+ # - UDP 3478,3479,3480,3481 --> 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14
+ # -
+ # - Example:
+ # -
+ # - standard_ms_skype_teams_tcp_ports="80,443"
+ # - standard_ms_skype_teams_udp4_ports="3478,3479,3480,3481"
+ # - standard_ms_skype_teams_udp4_hosts="
+ # - 13.107.64.0/18
+ # - 52.112.0.0/14
+ # - 52.120.0.0/14
+ # - "
+ # -
+ # - Set to default values:
+ # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ # - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
+ # - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
+ # -
+ ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
+ ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
+ marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ms_skype_teams_ipv4_present is changed
+
+- name: Check if String 'ms_skype_teams_tcp_ports=..' (IPv6) is present
+ shell: grep -q -E "^ms_skype_teams_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf
+ register: ms_skype_teams_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ms_skype_teams_ipv6_present.rc > 1"
+ changed_when: "ms_skype_teams_ipv6_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (ms teams service)
+ blockinfile:
+ path: /ro/etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*bigbluebutton_udp_ports'
+ block: |
+
+ # ======
+ # - Skype for Business Online und Microsoft Teams
+ # ======
+
+ # - Skype for Business Online und Microsoft Teams
+ # -
+ # - TCP 80,443
+ # -
+ # - Example:
+ # -
+ # - standard_ms_skype_teams_tcp_ports="80,443"
+ # - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481"
+ # - standard_ms_skype_teams_udp6_hosts="
+ # - 2a01:30:0:13:5054:ff:fe9f:422f/64
+ # - 2a01:4f8:231:19a7::2/52
+ # - "
+ # -
+ # - Set to default values:
+ # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ # - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
+ # - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
+ # -
+ ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
+ ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
+ marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ms_skype_teams_ipv6_present is changed
+
+
 # ---
 # jitsi video conference service
 # ---
diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml
index bbe2c2a..fa92ad7 100644
--- a/roles/modify-ipt-gateway/tasks/main.yml
+++ b/roles/modify-ipt-gateway/tasks/main.yml
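Review bot: The IPv6 block inserted into `main_ipv6.conf` by the `@@ -714,6 +755,100 @@` hunk documents `standard_ms_skype_teams_udp6_hosts` with `2a01:30:0:13:5054:ff:fe9f:422f/64` and `2a01:4f8:231:19a7::2/52`, which are host addresses with a prefix length attached and do not look like Microsoft-published ranges, unlike the IPv4 example. The active lines then assign `ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"`, and the definition of the `standard_*` variables is not part of this patch; if that variable is unset on a gateway the host list expands to an empty string, and how the firewall script treats an empty list (no rule, or no destination restriction) should be confirmed. I would replace the example with ranges taken from Microsoft's endpoint list or mark it explicitly as a placeholder, and add the `# - UDP 3478,3479,3480,3481 --> …` line that the IPv4 block has. The same block is added in the `roles/modify-ipt-gateway` hunk at `@@ -773,6 +815,100 @@`.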
@@ -108,6 +108,48 @@
 notify:
 - Restart IPv6 Firewall
+# ---
+# allow_ms_skype_teams_out
+# ---
+
+- name: Check if String 'allow_ms_skype_teams_out..' (IPv4) is present
+ shell: grep -q -E "^allow_ms_skype_teams_out=" /etc/ipt-firewall/main_ipv4.conf
+ register: ms_skype_teams_out_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ms_skype_teams_out_ipv4_present.rc > 1"
+ changed_when: "ms_skype_teams_out_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms teams)
+ lineinfile:
+ dest: /etc/ipt-firewall/main_ipv4.conf
+ state: present
+ regexp: '^allow_ms_skype_teams_out'
+ line: 'allow_ms_skype_teams_out=true'
+ insertafter: '^#?\s*allow_bigbluebutton_video_conference_out'
+ when:
+ - main_ipv4_exists.stat.exists
+ - ms_skype_teams_out_ipv4_present is changed
+
+- name: Check if String 'allow_ms_skype_teams_out..' (IPv6) is present
+ shell: grep -q -E "^allow_ms_skype_teams_out=" /etc/ipt-firewall/main_ipv6.conf
+ register: ms_skype_teams_out_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ms_skype_teams_out_ipv6_present.rc > 1"
+ changed_when: "ms_skype_teams_out_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ms teams)
+ lineinfile:
+ dest: /etc/ipt-firewall/main_ipv6.conf
+ state: present
+ regexp: '^allow_ms_skype_teams_out'
+ line: 'allow_ms_skype_teams_out=true'
+ insertafter: '^#?\s*allow_bigbluebutton_video_conference_out'
+ when:
+ - main_ipv6_exists.stat.exists
+ - ms_skype_teams_out_ipv6_present is changed
+ notify:
+ - Restart IPv6 Firewall
+
 # ---
 # allow_jitsi_video_conference_out
 # ---
@@ -161,7 +203,7 @@
 failed_when: "nc_talk_out_ipv4_present.rc > 1"
 changed_when: "nc_talk_out_ipv4_present.rc > 0"
-- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi)
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_talk)
 lineinfile:
 dest: /etc/ipt-firewall/main_ipv4.conf
 state: present
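Review bot: In the `@@ -108,6 +108,48 @@` hunk the IPv6 `lineinfile` task ends with `notify:` / `- Restart IPv6 Firewall`, but the IPv4 task "Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms teams)" has no `notify:` at all, so a newly inserted `allow_ms_skype_teams_out=true` would sit in the IPv4 config without the running ruleset being reloaded. Add a `notify:` for the IPv4 restart handler to that task (the handler's name is not visible in this hunk), so the file on disk and the loaded rules do not drift apart. The `blockinfile` tasks in the `@@ -773,6 +815,100 @@` hunk carry no `notify:` either; if that is intentional because another task triggers the reload, a short comment saying so would help.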
@@ -179,7 +221,7 @@
 failed_when: "nc_talk_out_ipv6_present.rc > 1"
 changed_when: "nc_talk_out_ipv6_present.rc > 0"
-- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi)
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc_talk)
 lineinfile:
 dest: /etc/ipt-firewall/main_ipv6.conf
 state: present
@@ -773,6 +815,100 @@
 - epson_scanner_ips_ipv6_present is changed
+# ---
+# Skype for Business Online und Microsoft Teams
+# ---
+
+- name: Check if String 'ms_skype_teams_tcp_ports=..' (IPv4) is present
+ shell: grep -q -E "^ms_skype_teams_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: ms_skype_teams_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ms_skype_teams_ipv4_present.rc > 1"
+ changed_when: "ms_skype_teams_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms teams service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*bigbluebutton_udp_ports'
+ block: |
+
+ # ======
+ # - Skype for Business Online und Microsoft Teams
+ # ======
+
+ # - Skype for Business Online und Microsoft Teams
+ # -
+ # - TCP 80,443
+ # -
+ # - UDP 3478,3479,3480,3481 --> 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14
+ # -
+ # - Example:
+ # -
+ # - standard_ms_skype_teams_tcp_ports="80,443"
+ # - standard_ms_skype_teams_udp4_ports="3478,3479,3480,3481"
+ # - standard_ms_skype_teams_udp4_hosts="
+ # - 13.107.64.0/18
+ # - 52.112.0.0/14
+ # - 52.120.0.0/14
+ # - "
+ # -
+ # - Set to default values:
+ # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ # - ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
+ # - ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
+ # -
+ ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ ms_skype_teams_udp4_ports="$standard_ms_skype_teams_udp4_ports"
+ ms_skype_teams_udp4_hosts="$standard_ms_skype_teams_udp4_hosts"
+ marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ms_skype_teams_ipv4_present is changed
+
+- name: Check if String 'ms_skype_teams_tcp_ports=..' (IPv6) is present
+ shell: grep -q -E "^ms_skype_teams_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: ms_skype_teams_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ms_skype_teams_ipv6_present.rc > 1"
+ changed_when: "ms_skype_teams_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ms teams service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*bigbluebutton_udp_ports'
+ block: |
+
+ # ======
+ # - Skype for Business Online und Microsoft Teams
+ # ======
+
+ # - Skype for Business Online und Microsoft Teams
+ # -
+ # - TCP 80,443
+ # -
+ # - Example:
+ # -
+ # - standard_ms_skype_teams_tcp_ports="80,443"
+ # - standard_ms_skype_teams_udp6_ports="3478,3479,3480,3481"
+ # - standard_ms_skype_teams_udp6_hosts="
+ # - 2a01:30:0:13:5054:ff:fe9f:422f/64
+ # - 2a01:4f8:231:19a7::2/52
+ # - "
+ # -
+ # - Set to default values:
+ # - ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ # - ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
+ # - ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
+ # -
+ ms_skype_teams_tcp_ports="$standard_ms_skype_teams_tcp_ports"
+ ms_skype_teams_udp6_ports="$standard_ms_skype_teams_udp6_ports"
+ ms_skype_teams_udp6_hosts="$standard_ms_skype_teams_udp6_hosts"
+ marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ms_skype_teams_ipv6_present is changed
+
+
 # ---
 # jitsi video conference service
 # ---
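Review bot: Both `blockinfile` tasks in the `@@ -773,6 +815,100 @@` hunk use `marker: "# Marker set by modify-ipt-gateway.yml (ms teams service)"` without the `{mark}` placeholder, so the begin and end marker lines are identical; Ansible's documentation warns that such a marker can lead to the block being inserted again on later runs. Here only the preceding `grep` guard prevents that, and it stops protecting as soon as someone comments out or renames the `ms_skype_teams_tcp_ports=` line. `marker: "# {mark} set by modify-ipt-gateway.yml (ms teams service)"` would let the module find and update its own block; the same applies to the `roles/modify-ipt-gateway-ro` hunk at `@@ -714,6 +755,100 @@`. If the identical-marker form is the existing convention in this file, a comment noting the reliance on the guard would be enough for this change.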