
Add firewall setup

Emmanuel Bouthenot 11 years ago
parent
commit
3bd8182e3a

+ 7 - 0
roles/common/defaults/main.yml

@@ -18,6 +18,13 @@ with_rkhunter: False
 with_chkrootkit: False
 with_hideproc: False
 
+with_firewall: False
+firewall_opened_ports:
+  - ssh
+  - http
+  - https
+  - smtp
+
 with_smartd: False
 
 with_postfix: False
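Review bot: The default `firewall_opened_ports` list exposes `http`, `https` and `smtp` on every host that sets `with_firewall`, independent of whether `with_postfix` or a web server is actually enabled there; a narrower default such as `firewall_opened_ports: [ssh]` with services added per host or group would keep the exposed surface tied to what runs on the machine. If the broader default is intended, a comment above the list such as `# Baseline services reachable from outside; override per host/group` would make that explicit. Note also that the template appends `ssh_port` separately, so a host with a non-default `ssh_port` presumably keeps port 22 open through the `ssh` entry (resolved via /etc/services) unless `ssh` is removed from this list.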

+ 2 - 0
roles/common/handlers/firewall.yml

@@ -0,0 +1,2 @@
+- name: Apply firewall rules (ferm)
+  service: name=ferm state=reloaded

+ 1 - 0
roles/common/handlers/main.yml

@@ -1,4 +1,5 @@
 - include: base.yml
+- include: firewall.yml
 - include: security.yml
 - include: smtp.yml
 - include: ssh.yml

+ 11 - 0
roles/common/tasks/firewall.yml

@@ -0,0 +1,11 @@
+- name: Install firewall package (ferm)
+  apt: pkg={{ item }} state=installed update_cache=yes
+  with_items:
+    - ferm
+  when: with_firewall
+
+- name: Install firewall configuration (ferm.conf)
+  template: src=ferm/ferm.conf.j2 dest=/etc/ferm/ferm.conf owner=root group=root mode=0644
+  notify:
+    - Apply firewall rules (ferm)
+  when: with_firewall
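Review bot: Nothing in this task list ensures the ferm service is enabled and running, so the rules are applied only through the handler in roles/common/handlers/firewall.yml (`state=reloaded`), which presumably does nothing useful if the service is not already active after the initial package install; adding a task after the template step, `- name: Enable firewall service (ferm)` / `  service: name=ferm state=started enabled=yes` / `  when: with_firewall`, makes the first run converge. Since this template installs a `policy DROP` INPUT chain, consider also having the template task validate the rendered file before it replaces /etc/ferm/ferm.conf (ferm offers `--noexec` for a dry parse), so a rendering error does not leave a host with a broken or lockout-prone ruleset.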

+ 1 - 0
roles/common/tasks/main.yml

@@ -1,4 +1,5 @@
 - include: base.yml
+- include: firewall.yml
 - include: ovh.yml
 - include: security.yml
 - include: smtp.yml

+ 84 - 0
roles/common/templates/ferm/ferm.conf.j2

@@ -0,0 +1,84 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+#  Configuration file for ferm(1).
+#
+
+@def $PORTS = (
+{%- if firewall_opened_ports -%}
+{% for port in firewall_opened_ports %}{{ port }} {% endfor %}
+{%- endif -%}
+{%- if ssh_port is defined -%}{{ ssh_port }} {%- endif -%}
+{%- if ssh_ports_extra is defined -%}
+{% for port in ssh_ports_extra %}{{ port }} {% endfor %}
+{%- endif -%}
+); # Services running
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local packages
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # standard ports we allow from the outside
+        proto tcp dport $PORTS ACCEPT;
+    }
+
+    chain OUTPUT {
+        policy ACCEPT;
+
+        # connection tracking
+        #mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+    }
+
+    chain FORWARD {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+    }
+}
+
+domain ip6 table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow ICMP (for neighbor solicitation, like ARP for IPv4)
+        proto ipv6-icmp ACCEPT;
+
+        # standard ports we allow from the outside
+        proto tcp dport $PORTS ACCEPT;
+    }
+
+    chain OUTPUT {
+        policy ACCEPT;
+
+        # connection tracking
+        #mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+    }
+
+    chain FORWARD {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+    }
+}
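Review bot: The whitespace control on the `ssh_port` line drops the separator after the port: `{{ ssh_port }} {%- endif -%}` strips the space following the value, so when both `ssh_port` and `ssh_ports_extra` are defined the first extra port is concatenated onto `ssh_port` (e.g. `2222` and `2200` render as `22222200`) and neither is opened as intended; changing the line to `{%- if ssh_port is defined -%}{{ ssh_port }} {% endif -%}` keeps the trailing space. The `domain ip6` INPUT chain also lacks the `interface lo ACCEPT;` rule that the IPv4 chain has, so new connections to `::1` on ports outside `$PORTS` are dropped by the `policy DROP`; mirroring that line under the IPv6 connection-tracking rules would keep the two stacks consistent. If `firewall_opened_ports` is empty and neither `ssh_` variable is defined, `$PORTS` renders as an empty list; it would be worth stating in a comment above `@def $PORTS` what ferm does with `dport $PORTS` in that case, since the file otherwise gives no hint.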