diff --git a/ansible/idr-firewall.yml b/ansible/idr-firewall.yml
index 4e0a9fd1..ff4f064d 100644
--- a/ansible/idr-firewall.yml
+++ b/ansible/idr-firewall.yml
@@ -11,15 +11,14 @@
 state: enabled
 permanent: true
 rich_rule:
- - 'rule family="ipv4" forward accept'
- - 'rule family="ipv4" source address="0.0.0.0/0" accept'
- - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
+ - "rule family='ipv4' forward accept"
+ - "rule family='ipv4' source address='0.0.0.0/0' accept"
+ - "rule family='ipv4' destination address='0.0.0.0/0' accept"
 # Docker sets up its own rules, don't overwrite
 # - hosts: >
 #   {{ idr_environment | default('idr') }}-management-hosts
-
 - hosts: "{{ idr_environment | default('idr') }}-proxy-hosts"
@@ -37,25 +36,25 @@
 state: enabled
 permanent: true
 rich_rule:
- # For INPUT (Incoming Traffic)
- - 'rule family="ipv4" state established accept'
- - 'rule family="ipv4" state related accept'
+ - # For INPUT (Incoming Traffic)
+ - "rule family='ipv4' state established accept"
+ - "rule family='ipv4' state related accept"
 # For OUTPUT (Outgoing Traffic)
- - 'rule family="ipv4" direction="out" state established accept'
- - 'rule family="ipv4" direction="out" state related accept'
+ - "rule family='ipv4' direction='out' state established accept"
+ - "rule family="ipv4" direction='out' state related accept"
 # allows all incoming traffic on the loopback interface (lo)
- - 'rule family="ipv4" source address="127.0.0.0/8" accept'
+ - "rule family='ipv4' source address='127.0.0.0/8' accept"
 # rule to allow TCP and udp traffic from 10.0.0.0/8 and 192.168.0.0/16 range
- - 'rule family="ipv4" source address="10.0.0.0/8" protocol value="tcp" accept'
- - 'rule family="ipv4" source address="10.0.0.0/8" protocol value="udp" accept'
- - 'rule family="ipv4" source address="192.168.0.0/16" protocol value="tcp" accept'
- - 'rule family="ipv4" source address="192.168.0.0/16" protocol value="udp" accept'
+ - "rule family='ipv4' source address='10.0.0.0/8' protocol value='tcp' accept"
+ - "rule family='ipv4' source address='10.0.0.0/8' protocol value='udp' accept"
+ - "rule family='ipv4' source address='192.168.0.0/16' protocol value='tcp' accept"
+ - "rule family='ipv4' source address='192.168.0.0/16' protocol value='udp' accept"
 # allow ICMP Echo Request (ping)
- - 'rule family="ipv4" protocol value="icmp" icmp-type echo-request accept'
+ - "rule family='ipv4' protocol value='icmp' icmp-type echo-request accept"
 # allow TCP traffic on port 22 (SSH)
- - 'rule family="ipv4" protocol value="tcp" destination port="22" accept'
+ - "rule family='ipv4' protocol value='tcp' destination port='22' accept"
 # allow TCP traffic on idr_external_tcp_ports
- - 'rule family="ipv4" protocol value="tcp" destination port={{ idr_external_tcp_ports | join(',' ) }} accept'
+ - "rule family='ipv4' protocol value='tcp' destination port={{ idr_external_tcp_ports | join(',' ) }} accept"
 # Use a low priority REJECT rule so that clients can detect when
 # they've been rejected
@@ -69,11 +68,9 @@
 state: enabled
 permanent: true
 rich_rule:
- - 'rule family="ipv4" forward reject'
- - 'rule family="ipv4" source address="0.0.0.0/0" reject'
- - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
-
-
+ - "rule family='ipv4' forward reject"
+ - "rule family='ipv4' source address='0.0.0.0/0' reject"
+ - "rule family='ipv4' destination address='0.0.0.0/0' accept"
 vars:
 idr_external_tcp_ports:
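Review bot: The new line `- "rule family="ipv4" direction='out' state related accept"` still has double quotes around `ipv4`, so the YAML double-quoted scalar closes right after `family=` and the rest of the line is a YAML syntax error that should make the playbook fail to load before any firewall rule is applied; the intended line is `- "rule family='ipv4' direction='out' state related accept"`. The new `- # For INPUT (Incoming Traffic)` line is now a sequence item rather than a comment, which adds a null element to `rich_rule` that the firewalld module will receive as an empty rule; drop the leading `- ` so it reads `# For INPUT (Incoming Traffic)` like the other group comments in this list. Every rule in the file now depends on firewalld accepting single-quoted attribute values such as `family='ipv4'`, which I believe current releases do, but it is worth confirming on the target firewalld version since a rejected rule would leave the zone without its established/related and loopback accepts. The enclosing firewalld task starts above this hunk.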
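Review bot: The comment just above this hunk describes a low-priority REJECT rule, but neither `rule family='ipv4' forward reject` nor `rule family='ipv4' source address='0.0.0.0/0' reject` carries a `priority=` attribute, and the commit only changes their quoting. As far as I know firewalld orders rich rules without an explicit priority by action (log, then drop/reject, then accept) rather than by position in this list, so the catch-all reject may be evaluated before the accept rules instead of after them; the intended ordering should be confirmed and, if a priority is meant, written into the rules as `priority='<value>'` (placeholder; firewalld's lowest precedence is the high end of its priority range). The enclosing firewalld task starts above this hunk.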