fix syntax error
khaledk2 committed Dec 8, 2024
1 parent a2ffc3a commit 3a2fca9
Showing 1 changed file with 19 additions and 22 deletions.
41 changes: 19 additions & 22 deletions ansible/idr-firewall.yml
Expand Up @@ -11,15 +11,14 @@
state: enabled
permanent: true
rich_rule:
- 'rule family="ipv4" forward accept'
- 'rule family="ipv4" source address="0.0.0.0/0" accept'
- 'rule family="ipv4" destination address="0.0.0.0/0" accept'
- "rule family='ipv4' forward accept"
- "rule family='ipv4' source address='0.0.0.0/0' accept"
- "rule family='ipv4' destination address='0.0.0.0/0' accept"

# Docker sets up its own rules, don't overwrite
# - hosts: >
# {{ idr_environment | default('idr') }}-management-hosts


- hosts: "{{ idr_environment | default('idr') }}-proxy-hosts"


Expand All @@ -37,25 +36,25 @@
state: enabled
permanent: true
rich_rule:
# For INPUT (Incoming Traffic)
- 'rule family="ipv4" state established accept'
- 'rule family="ipv4" state related accept'
- # For INPUT (Incoming Traffic)
- "rule family='ipv4' state established accept"
- "rule family='ipv4' state related accept"
# For OUTPUT (Outgoing Traffic)
- 'rule family="ipv4" direction="out" state established accept'
- 'rule family="ipv4" direction="out" state related accept'
- "rule family='ipv4' direction='out' state established accept"
- "rule family="ipv4" direction='out' state related accept"
# allows all incoming traffic on the loopback interface (lo)
- 'rule family="ipv4" source address="127.0.0.0/8" accept'
- "rule family='ipv4' source address='127.0.0.0/8' accept"
# rule to allow TCP and udp traffic from 10.0.0.0/8 and 192.168.0.0/16 range
- 'rule family="ipv4" source address="10.0.0.0/8" protocol value="tcp" accept'
- 'rule family="ipv4" source address="10.0.0.0/8" protocol value="udp" accept'
- 'rule family="ipv4" source address="192.168.0.0/16" protocol value="tcp" accept'
- 'rule family="ipv4" source address="192.168.0.0/16" protocol value="udp" accept'
- "rule family='ipv4' source address='10.0.0.0/8' protocol value='tcp' accept"
- "rule family='ipv4' source address='10.0.0.0/8' protocol value='udp' accept"
- "rule family='ipv4' source address='192.168.0.0/16' protocol value='tcp' accept"
- "rule family='ipv4' source address='192.168.0.0/16' protocol value='udp' accept"
# allow ICMP Echo Request (ping)
- 'rule family="ipv4" protocol value="icmp" icmp-type echo-request accept'
- "rule family='ipv4' protocol value='icmp' icmp-type echo-request accept"
# allow TCP traffic on port 22 (SSH)
- 'rule family="ipv4" protocol value="tcp" destination port="22" accept'
- "rule family='ipv4' protocol value='tcp' destination port='22' accept"
# allow TCP traffic on idr_external_tcp_ports
- 'rule family="ipv4" protocol value="tcp" destination port={{ idr_external_tcp_ports | join(',' ) }} accept'
- "rule family='ipv4' protocol value='tcp' destination port={{ idr_external_tcp_ports | join(',' ) }} accept"

# Use a low priority REJECT rule so that clients can detect when
# they've been rejected
Expand All @@ -69,11 +68,9 @@
state: enabled
permanent: true
rich_rule:
- 'rule family="ipv4" forward reject'
- 'rule family="ipv4" source address="0.0.0.0/0" reject'
- 'rule family="ipv4" destination address="0.0.0.0/0" accept'


- "rule family='ipv4' forward reject"
- "rule family='ipv4' source address='0.0.0.0/0' reject"
- "rule family='ipv4' destination address='0.0.0.0/0' accept"

vars:
idr_external_tcp_ports:
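Review bot: The second hunk still contains a YAML syntax error despite the commit title: `- "rule family="ipv4" direction='out' state related accept"` is a double-quoted scalar that ends at `family=`, so the rest of the line is trailing garbage and the whole playbook fails to parse; it should read `- "rule family='ipv4' direction='out' state related accept"` like the neighbouring lines. In the same hunk the INPUT comment was turned into a sequence entry, `- # For INPUT (Incoming Traffic)`, which yields a `null` element in `rich_rule` rather than a comment; drop the leading `- ` so it matches the `# For OUTPUT (Outgoing Traffic)` line. Both mistakes are the kind a `yamllint` or `ansible-playbook --syntax-check` step in CI would have caught before a firewall change could be applied with a half-parsed rule list. The enclosing firewalld tasks begin outside these hunks.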