Restrict london-b Samba (445) to LAN + Tailscale, off public internet
Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing SMB/CIFS to the public internet. Tailscale already reaches it through the tailscale0 allow-all rule, so scope the explicit rule to the local London LAN (192.168.1.0/24) instead of the world. The common UFW task only ever adds allow rules, so it gained support for an optional per-port from_ip, plus a follow-up task that deletes the superseded world-open variant of any source-restricted port — otherwise the old '445 ALLOW Anywhere' rule would linger on the host and defeat the change. PESO-145
This commit is contained in:
parent
644b608831
commit
ede9193996
2 changed files with 20 additions and 1 deletions
|
|
@ -33,4 +33,7 @@ common_ufw_allowed_ports:
|
||||||
- { port: 32400, proto: tcp, comment: "Plex Media Server" }
|
- { port: 32400, proto: tcp, comment: "Plex Media Server" }
|
||||||
- { port: 6881, proto: tcp, comment: "BitTorrent" }
|
- { port: 6881, proto: tcp, comment: "BitTorrent" }
|
||||||
- { port: 6881, proto: udp, comment: "BitTorrent" }
|
- { port: 6881, proto: udp, comment: "BitTorrent" }
|
||||||
- { port: 445, proto: tcp, comment: "Samba" }
|
# SMB is reachable over Tailscale via the tailscale0 allow-all rule; this
|
||||||
|
# entry additionally allows the local London LAN. Deliberately NOT open to
|
||||||
|
# the public internet (see PESO-145).
|
||||||
|
- { port: 445, proto: tcp, from_ip: "192.168.1.0/24", comment: "Samba (LAN only)" }
|
||||||
|
|
|
||||||
|
|
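Review bot: The new 445 entry is the only item in this list whose safety depends on the common role honouring the per-port `from_ip` key, and the comment block above it does not say so; if the role is ever pinned to a revision without that support, the key would presumably be dropped without error and 445/tcp would be opened to the world again, since the allow task only maps the keys it knows. Suggest adding a line to the comment such as `# Relies on the common role's from_ip support; the role also deletes the old 'allow 445/tcp' from-anywhere rule.` so a reader of the vars file understands both the dependency and why the previous broad rule disappears from the host.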
@ -99,6 +99,7 @@
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "{{ item.port | string }}"
|
port: "{{ item.port | string }}"
|
||||||
proto: "{{ item.proto | default('tcp') }}"
|
proto: "{{ item.proto | default('tcp') }}"
|
||||||
|
from_ip: "{{ item.from_ip | default(omit) }}"
|
||||||
comment: "{{ item.comment | default(omit) }}"
|
comment: "{{ item.comment | default(omit) }}"
|
||||||
loop: "{{ common_ufw_allowed_ports }}"
|
loop: "{{ common_ufw_allowed_ports }}"
|
||||||
when:
|
when:
|
||||||
|
|
@ -106,6 +107,21 @@
|
||||||
- common_ufw_allowed_ports | length > 0
|
- common_ufw_allowed_ports | length > 0
|
||||||
notify: Reload ufw
|
notify: Reload ufw
|
||||||
|
|
||||||
|
# When a port is restricted to a source (from_ip), make sure the older
|
||||||
|
# unrestricted "allow from anywhere" variant of the same rule isn't left
|
||||||
|
# lingering on the host — UFW keeps it otherwise, which would defeat the
|
||||||
|
# source restriction. Deleting an absent rule is a no-op, so this is safe
|
||||||
|
# on hosts that never had the broad rule.
|
||||||
|
- name: Remove superseded world-open rules for source-restricted ports
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ item.port | string }}"
|
||||||
|
proto: "{{ item.proto | default('tcp') }}"
|
||||||
|
delete: true
|
||||||
|
loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"
|
||||||
|
when: common_ufw_enabled | bool
|
||||||
|
notify: Reload ufw
|
||||||
|
|
||||||
- name: Enable UFW
|
- name: Enable UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
|
|
|
||||||
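Review bot: The selector in the delete task, `loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | list }}"`, treats any item that merely has a from_ip key as source-restricted, so an entry written as `from_ip: any` (the module's own default) or `0.0.0.0/0` would be added by the allow task and then removed by this task, leaving the port closed with no error. Excluding the catch-all values keeps the task to what its name promises: `loop: "{{ common_ufw_allowed_ports | selectattr('from_ip', 'defined') | rejectattr('from_ip', 'in', ['any', '0.0.0.0/0', '::/0']) | list }}"`. Two smaller points: the delete only matches the exact `port/proto` spec, so a hand-added variant on a host (a rule without a proto, or via an application profile) would likely survive and the comment block should say so; and this task's `when: common_ufw_enabled | bool` omits the `common_ufw_allowed_ports | length > 0` guard the allow task carries, which is harmless only because the loop is empty in that case. The allow task's `when:` list begins in the previous hunk and its full condition is not visible here.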