add vm eap-adp-jump01
with a basic playbook for configuration
This commit is contained in:
parent
0f79a64d94
commit
dbe8978987
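--- a/files/pf.conf
+++ b/files/pf.conf
@@ -0,0 +1,27 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+
+block return # block stateless traffic
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# allow outgoing tcp, udp and icmp
+pass out proto { tcp, udp } from self to any
+pass out inet proto icmp from self to any
+pass out inet6 proto icmp6 from self to any
+
+# allow incoming icmp
+pass in inet proto icmp from any to self
+pass in inet6 proto icmp6 from any to self
+
+# allow incoming ssh
+pass in proto tcp from any to self port ssh
+
+include "/etc/pf.include.conf"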
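Review bot: The `include "/etc/pf.include.conf"` on the last line is the only deviation from the stock OpenBSD ruleset, and its position matters: pf applies the last matching rule unless a rule says `quick`, so anything placed in the include file overrides every `block`/`pass` rule above it, and pfctl refuses to load the ruleset at all if the included file is missing (the playbook's first task only touches it into existence). A comment above the include such as `# site-specific rules; loaded last, so they override the defaults above (file must exist)` would make both facts explicit to the next editor. Given the inventory address 162.55.53.85 is publicly routable, the `pass in proto tcp from any to self port ssh` rule is also a candidate for state-tracking limits (`keep state (max-src-conn-rate ...)` with an overload table) or a source restriction — left as a suggestion since the intended management sources are not visible here.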
@ -22,3 +22,6 @@ gw-core01 ip=192.168.10.45
[server]
[server]
hyper01 ip=10.84.1.21
hyper01 ip=10.84.1.21
[vms]
eae-adp-jump01 ip=162.55.53.85 ansible_python_interpreter=/usr/local/bin/python3
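Review bot: The new host is entered as `eae-adp-jump01`, while the commit title and the play `name:` in the new playbook call it `eap-adp-jump01`; the playbook's `hosts: eae-adp-jump01` matches this inventory spelling, so the play does run, but one of the two looks like a typo and a later correction has to touch both files at once. Settling on one spelling now, e.g. `eap-adp-jump01 ip=162.55.53.85 ansible_python_interpreter=/usr/local/bin/python3` here together with `hosts: eap-adp-jump01` in the playbook, avoids that drift.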
@ -0,0 +1,31 @@
---
- name: provision eap-adp-jump01
hosts: eae-adp-jump01
tasks:
- name: create /etc/pf.include.conf
file:
path: /etc/pf.include.conf
state: touch
mode: 0600
access_time: preserve
- name: basic firewall configuration
copy:
src: files/pf.conf
dest: /etc/pf.conf
validate: "/sbin/pfctl -vnf %s"
notify:
- reload firewall
- name: activate routing
blockinfile:
content: |
net.inet.ip.forwarding=0
net.inet6.ip6.forwarding=0
path: /etc/sysctl.conf
mode: 0600
create: yes
handlers:
- name: reload firewall
command: pfctl -vf /etc/pf.conf
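Review bot: The task named `activate routing` writes `net.inet.ip.forwarding=0` and `net.inet6.ip6.forwarding=0`, which turns forwarding off rather than on, so the name and the values contradict each other; for a jump host the `0` values look intended, in which case `- name: disable IP forwarding` describes what the task does. Writing these into `/etc/sysctl.conf` with `blockinfile` only takes effect at the next boot, so a handler such as `command: sysctl net.inet.ip.forwarding=0 net.inet6.ip6.forwarding=0` (or the `sysctl` module, which writes the file and applies the value) is needed for the running system. The first task's `state: touch` with only `access_time: preserve` still bumps the modification time on every run and reports changed; adding `modification_time: preserve` makes it idempotent. `mode: 0600` (in both tasks) and `create: yes` should be written as `mode: "0600"` and `create: true` so the YAML parser does not reinterpret them as an octal integer and a YAML 1.1 boolean.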