From 85529f69d9baf6d01e6df9870ad1a7c20b3613d6 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Wed, 14 Jan 2026 10:52:31 -0700
Subject: [PATCH] Put ALL firewall rules in /etc/ufw/before.rules.

---
 README.org | 21 ++++++---------------
 roles_t/abbey-gate/tasks/main.yml | 17 ++++------------
 2 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/README.org b/README.org
index 8f83da9..7dfdfc4 100644
--- a/README.org
+++ b/README.org
@@ -1814,8 +1814,8 @@ be masquerading as their access point(s).
 #+NAME: iot-forward
 #+CAPTION: ~iot-forward~
 #+BEGIN_SRC conf
--A ufw-user-forward -i lan -o wild -j ACCEPT
--A ufw-user-forward -i wg0 -o wild -j ACCEPT
+-A ufw-before-forward -i lan -o wild -j ACCEPT
+-A ufw-before-forward -i wg0 -o wild -j ACCEPT
 #+END_SRC
 
 The ~lan~ interface encompasses the private LAN and the public VPN.
@@ -1823,32 +1823,23 @@ The second rule includes the campus VPN.
 
 ** Configure UFW for IoT
 
-The following tasks install the additional rules in =before.rules=
-and =user.rules= (as in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
+The following task installs the additional rules in =before.rules= (as
+in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
 
 #+CAPTION: [[file:roles_t/abbey-gate/tasks/main.yml][=roles_t/abbey-gate/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/abbey-gate/tasks/main.yml :noweb no-export :mkdirp yes
 ---
-- name: Configure UFW NAT rules for IoT.
+- name: Configure UFW rules for IoT.
 become: yes
 blockinfile:
 block: |
 *nat
 <>
 COMMIT
- dest: /etc/ufw/before.rules
- marker: "# {mark} ABBEY MANAGED BLOCK"
- insertafter: EOF
- prepend_newline: yes
-
-- name: Configure UFW FORWARD rules for IoT.
- become: yes
- blockinfile:
- block: |
 *filter
 <>
 COMMIT
- dest: /etc/ufw/user.rules
+ dest: /etc/ufw/before.rules
 marker: "# {mark} ABBEY MANAGED BLOCK"
 insertafter: EOF
 prepend_newline: yes
diff --git a/roles_t/abbey-gate/tasks/main.yml b/roles_t/abbey-gate/tasks/main.yml
index d045e74..8de5f6e 100644
--- a/roles_t/abbey-gate/tasks/main.yml
+++ b/roles_t/abbey-gate/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: Configure UFW NAT rules for IoT.
+- name: Configure UFW rules for IoT.
 become: yes
 blockinfile:
 block: |
@@ -7,20 +7,11 @@
 -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
 -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
 COMMIT
- dest: /etc/ufw/before.rules
- marker: "# {mark} ABBEY MANAGED BLOCK"
- insertafter: EOF
- prepend_newline: yes
-
-- name: Configure UFW FORWARD rules for IoT.
- become: yes
- blockinfile:
- block: |
 *filter
- -A ufw-user-forward -i lan -o wild -j ACCEPT
- -A ufw-user-forward -i wg0 -o wild -j ACCEPT
+ -A ufw-before-forward -i lan -o wild -j ACCEPT
+ -A ufw-before-forward -i wg0 -o wild -j ACCEPT
 COMMIT
- dest: /etc/ufw/user.rules
+ dest: /etc/ufw/before.rules
 marker: "# {mark} ABBEY MANAGED BLOCK"
 insertafter: EOF
 prepend_newline: yes
--
2.47.3
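Review bot: The two `ufw-before-forward` ACCEPT rules added in the second hunk match only on interfaces (`-i lan`/`-i wg0`, `-o wild`) with no source address, while the `POSTROUTING` rules three lines above are scoped with `-s {{ private_net_cidr }}` and `-s {{ public_wg_net_cidr }}`; since the before chain is consulted ahead of the user chains, any packet entering those interfaces, whatever its source, is now forwarded before a later user-level deny could see it. Scoping the forward rules the same way as the NAT rules keeps the two consistent, e.g. `-A ufw-before-forward -i lan -s {{ private_net_cidr }} -o wild -j ACCEPT`; which CIDR(s) belong on the `wg0` rule is not visible in this hunk, so confirm that against the NAT rules and the interface layout before copying it. It is also not visible whether a handler reloads ufw after the block changes; if none exists, the rewritten `before.rules` only takes effect on the next reload. Minor style: `dest:` is the legacy alias for blockinfile's `path:`, and `become: yes` / `prepend_newline: yes` read more clearly as `true`.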