dj-wasabi / ansible-zabbix-agent

Installing and maintaining zabbix-agent for RedHat/Debian/Ubuntu/Windows/Suse.
https://galaxy.ansible.com/dj-wasabi/zabbix-agent
MIT License
327 stars 248 forks

Added INSERT iptables action instead of default APPEND #249

Closed and-win closed 5 years ago

and-win commented 5 years ago

Description of PR: By default, the iptables module uses the APPEND action, which adds a rule at the end of the rule list. Such a rule will not work if it is added after a rule that rejects all traffic. For example:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10050 

Type of change: Improvement
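The ordering problem described in this comment, as an added example that is not part of the thread or of the role's code: a Python check that parses `iptables -S` output, reports rules sitting behind an unconditional REJECT/DROP/ACCEPT, and compares append with insert placement. The function names and the sample ruleset are constructed for illustration; the sample assumes the unqualified ACCEPT in the listing above is a loopback rule.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that stop chain traversal

# Constructed `iptables -S` sample modelled on the listing above. Assumption: its
# unqualified ACCEPT is a loopback rule (`-L -n` without `-v` hides `-i lo`).
BASE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
AGENT_RULE = "-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT"


def parse_chain(ruleset, chain="INPUT"):
    """Return (matches, target, line) for each rule of the chain, in order."""
    rules = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", chain] and "-j" in tok:
            j = tok.index("-j")
            rules.append((tok[2:j], tok[j + 1], line))
    return rules


def shadowed(ruleset, chain="INPUT"):
    """Rules listed after an unconditional terminal rule; nothing reaches them."""
    rules = parse_chain(ruleset, chain)
    for pos, (matches, target, _) in enumerate(rules):
        if not matches and target in TERMINAL:
            return [line for _, _, line in rules[pos + 1:]]
    return []


def add_rule(ruleset, rule, action):
    """Model the two placements: append (end of chain) or insert (top of chain)."""
    lines = ruleset.splitlines()
    own = [i for i, l in enumerate(lines) if l.startswith("-A %s " % rule.split()[1])]
    pos = {"insert": own[0], "append": own[-1] + 1}[action] if own else len(lines)
    lines.insert(pos, rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for a in ("append", "insert"):
        print(a, shadowed(add_rule(BASE_RULES, AGENT_RULE, a)) or "agent rule reachable")
```

On a host, the same check can be run against the saved output of `iptables -S` after the role has been applied.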

dj-wasabi commented 5 years ago

Hi @and-win

Thank you. Do we think it would help to make this configurable? Like setting a property that defaults to insert, which someone can override to append when needed? Or doesn't that make sense?

and-win commented 5 years ago

Hello Werner,

I believe it will be useful to have action: insert by default, changeable through a variable, something like {{ iptables_default_action }}

Thanks

dj-wasabi commented 5 years ago

Hi @and-win

Yes, I agree, but I would like to see it somehow prefixed with zabbix_agent_firewall, so it is consistent with the other iptables-related variables. Could you also add something to the documentation, so it is clear that it can be overridden?

Thanks! 👍

dj-wasabi commented 5 years ago

I'll make these changes, so we can create a release soon with this in it. Thanks! 👍