From: Matt Birkholz
Date: Wed, 14 Jan 2026 17:52:31 +0000 (-0700)
Subject: Put ALL firewall rules in /etc/ufw/before.rules.
X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=85529f69d9baf6d01e6df9870ad1a7c20b3613d6;p=Network.git
Put ALL firewall rules in /etc/ufw/before.rules.
---
diff --git a/README.org b/README.org
index 8f83da9..7dfdfc4 100644
--- a/README.org
+++ b/README.org
@@ -1814,8 +1814,8 @@ be masquerading as their access point(s).
 #+NAME: iot-forward
 #+CAPTION: ~iot-forward~
 #+BEGIN_SRC conf
--A ufw-user-forward -i lan -o wild -j ACCEPT
--A ufw-user-forward -i wg0 -o wild -j ACCEPT
+-A ufw-before-forward -i lan -o wild -j ACCEPT
+-A ufw-before-forward -i wg0 -o wild -j ACCEPT
 #+END_SRC
 The ~lan~ interface encompasses the private LAN and the public VPN.
@@ -1823,32 +1823,23 @@ The second rule includes the campus VPN. ** Configure UFW for IoT -The following tasks install the additional rules in =before.rules= -and =user.rules= (as in [[file:Institute/README.org::*Configure UFW][Configure UFW]]). +The following task installs the additional rules in =before.rules= (as +in [[file:Institute/README.org::*Configure UFW][Configure UFW]]). #+CAPTION: [[file:roles_t/abbey-gate/tasks/main.yml][=roles_t/abbey-gate/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-gate/tasks/main.yml :noweb no-export :mkdirp yes --- -- name: Configure UFW NAT rules for IoT. +- name: Configure UFW rules for IoT. become: yes blockinfile: block: | *nat <> COMMIT - dest: /etc/ufw/before.rules - marker: "# {mark} ABBEY MANAGED BLOCK" - insertafter: EOF - prepend_newline: yes - -- name: Configure UFW FORWARD rules for IoT. - become: yes - blockinfile: - block: | *filter <> COMMIT - dest: /etc/ufw/user.rules + dest: /etc/ufw/before.rules marker: "# {mark} ABBEY MANAGED BLOCK" insertafter: EOF prepend_newline: yes
diff --git a/roles_t/abbey-gate/tasks/main.yml b/roles_t/abbey-gate/tasks/main.yml
index d045e74..8de5f6e 100644
--- a/roles_t/abbey-gate/tasks/main.yml 
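Review bot: The move into `ufw-before-forward` quietly changes precedence, and the `iot-forward` listing does not say whether that is intended: ufw's FORWARD chain visits the before chain ahead of `ufw-user-forward`, so a `ufw route deny` rule added later through the ufw command would no longer be able to block lan→wild or wg0→wild forwarding, whereas the old `ufw-user-forward` placement left that possible. If the new precedence is deliberate, a one-line comment inside the block would make it explicit for the next reader, e.g. `# Evaluated before ufw-user-forward; ufw route rules cannot override these accepts.` (iptables-restore ignores `#` lines, so it can live in the rules text itself). The same two rules are tangled into roles_t/abbey-gate/tasks/main.yml, whose second hunk at the end of this diff carries the identical change and would pick the comment up on the next tangle.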
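Review bot: The merged task writes the `*nat` and `*filter` sections to /etc/ufw/before.rules, but nothing removes the block that the deleted "Configure UFW FORWARD rules for IoT" task left behind in /etc/ufw/user.rules, so a host configured before this change keeps a second copy of the old `ufw-user-forward` accepts that no task manages any more, unless ufw happens to regenerate that file on its own. Reusing the same marker and dest as the old NAT task means blockinfile replaces the existing before.rules block in place, which is fine; it is only the user.rules leftover that needs an explicit cleanup. This file is the tangle source for roles_t/abbey-gate/tasks/main.yml, so the extra task belongs in this source block; a `state: absent` blockinfile with the same marker would do it:

```yaml
- name: Remove stale UFW FORWARD rules for IoT from user.rules.
  become: yes
  blockinfile:
    path: /etc/ufw/user.rules
    marker: "# {mark} ABBEY MANAGED BLOCK"
    state: absent
```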
+++ b/roles_t/abbey-gate/tasks/main.yml
@@ -1,5 +1,5 @@ --- -- name: Configure UFW NAT rules for IoT. +- name: Configure UFW rules for IoT. become: yes blockinfile: block: |
@@ -7,20 +7,11 @@ -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE COMMIT - dest: /etc/ufw/before.rules - marker: "# {mark} ABBEY MANAGED BLOCK" - insertafter: EOF - prepend_newline: yes - -- name: Configure UFW FORWARD rules for IoT. - become: yes - blockinfile: - block: | *filter - -A ufw-user-forward -i lan -o wild -j ACCEPT - -A ufw-user-forward -i wg0 -o wild -j ACCEPT + -A ufw-before-forward -i lan -o wild -j ACCEPT + -A ufw-before-forward -i wg0 -o wild -j ACCEPT COMMIT - dest: /etc/ufw/user.rules + dest: /etc/ufw/before.rules marker: "# {mark} ABBEY MANAGED BLOCK" insertafter: EOF prepend_newline: yes