Ansible firewall configuration

DevOps
1

Bonjour,

The firewall in ansible for securedrop-club uses a single security group and opens everything it needs for every possible (icinga, bind, postfix etc.) when the VMs are created. This is bad design and I propose it is refactored with a firewall role that can be used by a playbook to open specific ports. For instance the bind playbook would be:



    

  • 

    name: configure firewall
    
hosts: localhost
    
connection: local
    
gather_facts: False
    

    roles:
    

      

    • role: firewall
      
os_security_group_udp: [ 53 ]
      • 

    

    • 

  • 

    name: setup DNS server
    
hosts: [ ‘bind_group’ ]
    
become: True
    

    roles:
    

      

    • role: bertvv.bind
      
bind_allow_query:
      • 

    

    • 



The benefit is that the firewall is configured by the playbook that needs it.


I also propose that we have two security groups securedrop-club for ports open to other VMs in the same tenant (with remote_group: securedrop-club) and securedrop-club-external for ports open to the net (with remote_ip_prefix: 0.0.0.0/0).


Cheers







1 Like