nftables: create a block rules section and move pagure blocks to it

Before, the custom rules were actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so it wasn't
really blocking anything.

This moves them to a block_rules applied before the ports are allowed.
Also move pagure's to that new rule list.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2025-04-29 11:36:20 -07:00
parent 0571feb2ce
commit ebffcee73c
2 changed files with 8 additions and 1 deletion


@ -7,12 +7,13 @@ custom_rules: [
'-A INPUT -s 47.76.209.138/32 -j REJECT',
'-A INPUT -s 47.76.99.127/32 -j REJECT'
]
nft_custom_rules:
nft_block_rules:
- 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject'
- 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
- 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject'
- 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject'
- 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject'
- 'add rule ip filter INPUT ip saddr 66.249.64.0/24 counter reject'
# For the MOTD
db_backup_dir: ['/backups']
dbs_to_backup: ['pagure']
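Review bot: the two iptables REJECT entries for 47.76.209.138/32 and 47.76.99.127/32 stay in `custom_rules`, which the commit message says is applied after the allow rules, so on a host that is still on iptables they remain ineffective just as the nft ones were; either drop them (both addresses fall inside the 47.76.0.0/14 entry now in `nft_block_rules`) or give the iptables path an equivalent block list that is inserted before the accepts. Renaming the key from `nft_custom_rules` to `nft_block_rules` rather than adding a new key also means any template that still iterates `nft_custom_rules` without a default will fail to render; the second changed file is not shown on this page, so it is worth confirming it is the role template that consumes `nft_block_rules` ahead of the accept rules and that no other host still defines `nft_custom_rules`. The `+`/`-` markers were lost in rendering, so which of the `nft_block_rules` entries are newly added here cannot be checked from this view.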