summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
committerclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
commit1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch)
tree129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/roles/disableFirewall
parent9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff)
downloadmail-1204730924436ef9e1c7c49c9557837f9a5ed0e8.tar.gz
fork https://github.com/mattsta/mailwebHEADmaster
Diffstat (limited to 'ansible/roles/disableFirewall')
-rw-r--r--ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf13
-rw-r--r--ansible/roles/disableFirewall/tasks/main.yml22
2 files changed, 35 insertions, 0 deletions
diff --git a/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf b/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
new file mode 100644
index 0000000..4655374
--- /dev/null
+++ b/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
@@ -0,0 +1,13 @@
1# Don't load iptables on startup (or ever)!
2
3# These look weird, but the 'blacklist' command still allows
4# module insertion.
5#
6# This method defines a load-time alias so when you load the module,
7# it runs a delegated command to load the module instead, but in
8# the case of denying modules completely, just run nothing.
9install ip6table_filter /bin/true
10install iptable_filter /bin/true
11install ip6_tables /bin/true
12install ip_tables /bin/true
13install x_tables /bin/true
diff --git a/ansible/roles/disableFirewall/tasks/main.yml b/ansible/roles/disableFirewall/tasks/main.yml
new file mode 100644
index 0000000..9454702
--- /dev/null
+++ b/ansible/roles/disableFirewall/tasks/main.yml
@@ -0,0 +1,22 @@
1---
2# Our mail systems only listen to SMTP(S) and IMAP(S)
3# so we can disable all firewalls
4# This stops ufw, then uninstalls ufw and iptables (and ip6tables)
5- name: remove firewall
6 apt:
7 name: iptables
8 state: absent
9 register: firewallKaboom
10
11# removing iptables doesn't actually stop iptables processing,
12# so let's force remove all packet processing from the kernel itself here
13# TODO: this conditional could be better. would be nice if we had a fact
14# of loaded kernel modules to query the presence/absence of
15- name: unload firewall
16 command: modprobe -r ip6table_filter iptable_filter ip6_tables ip_tables x_tables
17 when: firewallKaboom.changed
18
19- name: disable iptables from reappearing in the future
20 copy:
21 src: modprobe.d/
22 dest: /etc/modprobe.d/
Powered by cgit v1.2.3 (git 2.41.0)