From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb
---
.../files/modprobe.d/blacklist-iptables.conf | 13 +++++++++++++
ansible/roles/disableFirewall/tasks/main.yml | 22 ++++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
create mode 100644 ansible/roles/disableFirewall/tasks/main.yml
(limited to 'ansible/roles/disableFirewall')
diff --git a/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf b/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
new file mode 100644
index 0000000..4655374
--- /dev/null
+++ b/ansible/roles/disableFirewall/files/modprobe.d/blacklist-iptables.conf
@@ -0,0 +1,13 @@
+# Don't load iptables on startup (or ever)!
+
+# These look weird, but the 'blacklist' command still allows
+# module insertion.
+#
+# This method defines a load-time alias so when you load the module,
+# it runs a delegated command to load the module instead, but in
+# the case of denying modules completely, just run nothing.
+install ip6table_filter /bin/true
+install iptable_filter /bin/true
+install ip6_tables /bin/true
+install ip_tables /bin/true
+install x_tables /bin/true
diff --git a/ansible/roles/disableFirewall/tasks/main.yml b/ansible/roles/disableFirewall/tasks/main.yml
new file mode 100644
index 0000000..9454702
--- /dev/null
+++ b/ansible/roles/disableFirewall/tasks/main.yml
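Review bot: The `install … /bin/true` list covers only the legacy ip_tables family, so on a host whose `iptables` binary is the nftables backend (the default on recent Debian/Ubuntu) the ruleset lives in `nf_tables`, which this file leaves loadable and which `iptables-nft` or `nft` will pull in on first use — native nft rules do not need `x_tables` — so the header's "or ever" does not hold there. If the intent really is no packet filtering at all, add `install nf_tables /bin/true` next to the others; otherwise reword the header to say it only blocks the iptables-legacy modules. A second caveat belongs in the header comment: an `install` line is ignored for modules built into the kernel and is bypassed by `insmod` or `modprobe --ignore-install`, so this is a default, not an enforcement. Finally, any brute-force banning tool on a mail host (fail2ban and the like, if one is deployed here) depends on exactly these modules and will silently stop banning once this lands, which is worth stating where the decision is made.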
@@ -0,0 +1,22 @@
+---
+# Our mail systems only listen to SMTP(S) and IMAP(S)
+# so we can disable all firewalls
+# This stops ufw, then uninstalls ufw and iptables (and ip6tables)
+- name: remove firewall
+ apt:
+ name: iptables
+ state: absent
+ register: firewallKaboom
+
+# removing iptables doesn't actually stop iptables processing,
+# so let's force remove all packet processing from the kernel itself here
+# TODO: this conditional could be better. would be nice if we had a fact
+# of loaded kernel modules to query the presence/absence of
+- name: unload firewall
+ command: modprobe -r ip6table_filter iptable_filter ip6_tables ip_tables x_tables
+ when: firewallKaboom.changed
+
+- name: disable iptables from reappearing in the future
+ copy:
+ src: modprobe.d/
+ dest: /etc/modprobe.d/
-- cgit v1.2.3
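Review bot: The `when: firewallKaboom.changed` guard on the "unload firewall" task ties module removal to the apt result, so on a host where the `iptables` package is already absent the modules are never unloaded, and the `modprobe -r` fails outright (stopping the play before the modprobe.d copy lands) if any listed module is held by something not in the list, such as `iptable_nat` or loaded `xt_*` match modules. The TODO is answered by keying on the kernel rather than on apt: replace the `when` with `args: removes: /sys/module/ip_tables`, or use `community.general.modprobe` with `state: absent` per module, which is idempotent on its own. The header comment also overstates the task: `apt: state: absent` removes `iptables` and whatever depends on it (presumably ufw), but it does not touch the nftables packages or any `nft` ruleset, so "disable all firewalls" is only true for the legacy stack, and a comment should say so and note that SSH (which Ansible itself arrives over) and any service bound later is now reachable unfiltered. The `copy` task should additionally set `owner: root`, `group: root`, `mode: '0644'` so the file dropped into `/etc/modprobe.d/` is not left to the default umask.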