Ansible firewall configuration



The firewall in ansible for securedrop-club uses a single security group and opens everything it needs for every possible service (icinga, bind, postfix etc.) when the VMs are created. This is bad design and I propose it is refactored with a firewall role that can be used by a playbook to open specific ports. For instance the bind playbook would be:

```yaml
- name: configure firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: firewall
      os_security_group_udp: [ 53 ]

- name: setup DNS server
  hosts: [ 'bind_group' ]
  become: True

  roles:
    - role: bertvv.bind
```

The benefit is that the firewall is configured by the playbook that needs it.
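As an added example of what such a role could look like (this is illustrative code written for this proposal, not existing securedrop-club code), here is a `tasks/main.yml` for a hypothetical `firewall` role followed by the bind play that invokes it. The module names are the Ansible 2.x OpenStack modules `os_security_group` and `os_security_group_rule`; the role variables `os_security_group_name`, `os_security_group_tcp`, `os_security_group_remote_group` and `os_security_group_remote_ip_prefix` are assumptions, only `os_security_group_udp` appears in the proposal. The role takes either a remote group (ports reachable from other members of that group) or a remote IP prefix (ports reachable from that CIDR), and refuses to run if neither is given, because an OpenStack rule with no remote set is open to everyone.

```yaml
# tasks/main.yml of the hypothetical "firewall" role (added example).
# Assumed variables (not from the original post):
#   os_security_group_name             security group to create/manage
#   os_security_group_tcp              list of TCP ports to open
#   os_security_group_udp              list of UDP ports to open
#   os_security_group_remote_group     allow from members of this group (tenant-internal)
#   os_security_group_remote_ip_prefix allow from this CIDR (e.g. 0.0.0.0/0 for the net)
---
- name: refuse rules without an explicit remote (an unset remote means open to everyone)
  assert:
    that:
      - (os_security_group_remote_group is defined) != (os_security_group_remote_ip_prefix is defined)
    msg: "set exactly one of os_security_group_remote_group or os_security_group_remote_ip_prefix"

- name: ensure the security group exists
  os_security_group:
    name: "{{ os_security_group_name }}"
    description: "managed by the firewall role"
    state: present

# One rule per port; whichever remote variable is unset is omitted from the call,
# so the module receives either remote_group or remote_ip_prefix, never both.
- name: open the requested TCP ports
  os_security_group_rule:
    security_group: "{{ os_security_group_name }}"
    protocol: tcp
    port_range_min: "{{ item }}"
    port_range_max: "{{ item }}"
    direction: ingress
    remote_group: "{{ os_security_group_remote_group | default(omit) }}"
    remote_ip_prefix: "{{ os_security_group_remote_ip_prefix | default(omit) }}"
    state: present
  loop: "{{ os_security_group_tcp | default([]) }}"

- name: open the requested UDP ports
  os_security_group_rule:
    security_group: "{{ os_security_group_name }}"
    protocol: udp
    port_range_min: "{{ item }}"
    port_range_max: "{{ item }}"
    direction: ingress
    remote_group: "{{ os_security_group_remote_group | default(omit) }}"
    remote_ip_prefix: "{{ os_security_group_remote_ip_prefix | default(omit) }}"
    state: present
  loop: "{{ os_security_group_udp | default([]) }}"

---
# Playbook excerpt (added example): the bind play opens only UDP 53,
# to the net, and nothing else. Constructed values: group name and CIDR.
- name: configure firewall for DNS
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: firewall
      os_security_group_name: securedrop-club-external
      os_security_group_remote_ip_prefix: 0.0.0.0/0
      os_security_group_udp: [ 53 ]

- name: setup DNS server
  hosts: [ 'bind_group' ]
  become: True

  roles:
    - role: bertvv.bind
```

Because every rule is created with `state: present` and a fixed port range, re-running the play is idempotent, and a port that is no longer listed by any playbook simply stops being created on fresh tenants; removing it from an existing group would need a matching `state: absent` task. On current Ansible the same modules live in the `openstack.cloud` collection as `openstack.cloud.security_group` and `openstack.cloud.security_group_rule` with the same parameters.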

I also propose that we have two security groups: securedrop-club for ports open to other VMs in the same tenant (with remote_group: securedrop-club) and securedrop-club-external for ports open to the net (with remote_ip_prefix: