Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Setting up Firewalls with the ufw Module
0:00 With our basic packages including Fail2ban installed we next want to set the firewall rules and we'll use the ufw module to handle that.
0:08 Head back under roles into common tasks and security.yml. We're going to create a couple new tasks here.
0:17 First, we want to enable SSH within the firewall. We'll use the ufw module, which is how we manage firewalls on Linux systems.
0:27 And we're going to set the rule to allow on port 22 which is the SSH port. And we will need to become superuser to do that.
0:34 Next we want to actually enable the firewall. What these two rules are going to do: first, we're going to make sure that we can still
0:47 log in via SSH to our servers so we can continue our configuration. And then second, we're going to lock down every other port other than port 22.
0:53 So this means no incoming HTTP or HTTPS connections, or any other type of protocol except for SSH. Now, when we create the tasks for our web server
1:01 we're going to allow additional ports to be accessible, in particular port 80 and port 443, which are for HTTP and HTTPS.
1:10 For now, this one should be fine for us. What we want to do is make sure we can log in before and after running these tasks.
1:16 Let's make sure that we can still SSH into one of our servers. No problem, it uses our private key in order to authenticate us. Now let's rerun Ansible.
1:36 Okay, now if we try to SSH back into the server let's make sure that everything works. And we're good.
1:43 Real quick though, let's make sure that the other ports do not respond. We can use the cat command to simulate a connection
1:48 on a port that we want to access. So, for example, if we wanted to access the SSH port we'll see that the server at 142.93.123.128 responds
1:57 back with the protocol. If we hit Control + C it'll get out of that. And if we take a look at port 80, nothing there. 443, nothing there.
2:08 So it looks like our firewall is now in place and we can grant exceptions based on the type of server such as a web server that requires port 80
2:15 and 443 or port 5432 which is the default for Postgres.
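The two tasks described in this lecture, written out as an added example rather than the course's own security.yml; it assumes the ufw module from the community.general collection (the short name `ufw` also works on older Ansible) and also shows the web-role exception for ports 80 and 443 that the lecture mentions at the end:

```yaml
# roles/common/tasks/security.yml (added example, not the course file)
# Order matters: the SSH allow rule must exist BEFORE the firewall is
# enabled with a default-deny policy, or Ansible locks itself out.
- name: Allow SSH (port 22) through the firewall
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp
  become: yes

- name: Enable ufw and deny all other incoming connections by default
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming
  become: yes

# roles/web/tasks/main.yml (added example): the exceptions a web server
# needs. Anything not listed here stays blocked by the default deny.
- name: Allow HTTP and HTTPS on web servers
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"
  become: yes
```

After running the play, `sudo ufw status verbose` on the host should list only 22/tcp (plus 80/tcp and 443/tcp on web servers) as ALLOW IN, with the default policy shown as deny (incoming).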