09f78d2f6c
* Insert should have type int. * Add insert_relative_to option. * Add changelog. * Add tests. * Improve comment.
80 lines
1.4 KiB
YAML
80 lines
1.4 KiB
YAML
---
|
|
- name: Enable
|
|
ufw:
|
|
state: enabled
|
|
register: enable
|
|
|
|
# ## CREATE RULES ############################
|
|
- name: ipv4
|
|
ufw:
|
|
rule: deny
|
|
port: 22
|
|
to_ip: 0.0.0.0
|
|
- name: ipv4
|
|
ufw:
|
|
rule: deny
|
|
port: 23
|
|
to_ip: 0.0.0.0
|
|
|
|
- name: ipv6
|
|
ufw:
|
|
rule: deny
|
|
port: 122
|
|
to_ip: "::"
|
|
- name: ipv6
|
|
ufw:
|
|
rule: deny
|
|
port: 123
|
|
to_ip: "::"
|
|
|
|
- name: first-ipv4
|
|
ufw:
|
|
rule: deny
|
|
port: 10
|
|
to_ip: 0.0.0.0
|
|
insert: 0
|
|
insert_relative_to: first-ipv4
|
|
- name: last-ipv4
|
|
ufw:
|
|
rule: deny
|
|
port: 11
|
|
to_ip: 0.0.0.0
|
|
insert: 0
|
|
insert_relative_to: last-ipv4
|
|
|
|
- name: first-ipv6
|
|
ufw:
|
|
rule: deny
|
|
port: 110
|
|
to_ip: "::"
|
|
insert: 0
|
|
insert_relative_to: first-ipv6
|
|
- name: last-ipv6
|
|
ufw:
|
|
rule: deny
|
|
port: 111
|
|
to_ip: "::"
|
|
insert: 0
|
|
insert_relative_to: last-ipv6
|
|
|
|
# ## CHECK RESULT ############################
|
|
- name: Get rules
|
|
shell: |
|
|
ufw status | grep DENY | cut -f 1-2 -d ' ' | grep -E "^(0\.0\.0\.0|::) [123]+"
|
|
# Note that there was also a rule "ff02::fb mDNS" on at least one CI run;
|
|
# to ignore these, the extra filtering (grepping for DENY and the regex) makes
|
|
# sure to remove all rules not added here.
|
|
register: ufw_status
|
|
- assert:
|
|
that:
|
|
- ufw_status.stdout_lines == expected_stdout
|
|
vars:
|
|
expected_stdout:
|
|
- "0.0.0.0 10"
|
|
- "0.0.0.0 22"
|
|
- "0.0.0.0 11"
|
|
- "0.0.0.0 23"
|
|
- ":: 110"
|
|
- ":: 122"
|
|
- ":: 111"
|
|
- ":: 123"
|