Add geerlingguy.firewall with only web and ssh ports open
We want to enforce only 2 entrances to our application: via web, or via authenticated ssh.
WARNING: This role installs an init script (or systemd unit) that runs after booting. The script/unit calls a [bash script](https://github.com/geerlingguy/ansible-role-firewall/blob/master/templates/firewall.bash.j2) that flushes all iptables rules and installs the configured ones. This behavior is dangerous when Docker is present, as Docker needs some iptables rules. However, this runs before Docker, and as such, the Docker daemon just adds its rules on top of the role's ones.
This can become an issue when provisioning or executing the firewall bash script or unit/init. A simple docker restart should be enough; at most, a reboot.
I'm not a fan of this role, but it's already working in opencell-stage.coopdevs.org. The reboot worked cool.
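
The flush-then-Docker interaction described in the warning can be checked after a provisioning run. The script below is an added example, not part of the original commit or of the role: it reads `iptables-save` output and reports which Docker chains are absent. It assumes Docker's default setup (a `DOCKER` chain in the `nat` and `filter` tables); the function name, the sample rulesets and ports 22/80/443 are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which Docker-managed iptables chains are absent.
# Reads `iptables-save` text on stdin; prints one "table:chain" per missing chain.
# Assumption: Docker's default setup, which creates a DOCKER chain in nat and filter.
missing_docker_chains() {
    awk '
        /^\*/       { table = substr($0, 2) }   # "*nat" or "*filter" starts a table
        /^:DOCKER / { seen[table] = 1 }         # ":DOCKER - [0:0]" declares the chain
        END {
            if (!("nat" in seen))    print "nat:DOCKER"
            if (!("filter" in seen)) print "filter:DOCKER"
        }'
}

# Constructed sample: state right after the firewall script flushed everything
# and installed only its own rules (ports 22/80/443 are assumed values).
FLUSHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Constructed sample: the same host after the Docker daemon (re)started and
# added its chains on top of the firewall rules.
WITH_DOCKER='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
COMMIT'

echo "after flush:   $(printf '%s\n' "$FLUSHED" | missing_docker_chains | tr '\n' ' ')"
echo "after restart: $(printf '%s\n' "$WITH_DOCKER" | missing_docker_chains | tr '\n' ' ')"
# On a live host (as root): iptables-save | missing_docker_chains
# Any output means the Docker rules are gone and the daemon needs a restart.
```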