Put ALL firewall rules in /etc/ufw/before.rules.

diff --git a/README.org b/README.org
index 8f83da9c89adaed70cf80a9408ec03ed5b82c7fc..7dfdfc44787ac4d8fb4e9389042a5ba01d26707a 100644 (file)
--- a/README.org
+++ b/README.org
@@ -1814,8 +1814,8 @@ be masquerading as their access point(s).
 #+NAME: iot-forward
 #+CAPTION: ~iot-forward~
 #+BEGIN_SRC conf
--A ufw-user-forward -i lan -o wild -j ACCEPT
--A ufw-user-forward -i wg0 -o wild -j ACCEPT
+-A ufw-before-forward -i lan -o wild -j ACCEPT
+-A ufw-before-forward -i wg0 -o wild -j ACCEPT
 #+END_SRC
 
 The ~lan~ interface encompasses the private LAN and the public VPN.
@@ -1823,32 +1823,23 @@ The second rule includes the campus VPN.
 
 ** Configure UFW for IoT
 
-The following tasks install the additional rules in =before.rules=
-and =user.rules= (as in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
+The following task installs the additional rules in =before.rules= (as
+in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
 
 #+CAPTION: [[file:roles_t/abbey-gate/tasks/main.yml][=roles_t/abbey-gate/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/abbey-gate/tasks/main.yml :noweb no-export :mkdirp yes
 ---
-- name: Configure UFW NAT rules for IoT.
+- name: Configure UFW rules for IoT.
   become: yes
   blockinfile:
     block: |
       *nat
       <<iot-nat>>
       COMMIT
-    dest: /etc/ufw/before.rules
-    marker: "# {mark} ABBEY MANAGED BLOCK"
-    insertafter: EOF
-    prepend_newline: yes
-
-- name: Configure UFW FORWARD rules for IoT.
-  become: yes
-  blockinfile:
-    block: |
       *filter
       <<iot-forward>>
       COMMIT
-    dest: /etc/ufw/user.rules
+    dest: /etc/ufw/before.rules
     marker: "# {mark} ABBEY MANAGED BLOCK"
     insertafter: EOF
     prepend_newline: yes

diff --git a/roles_t/abbey-gate/tasks/main.yml b/roles_t/abbey-gate/tasks/main.yml
index d045e740dc37f8e7f892d65e88e1d4c2e1cfa042..8de5f6e96399a87bb1aaef56a65458e36356e337 100644 (file)
--- a/roles_t/abbey-gate/tasks/main.yml
+++ b/roles_t/abbey-gate/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: Configure UFW NAT rules for IoT.
+- name: Configure UFW rules for IoT.
   become: yes
   blockinfile:
     block: |
@@ -7,20 +7,11 @@
       -A POSTROUTING -s {{   private_net_cidr }} -o wild -j MASQUERADE
       -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
       COMMIT
-    dest: /etc/ufw/before.rules
-    marker: "# {mark} ABBEY MANAGED BLOCK"
-    insertafter: EOF
-    prepend_newline: yes
-
-- name: Configure UFW FORWARD rules for IoT.
-  become: yes
-  blockinfile:
-    block: |
       *filter
-      -A ufw-user-forward -i lan -o wild -j ACCEPT
-      -A ufw-user-forward -i wg0 -o wild -j ACCEPT
+      -A ufw-before-forward -i lan -o wild -j ACCEPT
+      -A ufw-before-forward -i wg0 -o wild -j ACCEPT
       COMMIT
-    dest: /etc/ufw/user.rules
+    dest: /etc/ufw/before.rules
     marker: "# {mark} ABBEY MANAGED BLOCK"
     insertafter: EOF
     prepend_newline: yes