From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb
---
ansible/roles/disableFirewall/tasks/main.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 ansible/roles/disableFirewall/tasks/main.yml
(limited to 'ansible/roles/disableFirewall/tasks/main.yml')
diff --git a/ansible/roles/disableFirewall/tasks/main.yml b/ansible/roles/disableFirewall/tasks/main.yml
new file mode 100644
index 0000000..9454702
--- /dev/null
+++ b/ansible/roles/disableFirewall/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+# Our mail systems only listen to SMTP(S) and IMAP(S)
+# so we can disable all firewalls
+# This stops ufw, then uninstalls ufw and iptables (and ip6tables)
+- name: remove firewall
+ apt:
+ name: iptables
+ state: absent
+ register: firewallKaboom
+
+# removing iptables doesn't actually stop iptables processing,
+# so let's force remove all packet processing from the kernel itself here
+# TODO: this conditional could be better. would be nice if we had a fact
+# of loaded kernel modules to query the presence/absence of
+- name: unload firewall
+ command: modprobe -r ip6table_filter iptable_filter ip6_tables ip_tables x_tables
+ when: firewallKaboom.changed
+
+- name: disable iptables from reappearing in the future
+ copy:
+ src: modprobe.d/
+ dest: /etc/modprobe.d/
-- cgit v1.2.3
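Review bot: The header comment's premise, "only listen to SMTP(S) and IMAP(S)", is not checked anywhere in this role, and once `remove firewall` and `unload firewall` have run nothing on the host limits exposure of any other listener (the SSH daemon Ansible presumably connects through, or a service added later that binds to all interfaces). If dropping the filter is deliberate, I would say so in the comment, e.g. `# NOTE: no host packet filter after this role; every listening socket is reachable, so audit listeners (ss -tlnp) before applying`; the alternative is to keep the filter with a default-deny inbound policy that allows only the mail ports. The comment also says ufw is stopped and uninstalled, but the only package named is `iptables`, so ufw goes away only if apt removes it as a dependent, which is worth stating explicitly. Separately, the `copy` task sets no ownership or permissions for the files placed under /etc/modprobe.d/; I would add `owner: root`, `group: root` and `mode: '0644'`.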