anthcourtney / ansible-role-cis-amazon-linux

Ansible role to apply CIS Amazon Linux Benchmark v2.0.0
MIT License
154 stars 140 forks

Firewall Issues and Suggestions #35

Closed chandanchowdhury closed 6 years ago

chandanchowdhury commented 6 years ago

While customizing the role for our own use we found a few things which I think will enhance this fantastic Ansible role.

1) 3.6.2 should be applied at the end, i.e., after 3.6.5. Setting the default policy to DROP all unmatched traffic will close all incoming ports before we have a chance to open required ports like SSH.

2) 3.6.2 uses the Ansible iptables 'JUMP' parameter to create a rule to DROP traffic, but should actually use the 'POLICY' parameter to set the default policy. With 'JUMP' the default policy remains ACCEPT.

3) 3.6.5 should have a rule to accept incoming new SSH connections. The benchmark suggests that we find all currently open ports and create rules to allow them, so allowing incoming SSH connections should be okay and is required for Ansible to work. In a strict scenario, we may want to use a variable to provide the Ansible task with an allowed IP range(s).

Please let me know your view/comments.
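The three points above (apply the allow rules first, set the default policy with `policy` rather than a `jump: DROP` rule, and allow new SSH from a configurable source range) can be illustrated with a task ordering like the one below. This is an added example, not the role's own tasks or code from the issue: the task names follow the CIS 3.6.x numbering mentioned in the issue, and the `cis_allowed_ssh_sources` variable is an assumption.

```yaml
# Added example, not the role's own tasks. Ordering: loopback and
# established/related allow rules, then the SSH allow rule (3.6.5), and
# only then the default-DROP policy (3.6.2), so the Ansible SSH session
# that is applying the role is never cut off. Variable names are assumed.
- name: 3.6.3 Allow all traffic on the loopback interface
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: 3.6.4 Allow established and related inbound traffic
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: [ESTABLISHED, RELATED]
    jump: ACCEPT

- name: 3.6.4 Allow new and established outbound traffic
  ansible.builtin.iptables:
    chain: OUTPUT
    ctstate: [NEW, ESTABLISHED]
    jump: ACCEPT

- name: 3.6.5 Allow new SSH connections from each permitted source range
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "22"
    ctstate: NEW
    source: "{{ item }}"
    jump: ACCEPT
  # Assumed role variable; a permissive default would be ['0.0.0.0/0'].
  loop: "{{ cis_allowed_ssh_sources }}"

# Uses the module's `policy` parameter so the chain's default policy
# itself becomes DROP. A rule with `jump: DROP` would leave the policy
# line (`-P INPUT ACCEPT`) unchanged, which is the bug in point 2.
- name: 3.6.2 Set the default policy to DROP (applied last)
  ansible.builtin.iptables:
    chain: "{{ item }}"
    policy: DROP
  loop:
    - INPUT
    - OUTPUT
    - FORWARD
```

To confirm on a host which variant was applied, `iptables -S INPUT` prints the chain's policy on its first line: `-P INPUT DROP` means the `policy` parameter took effect, while `-P INPUT ACCEPT` followed by a `-A INPUT -j DROP` rule is the `jump`-based form the issue describes. Running the allow rules before the policy change means a failed or interrupted play leaves the host reachable rather than locked out.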

chandanchowdhury commented 6 years ago

Implemented by PR #39