From 75e1420fd69ad3fc35bd9fdfa390dc7e9e9d96e2 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 3 Jun 2020 20:32:12 +0100
Subject: [PATCH] Install and configure firewalld

---
 files/zshrc/applications.sh | 4 ++++
 tasks/security.yml | 42 +++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/files/zshrc/applications.sh b/files/zshrc/applications.sh
index 80a0f42..bf88eac 100644
--- a/files/zshrc/applications.sh
+++ b/files/zshrc/applications.sh
@@ -44,3 +44,7 @@ alias cl="climate"
 alias tmux-cleanup="tmux list-sessions | grep -v attached | cut -d: -f1 | xargs -t -n1 tmux kill-session -t"
 alias lock-screen="xdotool key 'Super_L+l'"
 alias mux="tmuxinator start"
+
+alias open-port="firewall-cmd --zone=public --add-port"
+alias close-port="firewall-cmd --zone=public --remove-port"
+alias reset-ports="firewall-cmd --complete-reload"
diff --git a/tasks/security.yml b/tasks/security.yml
index 9b3ca8b..68d0c25 100644
--- a/tasks/security.yml
+++ b/tasks/security.yml
@@ -24,3 +24,45 @@
     dest: "{{ home }}/.ssh/assh.yml"
     mode: 0644
     owner: "{{ user }}"
+
+- name: Install Firewall
+  aur:
+    name: "{{ item }}"
+  become: true
+  become_user: aur_builder
+  when: item not in installed_packages.stdout_lines
+  loop:
+    - firewalld
+
+- name: Enable firewalld
+  systemd:
+    name: firewalld
+    enabled: true
+
+- name: Define firewall ports
+  set_fact:
+    requested_firewall_ports:
+      - 22/tcp # SSH
+      - 80/tcp # Web (crab)
+
+- name: Get firewall ports
+  shell: firewall-cmd --list-ports
+  become: true
+  register: firewall_ports
+
+- name: Open firewall ports
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  loop: "{{ requested_firewall_ports }}"
+
+- name: Close firewall ports
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: disabled
+  when: item not in requested_firewall_ports
+  loop: "{{ firewall_ports.stdout.split(' ') }}"
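Review bot: The three new aliases have different persistence semantics and nothing records it: `open-port` and `close-port` run `--add-port`/`--remove-port` without `--permanent`, so they change only the runtime zone, while `reset-ports` runs `--complete-reload`, which discards runtime changes and, per firewall-cmd(1), reloads netfilter modules and is likely to drop active connections. A port opened with `open-port` therefore vanishes on `reset-ports` or reboot, which may be the intent (the Ansible tasks in the same commit own the persistent ports) but will surprise the next reader. I would add a comment above the block: `# runtime-only (no --permanent): dropped by reset-ports or reboot; persistent ports are managed by tasks/security.yml`. The hard-coded `--zone=public` is also worth a word, since the Ansible tasks use the default zone rather than naming one.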
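Review bot: The "Close firewall ports" loop splits on a single space, so on a host with no open ports `firewall-cmd --list-ports` prints an empty line and `stdout.split(' ')` yields `['']`, which is not in `requested_firewall_ports` and is then passed to `firewalld` as `port: ""`; `loop: "{{ firewall_ports.stdout.split() }}"` drops empty tokens and avoids that. "Enable firewalld" only enables the unit, yet the later tasks use `immediate: true`, which needs a running daemon — on a fresh install this play fails until a reboot; adding `state: started` under `systemd:` fixes the ordering. "Get firewall ports" is a read-only query but reports changed on every run, so give it `changed_when: false` (and `command:` rather than `shell:`, since no shell features are used). "Enable firewalld", "Open firewall ports" and "Close firewall ports" carry no `become: true` while the neighbouring query does, which looks inconsistent unless the play sets become globally — that is outside the hunk, so worth confirming.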