pez-infra/ansible/roles/common/tasks
Rasmus Wejlgaard ede9193996 Restrict london-b Samba (445) to LAN + Tailscale, off public internet
Samba on london-b was allowed on 445/tcp from anywhere via UFW, exposing
SMB/CIFS to the public internet. Tailscale already reaches it through the
tailscale0 allow-all rule, so scope the explicit rule to the local London
LAN (192.168.1.0/24) instead of the world.

The common UFW task only ever adds allow rules, so it gained support for an
optional per-port from_ip, plus a follow-up task that deletes the superseded
world-open variant of any source-restricted port — otherwise the old
'445 ALLOW Anywhere' rule would linger on the host and defeat the change.

PESO-145
2026-06-07 11:32:37 +01:00
main.yml Restrict london-b Samba (445) to LAN + Tailscale, off public internet 2026-06-07 11:32:37 +01:00