author | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
---|---|---|
committer | clarkzjw <[email protected]> | 2023-02-08 00:40:09 -0800 |
commit | 1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch) | |
tree | 129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/roles/disableFirewall | |
parent | 9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff) | |
Diffstat (limited to 'ansible/roles/disableFirewall')
-rw-r--r-- | ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf | 13 | ||||
-rw-r--r-- | ansible/roles/disableFirewall/tasks/main.yml | 22 |
2 files changed, 35 insertions, 0 deletions
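--- /dev/null
+++ b/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
@@ -0,0 +1,13 @@
+# Don't load iptables on startup (or ever)!
+
+# These look weird, but the 'blacklist' command still allows
+# module insertion.
+#
+# This method defines a load-time alias so when you load the module,
+# it runs a delegated command to load the module instead, but in
+# the case of denying modules completely, just run nothing.
+install ip6table_filter /bin/true
+install iptable_filter /bin/true
+install ip6_tables /bin/true
+install ip_tables /bin/true
+install x_tables /bin/true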
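Review bot: The `install … /bin/true` overrides at the end of the file cover only the legacy xtables modules, so the header's goal of never loading iptables is only partly met: the nf_tables backend (which current Debian/Ubuntu `iptables` builds use by default, via iptables-nft) is not listed and remains loadable. If the intent is to keep all packet filtering out of the kernel, add `install nf_tables /bin/true`; if it is deliberately limited to the xtables path, say so in the header comment. Because `x_tables` is a dependency of other netfilter match and target modules, any package installed later that needs them will fail at module load with no obvious error — a comment such as `# NOTE: anything depending on x_tables (other netfilter matches/targets) will also fail to load` would save the next maintainer a debugging session.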
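--- /dev/null
+++ b/ansible/roles/disableFirewall/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+# Our mail systems only listen to SMTP(S) and IMAP(S)
+# so we can disable all firewalls
+# This stops ufw, then uninstalls ufw and iptables (and ip6tables)
+- name: remove firewall
+  apt:
+    name: iptables
+    state: absent
+  register: firewallKaboom
+
+# removing iptables doesn't actually stop iptables processing,
+# so let's force remove all packet processing from the kernel itself here
+# TODO: this conditional could be better. would be nice if we had a fact
+# of loaded kernel modules to query the presence/absence of
+- name: unload firewall
+  command: modprobe -r ip6table_filter iptable_filter ip6_tables ip_tables x_tables
+  when: firewallKaboom.changed
+
+- name: disable iptables from reappearing in the future
+  copy:
+    src: modprobe.d/
+    dest: /etc/modprobe.d/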
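Review bot: The header comment says the role stops ufw and then uninstalls ufw and iptables, but the only package the apt task removes is `iptables`; ufw is neither stopped nor listed (it may go away as a dependent package, but that is not what the comment promises), so either extend the task to `name: [ufw, iptables]` or reword the comment to match. The `modprobe -r` step fails the play if any listed module is still pinned by a dependent, and since it is gated on `firewallKaboom.changed` it is skipped on every rerun even if the modules have been re-inserted meanwhile; guarding it with a `modules_loaded` fact or `lsmod` check (`when: "'ip_tables' in lsmod_out.stdout"`) would address the TODO above it directly. Ordering also matters here: the modprobe.d override is copied only after the unload, so a package installed between those two tasks could reload the modules — placing the `copy` task first, and giving it an explicit `mode: '0644'`, closes that window.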