path: root/ansible/roles/router
Diffstat (limited to 'ansible/roles/router')
-rw-r--r--ansible/roles/router/files/ferm.conf41
-rw-r--r--ansible/roles/router/tasks/main.yml26
2 files changed, 16 insertions, 51 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
index c1bd652..1867e84 100644
--- a/ansible/roles/router/files/ferm.conf
+++ b/ansible/roles/router/files/ferm.conf
@@ -13,46 +13,11 @@
@def $NET_PRIVATE = 10.0.0.0/16;
table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local connections
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
-
- # allow SSH connections from the private network and all
- # Internet hosts. We do not want to restrict ssh to only a
- # small number of "well known" hosts, since there's often a
- # need to connect from net cafes and customer sites.
- proto tcp dport ssh ACCEPT;
- }
-
- # outgoing connections are not limited
+ chain INPUT policy ACCEPT;
chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # connections from the internal net to the internet or to other
- # internal nets are allowed
- interface $DEV_PRIVATE ACCEPT;
- }
+ chain FORWARD policy ACCEPT;
}
table nat {
- chain POSTROUTING {
- # masquerade private IP addresses
-# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
- MASQUERADE;
- }
+ chain POSTROUTING MASQUERADE;
}
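Review bot: The new `chain FORWARD policy ACCEPT;` together with `chain POSTROUTING MASQUERADE;` turns the host into an unrestricted forwarder and NAT for any interface: the removed FORWARD rules only admitted traffic entering on `$DEV_PRIVATE` (plus established/related replies), whereas now anything arriving on the world-facing interface can be forwarded into `$NET_PRIVATE`, and the unqualified MASQUERADE rewrites the source of every forwarded packet rather than only private addresses leaving via `$DEV_WORLD`. The same hunk also drops the `mod state state INVALID DROP` rule on INPUT, so the host no longer discards malformed conntrack states. If the intent is only to open INPUT while debugging, FORWARD and POSTROUTING should keep their interface and address qualifiers; a minimal form is below (`$DEV_WORLD` is referenced in the removed commented-out line and is presumed to be defined above the hunk — confirm). If the relaxation is deliberate, a comment in ferm.conf stating why the router is open would help the next reader.
```ferm
table filter {
    chain INPUT policy ACCEPT;
    chain OUTPUT policy ACCEPT;
    chain FORWARD {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface $DEV_PRIVATE ACCEPT;
    }
}
table nat {
    chain POSTROUTING saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
}
```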
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index aa0e6bc..3c95278 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
@@ -1,18 +1,18 @@
-# - name: install ferm
-# apt: name=ferm
+- name: install ferm
+ apt: name=ferm
-# - name: install ferm.conf
-# copy:
-# src: ferm.conf
-# dest: /etc/ferm/ferm.conf
-# owner: root
-# group: root
-# mode: 0640
+- name: install ferm.conf
+ copy:
+ src: ferm.conf
+ dest: /etc/ferm/ferm.conf
+ owner: root
+ group: root
+ mode: 0640
-# - name: restart ferm
-# service:
-# name: ferm
-# state: restarted
+- name: restart ferm
+ service:
+ name: ferm
+ state: restarted
- name: set up packet forwarding sysctl config
copy: