Ansible role for CSF
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
defaults
files/rules/common
handlers
meta
tasks
.travis.yml
CHANGELOG.md
CONTRIBUTING.md
LICENSE
README.md
VERSION

README.md

CSF Ansible Role

GitHub version Build Status

Requirements

None

Role Variables

Variables are done in two stages:

  • csf_global_conf
    Variables within this scope are done at a group level and are deployed to all servers
  • csf_conf
    Variables within this scope should only be done on a per-server basis
  • csf_allow_ip Values in that array will be added to /etc/csf/csf.allow file
  • csf_rules
    Rules placed into this variable are copied from role_dir/files/rules/common/{{ item.rule }}.allow
    TODO: Make this a lot neater

Dependencies

None

Example Playbook

- hosts: firewalls
  roles:
     - { role: jloh.csf-ansible-role }

In group_vars/firewalls:

csf_global_conf:
  - name: CLUSTER_PORT
    config: "7786"
  - name: CLUSTER_KEY
    config: "some random cluster key"
  - name: DENY_TEMP_IP_LIMIT
    config: "200"
  - name: LF_CONSOLE_EMAIL_ALERT
    config: "1"
  - name: LF_GLOBAL
    config: "3600"
  - name: GLOBAL_DYNDNS_INTERVAL
    config: "600"
  - name: URLGET
    config: "2"

csf_allow:
 - 12.12.12.12	# office IP
 - 138.44.33.22	# monitoring
 - 198.33.22.11
 - 45.22.11.22
 
csf_ignore:
 - 12.12.12.12	# office IP
 - 138.44.33.22	# monitoring
 - 198.33.22.11
 - 45.22.11.22

csf_blocklists:
  - SPAMEDROP
  - DSHIELD
  - TOR
  - ALTTOR
  - BOGON
  - HONEYPOT
  - CIARMY
  - BFB
  - OPENBL
  - AUTOSHUN
  - MAXMIND
  - BDE
  - STOPFORUMSPAM

In host_vars/firewall-01:

csf_conf:
  - name: CLUSTER_RECVFROM
    config: "162.243.144.14,103.4.18.200,80.69.77.247"
  - name: CLUSTER_SENDTO
    config: "162.243.144.14,103.4.18.200,80.69.77.247"
  - name: TCP_IN
    config: "80,443"
  - name: TCP_OUT
    config: "25,53,80,443"
  - name: UDP_IN
    config: ""
  - name: UDP_OUT
    config: "25,123"
  - name: TCP6_IN
    config: "80,443"
  - name: TCP6_OUT
    config: "25,53,80,443"
  - name: UDP6_IN
    config: ""
  - name: UDP6_OUT
    config: "25,123"

 csf_rules:
  - rule: nagios
  - rule: munin

License

MIT

Contributors

Many! Please checkout the contributors graph!

Author Information

For other roles and general tech information please feel free to checkout my blog.