Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Setting up Firewalls with the ufw Module
0:00 With our basic packages including Fail2ban installed
0:02 we next want to set the firewall rules
0:04 and we'll use the ufw module to handle that.
0:07 Head back under roles into common tasks
0:12 and security.yml.
0:14 We're going to create a couple new tasks here.
0:16 First, we want to enable SSH within the firewall.
0:22 We'll use the ufw module which is how we manage
0:25 firewalls on Linux systems.
0:26 And we're going to set the rule to allow on port 22
0:29 which is the SSH port.
0:31 And we will need to become superuser to do that.
0:33 Next we want to actually enable the firewall.
0:43 What these two rules are going to do
0:44 first we're going to make sure that we can still
0:46 log in via SSH to our servers so we can continue
0:48 our configuration.
0:49 And then second, we're going to lock down every other port
0:51 other than port 22.
0:52 So this means no incoming HTTP or HTTPS connections
0:56 any other type of protocol except for SSH.
0:58 Now when we create the tasks for our web server
1:00 we're going to allow additional ports to be accessible
1:03 in particular, port 80 and port 443 which are
1:06 for HTTP and HTTPS.
1:09 For now, this one should be fine for us.
1:11 What we want to do is make sure we can log in
1:13 before and after running these tasks.
1:15 Let's make sure that we can still SSH
1:17 into one of our servers.
1:22 No problem, it uses our private key in order
1:24 to authenticate us.
1:25 Now let's rerun Ansible.
1:35 Okay, now if we try to SSH back into the server
1:38 let's make sure that everything works.
1:41 And we're good.
1:42 Real quick though, let's make sure that the other ports
1:44 do not respond.
1:45 We can use the cat command to simulate a connection
1:47 on a port that we want to access.
1:49 So for example if we wanted to access the SSH port
1:52 we'll see that the server at 142.93.123.128 responds
1:56 back with the protocol.
1:58 If we hit Control + C it'll get out of that.
1:59 And if we take a look at port 80
2:01 nothing there. 443, nothing there.
2:07 So it looks like our firewall is now in place
2:09 and we can grant exceptions based on the type
2:11 of server such as a web server that requires port 80
2:14 and 443 or port 5432 which is the default for Postgres.