This pull request modifies the Ansible role to install ufw and set up NATing via the ufw configuration instead of directly using iptables.
π Motivation and Context
We previously set up NATing using iptables directly. Now that we are required to harden the OpenVPN AMI, it ends up with ufw installed. As a result, it makes more sense now to set up the NAT via ufw, so that all the firewall configuration is consolidated and ufw and the iptables-restore toolchain don't clobber each other.
Tangentially related to cisagov/openvpn-packer#24.
See also cisagov/openvpn-server-tf-module#40.
π§ͺ Testing
These changes have been used to deploy a working OpenVPN AMI to our staging COOL environment.
π₯ Types of Changes
[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[x] Breaking change (causes existing functionality to change)
β Checklist
[x] My code follows the code style of this project.
[x] My change requires a change to the documentation.
π£ Description
This pull request modifies the Ansible role to install
ufwand set up NATing via theufwconfiguration instead of directly usingiptables.π Motivation and Context
We previously set up NATing using
iptablesdirectly. Now that we are required to harden the OpenVPN AMI, it ends up withufwinstalled. As a result, it makes more sense now to set up the NAT viaufw, so that all the firewall configuration is consolidated andufwand theiptables-restoretoolchain don't clobber each other.Tangentially related to cisagov/openvpn-packer#24.
See also cisagov/openvpn-server-tf-module#40.
π§ͺ Testing
These changes have been used to deploy a working OpenVPN AMI to our staging COOL environment.
π₯ Types of Changes
β Checklist