Make ufw incoming ssh connection ip-ranges configurable;

e4c70e59 · Gallenkamp, Fabian · f9e86b69 · e4c70e59 · e4c70e59
Commit e4c70e59 authored 5 years ago by Gallenkamp, Fabian
--- a/configure_ufw.yml
+++ b/configure_ufw.yml
@@ -3,43 +3,32 @@
  become: true
  hosts: all
  tasks:
-    # setup ufw ssh rules
+    # setup ufw ssh exception/limiting rules
-    - name: allow ssh access from uni-hamburg ip range
+    - name: allow ssh access from specified ip ranges
      ufw:
        rule: allow
        app: OpenSSH
-        from_ip: 134.100.0.0/16
+        from_ip: "{{ item }}"
+      with_items: "{{ ufw_ssh_allowed_from }}"
-    - name: allow ssh access from internal ip range a)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 192.168.0.0/16
-    - name: allow ssh access from internal ip range b)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 172.16.0.0/12
    - name: rate limiting ssh access
      ufw:
        rule: limit
        app: OpenSSH
-    # setup nginx web server rule
+    # setup nginx web server exception rule
    - name: allow access of nginx webserver from everywhere
      ufw:
        rule: allow
        name: Nginx Full
-    # set default rules
+    # set default deny rules
    - name: deny any other incoming traffic by default
      ufw:
        state: enabled
        default: deny
        direction: incoming
+    # set default allow rule for outgoing, FIXME: do it more granulary (only http/https)
    - name: allow any outgoing traffic by default
      ufw:
        state: enabled

--- a/group_vars/otree_servers.yml.example
+++ b/group_vars/otree_servers.yml.example
@@ -53,3 +53,6 @@ otree_users:
 ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt"
 ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key"
+ufw_ssh_allowed_from:
+  - "192.168.0.0/16"
+  - "172.16.0.0/12"