Feature/new fw continued

group_vars/all/vars.yml

@@ -7,13 +7,6 @@ ssh_host_signer_key_types: '.*(rsa|ed25519).*'
 ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}{% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}"
 slurm_database_name: "{{ stack_prefix }}_slurm_accounting"
 ai_jumphost: "{{ lookup('env','AI_PROXY') }}"
-#
-# Configure allowed network ports for geerlingguy.firewall role
-#
-firewall_allowed_tcp_ports:
-  - '22'   # SSH
-  - '9100'   # Node Exporter
-
 #
 # Local volume size (root partition) for all instances
 #

group_vars/cluster.yml

@@ -1,11 +1,3 @@
 ---
 ansible_python_interpreter: /usr/bin/python2.7
-#
-# Configure allowed network ports for geerlingguy.firewall role
-#
-firewall_allowed_tcp_ports:
-  - '22'   # SSH
-  - '6817' # Slurm
-  - '6818' # Slurm
-  - '6819' # Slurm
 ...

group_vars/data_transfer.yml

@@ -1,7 +1,10 @@
 ---
-firewall_allowed_tcp_ports:
-  - 22   # SSH.
-  - 443  # SSH.
+iptables_allow_icmp_inbound:
+  - ANY
+iptables_allow_https_inbound:
+  - ANY  # On data_transfer servers port 443 is used for SSH too.
+iptables_allow_ssh_inbound:
+  - ANY
 ssh_host_signer_hostnames: "{{ ansible_hostname }}\
   {% for network_id in ip_addresses[ansible_hostname] %}\
     {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and

group_vars/docs.yml

@@ -1,11 +1,32 @@
 ---
 #
-# Configure allowed network ports for geerlingguy.firewall role
+# Firewall configuration.
 #
-firewall_allowed_tcp_ports:
-  - '22'   # SSH
-  - '80'   # HTTP
-  - '443'  # HTTPS
+iptables_allow_icmp_inbound:
+  - "{{ all.ip_addresses['umcg']['net1'] }}"
+  - "{{ all.ip_addresses['umcg']['net2'] }}"
+  - "{{ all.ip_addresses['umcg']['net3'] }}"
+  - "{{ all.ip_addresses['umcg']['net4'] }}"
+  - "{{ all.ip_addresses['rug']['bwp_net'] }}"
+  - "{{ all.ip_addresses['rug']['operator'] }}"
+  - "{{ all.ip_addresses['gcc']['cloud_net'] }}"
+  - "{{ fender_cluster.ip_addresses['corridor']['public'] }}"
+  - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}"
+  - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}"
+  - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}"
+  - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_ssh_inbound:
+  - "{{ fender_cluster.ip_addresses['corridor']['public'] }}"
+  - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}"
+  - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}"
+  - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}"
+  - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_http_inbound:
+  - ANY
+iptables_allow_https_inbound:
+  - ANY
 extra_jumphosts_for_docs_server:
   - 'airlock'     # Gearshift
   - 'reception'   # Talos

group_vars/gearshift_cluster/ip_addresses.yml

@@ -4,7 +4,6 @@ ip_addresses:
     vlan983:
       address: 172.23.40.36
       netmask: /32
-      publicly_exposed: true  # This internal IP is linked to a public (floating) IP.
     vlan16:
       address: 129.125.60.196
       netmask: /32

group_vars/irods.yml

@@ -1,11 +1,19 @@
 ---
-firewall_allowed_tcp_ports:                 # list of open ports on iCAT server
-  - "22"    # SSH.
-  - "443"   # davrods SSL
-  - "1247"  # irods
-  - "1248"  # Control Plane Port
-  - "5432"  # PostgreSQL
-  - "20000:20199"  # irods
+#
+# Firewall configuration.
+#
+iptables_allow_icmp_inbound:
+  - ANY
+iptables_allow_ssh_inbound:
+  - ANY
+iptables_allow_ssh_outbound:
+  - ANY
+iptables_allow_https_inbound:
+  - ANY  # For DAVRODS.
+iptables_allow_irods:
+  - ANY
+iptables_allow_postgres_outbound:
+  - ANY
 
 ir_version: '-4.2.11*'                  # if defined (empty): version will be installed (must start with '-' and end with '*')
 ir_server_type: 'icat'                  # iRODS Server Type

group_vars/jenkins.yml

@@ -1,11 +1,39 @@
 ---
 #
-# Configure allowed network ports for geerlingguy.firewall role
+# Firewall configuration.
 #
-firewall_allowed_tcp_ports:
-  - '22'   # SSH
-  - '80'   # HTTP
-  - '443'  # HTTPS
+iptables_allow_icmp_inbound:
+  - "{{ all.ip_addresses['umcg']['net1'] }}"
+  - "{{ all.ip_addresses['umcg']['net2'] }}"
+  - "{{ all.ip_addresses['umcg']['net3'] }}"
+  - "{{ all.ip_addresses['umcg']['net4'] }}"
+  - "{{ all.ip_addresses['rug']['bwp_net'] }}"
+  - "{{ all.ip_addresses['rug']['operator'] }}"
+  - "{{ all.ip_addresses['gcc']['cloud_net'] }}"
+  - "{{ fender_cluster.ip_addresses['corridor']['public'] }}"
+  - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}"
+  - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}"
+  - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}"
+  - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_ssh_inbound:
+  - "{{ fender_cluster.ip_addresses['corridor']['public'] }}"
+  - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}"
+  - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}"
+  - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}"
+  - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}"
+  - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}"
+iptables_allow_ssh_outbound:
+  - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}"
+  - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}"
+iptables_allow_https_inbound:
+  - "{{ all.ip_addresses['umcg']['net1'] }}"
+  - "{{ all.ip_addresses['umcg']['net2'] }}"
+  - "{{ all.ip_addresses['umcg']['net3'] }}"
+  - "{{ all.ip_addresses['umcg']['net4'] }}"
+  - "{{ all.ip_addresses['rug']['bwp_net'] }}"
+  - "{{ all.ip_addresses['rug']['operator'] }}"
+  - "{{ all.ip_addresses['gcc']['cloud_net'] }}"
 extra_jumphosts_for_jenkins_server:
   - 'airlock'     # Gearshift
   - 'reception'   # Talos

group_vars/jumphost.yml

@@ -1,10 +1,12 @@
 ---
-firewall_allowed_tcp_ports:
-  - 22    # SSH.
-  - 443   # SSH fallback when 22 is blocked.
-  - 3000  # Grafana server.
-firewall_additional_rules:
-  - "iptables -A INPUT -i eth1 -p tcp -s 129.125.2.233,129.125.2.225,129.125.2.226 --dport 9090 -j ACCEPT -m comment --comment 'prometheus server'"
+iptables_allow_icmp_inbound:
+  - ANY
+iptables_allow_https_inbound:
+  - ANY  # Port 443 is used as fallback for SSH on jumphosts. Port 443 outbound is allowed by default.
+iptables_allow_ssh_inbound:
+  - ANY
+iptables_allow_ssh_outbound:
+  - ANY
 ssh_host_signer_hostnames: "{{ ansible_hostname }}\
   {% for network_id in ip_addresses[ansible_hostname] %}\
     {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and

group_vars/talos_cluster/ip_addresses.yml

@@ -4,7 +4,6 @@ ip_addresses:
     vlan983:
       address: 172.23.40.100
       netmask: /32
-      publicly_exposed: true  # This internal IP is linked to a public (floating) IP.
     vlan16:
       address: 129.125.60.18
       netmask: /32

group_vars/talos_cluster/vars.yml

@@ -176,93 +176,4 @@ ega_fuse_client_mounts:
   cineca: '/groups/umcg-cineca/prm08/ega-fuse-client'
   solve_rd: '/groups/umcg-solve-rd/prm08/ega-fuse-client'
 ega_fuse_client_java_home: '/etc/alternatives/jre_11_openjdk'
-iptables_allow_icmp_inbound:
-  - 'umcg_net1'
-  - 'umcg_net2'
-  - 'umcg_net3'
-  - 'rug_bwp_net'
-  - 'rug_operator'
-  - 'rug_gcc_cloud_net'
-  - 'foyer'
-  - 'boxy'
-  - 'bender'
-  - 'lobby'
-  - 'calculon'
-  - 'flexo'
-  - 'gate'
-  - 'zinc_finger'
-  - 'coenzyme'
-  - 'passage'
-  - 'leucine_zipper'
-  - 'chaperone'
-  - 'airlock'
-  - 'jenkins1'
-  - 'jenkins2'
-iptables_allow_ssh_inbound:
-  - 'umcg_net1'
-  - 'umcg_net2'
-  - 'umcg_net3'
-  - 'rug_bwp_net'
-  - 'rug_operator'
-  - 'foyer'
-  - 'boxy'
-  - 'bender'
-  - 'lobby'
-  - 'calculon'
-  - 'flexo'
-  - 'gate'
-  - 'zinc_finger'
-  - 'coenzyme'
-  - 'passage'
-  - 'leucine_zipper'
-  - 'chaperone'
-  - 'airlock'
-  - 'jenkins1'
-  - 'jenkins2'
-iptables_allow_ssh_outbound:
-  - 'foyer'
-  - 'boxy'
-  - 'bender'
-  - 'lobby'
-  - 'calculon'
-  - 'flexo'
-  - 'gate'
-  - 'peregrine'
-  - 'gattaca01'
-  - 'gattaca02'
-  - 'cher_ami'
-  - 'eriba_ds'
-  - 'molgenis_downloads'
-  - 'airlock'
-  - 'surfsara_grid_ui'
-  - 'lumc_shark_ui'
-  - 'cnag_sftp'
-  - 'erasmus_mc_net'
-  - 'rug_f5_net'
-  - 'sanger_sftp'
-iptables_allow_ebi_mysql_outbound:
-  - 'ebi_sanger_net1'
-  - 'ebi_sanger_net2'
-iptables_allow_ftp_outbound:
-  - 'ebi_sanger_net1'
-  - 'ebi_sanger_net2'
-  - 'broad_ftp'
-  - 'ncbi_net1'
-  - 'ncbi_net2'
-iptables_allow_aspera_outbound:
-  - 'ebi_sanger_net1'
-  - 'ebi_sanger_net2'
-  - 'broad_aspera_1'
-  - 'broad_aspera_2'
-  - 'broad_aspera_3'
-  - 'broad_aspera_4'
-  - 'broad_aspera_5'
-  - 'broad_aspera_6'
-  - 'broad_aspera_7'
-  - 'broad_aspera_8'
-  - 'broad_aspera_9'
-  - 'ncbi_net1'
-  - 'ncbi_net2'
-iptables_allow_globus_outbound:
-  - 'sanger_globus'
 ...

requirements.yml

@@ -3,8 +3,6 @@
 #
 ---
 roles:
-  - src: geerlingguy.firewall
-    version: 2.5.0
   - src: geerlingguy.repo-epel
     version: 3.0.0
   - src: geerlingguy.security

roles/include_vars_from_other_groups/tasks/main.yml

@@ -7,6 +7,7 @@
   register: ip_addresses_files_found
   delegate_to: localhost
   connection: local
+  run_once: true
 
 - name: Include ip_addresses per stack from ip_addresses.yml files.
   ansible.builtin.include_vars:
@@ -16,10 +17,12 @@
   register: included_ip_addresses
   delegate_to: localhost
   connection: local
+  run_once: true
 
 - name: Combine network info from ip_addresses per stack into one dict for all items from all stacks.
   ansible.builtin.set_fact:
     all_ip_addresses: "{{ included_ip_addresses.results | json_query('[].ansible_facts.*[].ip_addresses') | combine() }}"
   delegate_to: localhost
   connection: local
+  run_once: true
 ...