I5520 ip tables #5559
Merged
I5520 ip tables #5559
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
the order of rules matters in ufw. We add the new defaults for ssh we create a template file that can allow users to place these rules and have predictable implementation Closes #5520
we are using abid-staging2 for our firewall rules add the ssh subnets to the group_vars Co-authored-by: Vickie Karasic <[email protected]>
in order to make modifications to the firewall we need to disable it then reload the new configuration Co-authored-by: Alicia Cozine <[email protected]>
we swap out ufw to the user.rules the preferred way is to use the before and after rules
kayiwa
force-pushed
the
i5520_ip_tables
branch
from
7585e1a to
5185f50
Compare
kayiwa
force-pushed
the
i5520_ip_tables
branch
2 times, most recently
from
25e065b to
6392784
Compare
kayiwa
force-pushed
the
i5520_ip_tables
branch
from
6392784 to
f970d6c
Compare
acozine
reviewed
Dec 2, 2024
Comment on lines
+5
to
+6
| - protocol: tcp | ||
| source: 10.249.64.0/18 |
There was a problem hiding this comment.
Now that we have the functionality we want, can we add descriptive names? Something like this:
Suggested change
| - protocol: tcp | |
| source: 10.249.64.0/18 | |
| - rule: SSH from libnet | |
| protocol: tcp | |
| source: 10.249.64.0/18 |
| - service: http | ||
| action: ACCEPT | ||
| - protocol: tcp | ||
| source: 10.249.0.0/18 |
There was a problem hiding this comment.
Does this CIDR range include 10.249.64.0/18?
| @@ -15,21 +15,16 @@ the examples below allow ssh, http, and redis to those CIDR subnets. For ssh mak | |||
|
|
|||
| ```yaml | |||
| ufw_firewall_rules: | |||
There was a problem hiding this comment.
Whatever we do in the group vars about adding name/description to the rules, let's do it here too.
roles/ufw_firewall/handlers/main.yml
Outdated
| state: restarted | ||
| - name: Reload UFW | ||
| ansible.builtin.command: ufw reload | ||
| changed_when: false |
There was a problem hiding this comment.
We shouldn't need changed_when: false on the handler. The handler only runs when some other task reports a change.
Co-authored-by: Alicia Cozine <[email protected]>
|
My remaining review comments will be addressed in the next PR. This is a step forward. |
kayiwa
added a commit
that referenced
this pull request
Dec 13, 2024
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Dec 20, 2024
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Dec 20, 2024
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Dec 20, 2024
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Dec 31, 2024
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Jan 9, 2025
we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]>
kayiwa
added a commit
that referenced
this pull request
Jan 9, 2025
* adding dev-friendly ufw variables for our networks Co-authored-by: Alicia Cozine <[email protected]> Co-authored-by: Francis Kayiwa <[email protected]> * adding variables to ufw readme and default files Co-authored-by: Alicia Cozine <[email protected]> Co-authored-by: Francis Kayiwa <[email protected]> * improve documentation we have elected to define networks in IT-Handbook added clearer examples that use this #5559 Our previous values matched a format that is no longer true Co-authored-by: Vickie Karasic <[email protected]> * add ability to loop over campus network * add a template that will dynamically assign networks include documentation on how to use the role --------- Co-authored-by: Alicia Cozine <[email protected]> Co-authored-by: Francis Kayiwa <[email protected]> Co-authored-by: Francis Kayiwa <[email protected]> Co-authored-by: Vickie Karasic <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
use a iptables template to set firewall rules.
the order of the in your configuration matter