ufw: Regeln verschärft (#11)

Docker: allow all weg, dafür einzelne dienste freigeschaltet smb aus lan jenkins-webgui aus lan pihole-webgui aus lan acng aus LAN ssh nur aus LAN Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com> Reviewed-on: mg/ansible#11
2020-12-23 17:34:11 +01:00 · 2020-12-23 17:34:11 +01:00 · 209f80efa3
commit 209f80efa3
parent 10438d1246
8 changed files with 33 additions and 9 deletions
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@ -4,9 +4,11 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
    - rule: allow
      to_port: 9999
+      from_ip: 192.168.2.0/24
      comment: 'acng'
  ### mgrote.acng
  acng_server_port: 9999
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -38,6 +38,7 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
  ### ryandaniels.create_users
  users:
--- a/group_vars/dns.yml
+++ b/group_vars/dns.yml
@ -4,9 +4,11 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
    - rule: allow
      to_port: 80
+      from_ip: 192.168.2.0/24
      comment: 'pihole-webgui'
    - rule: allow
      to_port: 53
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -1,15 +1,28 @@
 ---
  ### oefenweb.ufw
  ufw_rules:
-#    - rule: allow
-#      to_port: 22
-#      protocol: tcp
-#      comment: 'ssh'
-#    - rule: allow
-#      to_port: 3000
-#      comment: 'rssbridge'
    - rule: allow
-      comment: 'alles erlauben'
+      to_port: 22
+      protocol: tcp
+      from_ip: 192.168.2.0/24
+      comment: 'ssh'
+    - rule: allow
+      to_port: 80
+      comment: 'docker-traefik'
+    - rule: allow
+      to_port: 443
+      comment: 'docker-traefik'
+    - rule: allow
+      to_port: 8080
+      comment: 'docker-traefik'
+    - rule: allow
+      to_port: 333
+      comment: 'docker-homer'
+    - rule: allow
+      to_port: 3001
+      comment: 'docker-rssbridge'
+#    - rule: allow
+#      comment: 'alles erlauben'
  ### geerlingguy.docker
  docker_users:
    - mg
@ -46,4 +59,3 @@
        /var/lib/docker/volumes/***musik***
        # https://github.com/restic/restic/issues/1005
        # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
-        
--- a/group_vars/dokuwiki.yml
+++ b/group_vars/dokuwiki.yml
@ -6,6 +6,7 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
    - rule: allow
      to_port: 80
--- a/group_vars/jenkins.yml
+++ b/group_vars/jenkins.yml
@ -21,9 +21,11 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
    - rule: allow
      to_port: 8080
+      from_ip: 192.168.2.0/24
      comment: 'jenkins'
  ### mgrote.restic
  restic_folders_to_backup: /usr/local /etc /root /home /var/lib/jenkins
--- a/group_vars/storage.yml
+++ b/group_vars/storage.yml
@ -28,12 +28,15 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
    - rule: allow
      to_port: 445
+      from_ip: 192.168.2.0/24
      comment: 'smb'
    - rule: allow
      to_port: 139
+      from_ip: 192.168.2.0/24
      comment: 'smb'
    - rule: allow
      to_port: 9000:9010
--- a/group_vars/wireguard.yml
+++ b/group_vars/wireguard.yml
@ -4,6 +4,7 @@
    - rule: allow
      to_port: 22
      protocol: tcp
+      from_ip: 192.168.2.0/24
      comment: 'ssh'
      interface: ens18
    - rule: allow