From 209f80efa32958da017368f1da4521f54d2ab916 Mon Sep 17 00:00:00 2001
From: mg
Date: Wed, 23 Dec 2020 17:34:11 +0100
Subject: [PATCH] =?UTF-8?q?ufw:=20Regeln=20versch=C3=A4rft=20(#11)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Docker: allow all weg, dafür einzelne dienste freigeschaltet smb aus lan jenkins-webgui aus lan pihole-webgui aus lan acng aus LAN ssh nur aus LAN
Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com>
Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/11
---
group_vars/acng.yml | 2 ++
group_vars/all.yml | 1 +
group_vars/dns.yml | 2 ++
group_vars/docker.yml | 30 +++++++++++++++++++++---------
group_vars/dokuwiki.yml | 1 +
group_vars/jenkins.yml | 2 ++
group_vars/storage.yml | 3 +++
group_vars/wireguard.yml | 1 +
8 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/group_vars/acng.yml b/group_vars/acng.yml
index a7a2df93..867b2401 100644
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@@ -4,9 +4,11 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' - rule: allow to_port: 9999 + from_ip: 192.168.2.0/24 comment: 'acng' ### mgrote.acng acng_server_port: 9999
diff --git a/group_vars/all.yml b/group_vars/all.yml
index e67a913f..9cf5af5f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -38,6 +38,7 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' ### ryandaniels.create_users users:
diff --git a/group_vars/dns.yml b/group_vars/dns.yml
index bab88c81..e94e4354 100644
--- a/group_vars/dns.yml
+++ b/group_vars/dns.yml
@@ -4,9 +4,11 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' - rule: allow to_port: 80 + from_ip: 192.168.2.0/24 comment: 'pihole-webgui' - rule: allow to_port: 53
diff --git a/group_vars/docker.yml b/group_vars/docker.yml
index 8c19a767..a98bd39f 100644
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
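Review bot: The LAN range `192.168.2.0/24` is pasted as a literal into the new `from_ip` lines of this hunk and likewise into all.yml, dns.yml, docker.yml, dokuwiki.yml, jenkins.yml, storage.yml and wireguard.yml, so a change of the LAN subnet has to touch eight files and a missed one silently keeps the old scope. Because `ufw_rules` is a list, a group file's list replaces the all.yml list instead of merging with it, so the per-group rules themselves cannot be deduplicated, but the address can: define it once in all.yml (a constructed name such as `lan_cidr`) and write `from_ip: "{{ lan_cidr }}"` in every rule. The new `acng` rule on 9999 has no `protocol:`, so ufw opens udp as well as tcp; if the service only speaks tcp, `protocol: tcp` narrows it, and the same applies to the port-80 rule in dns.yml, the 80/443/8080/333/3001 rules in docker.yml, the 8080 rule in jenkins.yml and the 445/139 rules in storage.yml.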
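Review bot: The narrowed ssh rule only restricts anything if ufw's default incoming policy is deny; that setting is not in the hunk, so confirm `ufw_default_incoming_policy: deny` (oefenweb.ufw) is set in all.yml or that the role default is relied on deliberately. Every other group file in this patch defines its own `ufw_rules`, and Ansible replaces list variables rather than merging them, so this entry only reaches hosts that are in no group with a list of its own; a comment above the rule such as `# baseline only: a group file that defines ufw_rules replaces this whole list` would keep the next editor from assuming it applies fleet-wide.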
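Review bot: The hunk makes the Pi-hole web UI on 80 LAN-only but leaves the following `to_port: 53` rule untouched; its remaining keys lie outside the hunk, so whether it carries a source restriction is not visible here. If the resolver is only meant to serve 192.168.2.0/24, the same `from_ip: 192.168.2.0/24` belongs on that rule; if it is intentionally open, a comment like `# 53: deliberately not limited to the LAN` records the decision so it is not "fixed" later.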
@@ -1,15 +1,28 @@ --- ### oefenweb.ufw ufw_rules: -# - rule: allow -# to_port: 22 -# protocol: tcp -# comment: 'ssh' -# - rule: allow -# to_port: 3000 -# comment: 'rssbridge' - rule: allow - comment: 'alles erlauben' + to_port: 22 + protocol: tcp + from_ip: 192.168.2.0/24 + comment: 'ssh' + - rule: allow + to_port: 80 + comment: 'docker-traefik' + - rule: allow + to_port: 443 + comment: 'docker-traefik' + - rule: allow + to_port: 8080 + comment: 'docker-traefik' + - rule: allow + to_port: 333 + comment: 'docker-homer' + - rule: allow + to_port: 3001 + comment: 'docker-rssbridge' +# - rule: allow +# comment: 'alles erlauben' ### geerlingguy.docker docker_users: - mg
@@ -46,4 +59,3 @@ /var/lib/docker/volumes/***musik*** # https://github.com/restic/restic/issues/1005 # https://forum.restic.net/t/exclude-syntax-confusion/1531/12 -
diff --git a/group_vars/dokuwiki.yml b/group_vars/dokuwiki.yml
index 453f1807..b0bc765f 100644
--- a/group_vars/dokuwiki.yml
+++ b/group_vars/dokuwiki.yml
@@ -6,6 +6,7 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' - rule: allow to_port: 80
diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml
index 9cd8989a..c155bf27 100644
--- a/group_vars/jenkins.yml
+++ b/group_vars/jenkins.yml
@@ -21,9 +21,11 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' - rule: allow to_port: 8080 + from_ip: 192.168.2.0/24 comment: 'jenkins' ### mgrote.restic restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins
diff --git a/group_vars/storage.yml b/group_vars/storage.yml
index acbe8cb0..1a39e0dd 100644
--- a/group_vars/storage.yml
+++ b/group_vars/storage.yml
@@ -28,12 +28,15 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' - rule: allow to_port: 445 + from_ip: 192.168.2.0/24 comment: 'smb' - rule: allow to_port: 139 + from_ip: 192.168.2.0/24 comment: 'smb' - rule: allow to_port: 9000:9010
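Review bot: The new traefik (80, 443, 8080), homer (333) and rssbridge (3001) rules carry no `from_ip`, so once the 'alles erlauben' rule is gone those ports stay open to every source while ssh in the same hunk is LAN-only as the commit message describes; 8080 is presumably a dashboard or secondary entrypoint rather than the public one, and 333/3001 read as internal tools, so `from_ip: 192.168.2.0/24` on them would match the stated intent. Separately, if these ports are published by containers (geerlingguy.docker is configured right below the hunk), these ufw rules do not govern them at all: Docker installs its own iptables rules for published ports ahead of ufw's chains, and only rules in the DOCKER-USER chain or a daemon with iptables handling disabled restrict container traffic. A comment above `ufw_rules` stating which entries are host services and which are container ports (and where the container ports are actually filtered) would make the coverage explicit. The two commented-out 'alles erlauben' lines at the end are dead configuration; git history keeps them, so drop them.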
diff --git a/group_vars/wireguard.yml b/group_vars/wireguard.yml
index 144b479a..0a09fb24 100644
--- a/group_vars/wireguard.yml
+++ b/group_vars/wireguard.yml
@@ -4,6 +4,7 @@ - rule: allow to_port: 22 protocol: tcp + from_ip: 192.168.2.0/24 comment: 'ssh' interface: ens18 - rule: allow
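Review bot: With `interface: ens18` plus the new `from_ip: 192.168.2.0/24`, ssh on this host is accepted only from LAN addresses arriving on the physical interface; peers connecting through the WireGuard tunnel normally come in on the wg interface with tunnel addresses, so administering this host over the tunnel stops working unless a rule outside the hunk covers it. If tunnel access is wanted, add a second ssh rule for the tunnel interface and subnet; if the LAN-only restriction is deliberate, say so, e.g. `# ssh: LAN via ens18 only, not reachable over the tunnel by design`. The rule that begins at the hunk's last line continues outside it.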