From e4c70e59c95f8d41ef8533cfb0792ae3bf01f6fb Mon Sep 17 00:00:00 2001
From: bax1489 <fabian.gallenkamp@uni-hamburg.de>
Date: Thu, 29 Aug 2019 14:40:44 +0200
Subject: [PATCH] Make ufw incoming ssh connection ip-ranges configurable;

---
 configure_ufw.yml                    | 25 +++++++------------------
 group_vars/otree_servers.yml.example |  3 +++
 2 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/configure_ufw.yml b/configure_ufw.yml
index 2d00d2f..f74ede5 100644
--- a/configure_ufw.yml
+++ b/configure_ufw.yml
@@ -3,43 +3,32 @@
   become: true
   hosts: all
   tasks:
-    # setup ufw ssh rules
-    - name: allow ssh access from uni-hamburg ip range
+    # setup ufw ssh exception/limiting rules
+    - name: allow ssh access from specified ip ranges
       ufw:
         rule: allow
         app: OpenSSH
-        from_ip: 134.100.0.0/16
-
-    - name: allow ssh access from internal ip range a)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 192.168.0.0/16
-
-    - name: allow ssh access from internal ip range b)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 172.16.0.0/12
+        from_ip: "{{ item }}"
+      with_items: "{{ ufw_ssh_allowed_from }}"
 
     - name: rate limiting ssh access
       ufw:
         rule: limit
         app: OpenSSH
 
-    # setup nginx web server rule
+    # setup nginx web server exception rule
     - name: allow access of nginx webserver from everywhere
       ufw:
         rule: allow
         name: Nginx Full
 
-    # set default rules
+    # set default deny rules
     - name: deny any other incoming traffic by default
       ufw:
         state: enabled
         default: deny
         direction: incoming
-
+    # set default allow rule for outgoing, FIXME: do it more granulary (only http/https)
     - name: allow any outgoing traffic by default
       ufw:
         state: enabled
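Review bot: The new `ufw_ssh_allowed_from` list does not actually restrict where SSH can come from, because the `rate limiting ssh access` task right after the loop still issues `rule: limit` with `app: OpenSSH` and no `from_ip`, and ufw's `limit` is an allow-with-rate-limit that matches any source. After this play SSH is reachable from every address (just throttled), so the per-range allow rules only exempt the listed ranges from throttling; the old hardcoded version had the same shape, but the commit message reads as if the variable now controls SSH exposure. If the intent is to restrict SSH to the listed ranges, scope the limit rule the same way, `from_ip: "{{ item }}"` and `with_items: "{{ ufw_ssh_allowed_from }}"`, and drop the unscoped one; if the world-reachable rate-limited fallback is deliberate (admins outside the list), say so above the task, e.g. `# NOTE: limit == allow with throttling; SSH stays reachable from any source, the list above only exempts trusted ranges from throttling`. Separately, the loop has no `default([])`, so a host whose group omits `ufw_ssh_allowed_from` presumably fails this task and never reaches the default-deny task below — worth either documenting as required or failing fast with an explicit assert rather than leaving the host's firewall in whatever state it was.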
diff --git a/group_vars/otree_servers.yml.example b/group_vars/otree_servers.yml.example
index 225b0ca..be821da 100644
--- a/group_vars/otree_servers.yml.example
+++ b/group_vars/otree_servers.yml.example
@@ -53,3 +53,6 @@ otree_users:
 ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt"
 ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key"
 
+ufw_ssh_allowed_from:
+  - "192.168.0.0/16"
+  - "172.16.0.0/12"
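Review bot: The new variable has no comment explaining what it controls or what happens when it is empty, and the example silently drops the 134.100.0.0/16 range that the playbook used to hardcode, so someone copying this file onto a host managed from outside RFC1918 space will not get an explicit allow rule for their own address. Add a short comment above the key such as `# Source CIDRs that get an explicit "allow OpenSSH" rule in configure_ufw.yml; the list must be defined for every host group the play targets, and an empty list leaves only the unscoped rate-limit rule in place` so the operator knows to add their management range rather than assume the defaults are complete.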
-- 
GitLab