92 lines
2.4 KiB
YAML
92 lines
2.4 KiB
YAML
---
|
|
- name: FIREWALL | UFW auf Standardeinstellungen zurücksetzen
|
|
community.general.ufw:
|
|
state: reset
|
|
|
|
- name: FIREWALL | Standardmäßig allen ausgehenden Traffic erlauben
|
|
community.general.ufw:
|
|
direction: outgoing
|
|
policy: allow
|
|
|
|
- name: FIREWALL | Standardmäßig allen eingehenden Traffic blockieren
|
|
community.general.ufw:
|
|
direction: incoming
|
|
policy: deny
|
|
|
|
- name: FIREWALL | Eingehenden SSH-Traffic auf öffentlichem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
interface: "{{ public_interface }}"
|
|
direction: in
|
|
|
|
- name: FIREWALL | Eingehenden SSH-Traffic auf privatem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
|
|
- name: FIREWALL | Eingehenden HTTP/HTTPS-Traffic auf öffentlichem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item.port }}"
|
|
proto: "{{ item.proto }}"
|
|
interface: "{{ public_interface }}"
|
|
direction: in
|
|
with_items:
|
|
- { port: '80', proto: 'tcp' }
|
|
- { port: '443', proto: 'tcp' }
|
|
|
|
- name: FIREWALL | Ceph Monitor Ports auf privatem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item }}"
|
|
proto: tcp
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
with_items:
|
|
- '3300'
|
|
- '6789'
|
|
|
|
- name: FIREWALL | Ceph OSD/MGR Port-Range auf öffentlichem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "6800:7568"
|
|
proto: tcp
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
|
|
- name: FIREWALL | Ceph Prometheus Exporter auf privatem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "9283"
|
|
proto: tcp
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
|
|
- name: FIREWALL | Docker Swarm Management Ports auf privatem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "2377"
|
|
proto: tcp
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
|
|
- name: FIREWALL | Docker Swarm Discovery/Network Ports auf privatem Interface erlauben
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item.port }}"
|
|
proto: "{{ item.proto }}"
|
|
interface: "{{ private_interface }}"
|
|
direction: in
|
|
with_items:
|
|
- { port: '7946', proto: 'tcp' }
|
|
- { port: '7946', proto: 'udp' }
|
|
- { port: '4789', proto: 'udp' }
|
|
|
|
- name: FIREWALL | UFW aktivieren
|
|
community.general.ufw:
|
|
state: enabled |