bau-sec/ansible-openvpn-hardened

Use firewalld in CentOS/RHEL 7.x instead of iptables

Closed · 1 comment

Hi, I am creating my own openvpn role based on your work, and when testing I had a hard time configuring iptables on CentOS 7.x.

I made changes to make it use firewalld instead of pure iptables-services. Here they are:

14,17c14,49
< - name: OpenVPN | Firewall | Enable iptables service
<   service:
<     name: iptables
<     enabled: true
---
> - name: Configure FirewallD
>   block:
>     - name: OpenVPN | Firewalld | Enable OpenVPN Service
>       firewalld:
>         service: openvpn
>         permanent: true
>         state: enabled
> 
>     - name: OpenVPN | Firewalld | Set vpn networks as trusted zone
>       firewalld:
>         source: "{{ item.cidr }}"
>         zone: trusted
>         permanent: true
>         state: enabled
>       with_items:
>         - "{{ openvpn_instances }}"
> 
>     - name: OpenVPN | Firewalld | Enable Masquerade routing for zone trusted
>       firewalld:
>         masquerade: yes
>         permanent: true
>         state: enabled
> 
>     - name: OpenVPN | Firewalld | Disable SSH global access
>       firewalld:
>         service: ssh
>         state: disabled
>         zone: public
>         permanent: true
> 
>     - name: OpenVPN | Firewalld | Enable SSH From DMZ
>       firewalld:
>         service: ssh
>         permanent: true
>         state: enabled
>         zone: trusted

I wouldn't arbitrarily enable and/or install firewalld. This could definitely cause issues in areas such as AWS when building out route chains.

The preferable way is to execute your block if FirewallD is present OR if the user sets a boolean like "firewalld: true" or something to that effect.
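One way to gate the block as suggested above, as an added example that is not part of the issue, the proposed diff, or the project's own tasks: detect a running firewalld from `service_facts`, OR it with an explicit opt-in variable, and fall back to the original iptables service enablement otherwise. The variable name `openvpn_firewalld` and the `openvpn_manage_firewalld` fact are assumptions chosen for the example; `openvpn_instances` items are assumed to carry a `cidr` key as in the diff. The masquerade rule is placed on the public zone (the egress side) and every rule is applied with `immediate: true` so it is live without a reload.

```yaml
# Added example, not the project's code. Assumed variables:
#   openvpn_firewalld   - optional role variable, default false (explicit opt-in)
#   openvpn_instances   - list of dicts, each with a .cidr key (as in the diff)
- name: OpenVPN | Firewall | Gather service facts
  service_facts:

- name: OpenVPN | Firewall | Decide whether to manage firewalld
  set_fact:
    openvpn_manage_firewalld: >-
      {{ (openvpn_firewalld | default(false) | bool)
         or (ansible_facts.services['firewalld.service'].state | default('') == 'running') }}

- name: Configure FirewallD
  when: openvpn_manage_firewalld | bool
  block:
    - name: OpenVPN | Firewalld | Ensure firewalld is enabled and running
      service:
        name: firewalld
        enabled: true
        state: started

    - name: OpenVPN | Firewalld | Allow the OpenVPN service in the default zone
      firewalld:
        service: openvpn
        permanent: true
        immediate: true
        state: enabled

    - name: OpenVPN | Firewalld | Add VPN client networks to the trusted zone
      firewalld:
        source: "{{ item.cidr }}"
        zone: trusted
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ openvpn_instances }}"

    # Masquerading belongs on the zone of the egress interface, so the zone
    # is set explicitly instead of relying on the module's default zone.
    - name: OpenVPN | Firewalld | Masquerade VPN traffic leaving via the public zone
      firewalld:
        zone: public
        masquerade: true
        permanent: true
        immediate: true
        state: enabled

# Keep the role's original behaviour when firewalld is neither present nor requested.
- name: OpenVPN | Firewall | Enable iptables service
  service:
    name: iptables
    enabled: true
  when: not openvpn_manage_firewalld | bool
```

With this shape a host that already runs firewalld is managed through it, a host without it keeps the iptables path unless the operator sets `openvpn_firewalld: true`, and nothing installs or enables firewalld behind the operator's back.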