Add deny to private networks

v-kamerdinerov · Dec 24, 2024 · b0fb052 · b0fb052
1 parent a609ef3
commit b0fb052
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
@@ -134,3 +134,22 @@ common_xanmod_package_name: "linux-xanmod-x64v{{ current_level }}"
 
 # Default for firewall
 common_open_ports: ""
+common_closed_networks:
+# private networks
+  - "10.0.0.0/8"
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"
+# docs and examples
+  - "192.0.2.0/24"
+  - "198.51.100.0/24"
+  - "203.0.113.0/24"
+# CGNAT range
+  - "100.64.0.0/10"
+# link local range
+  - "169.254.0.0/16"
+# multicast
+  - "224.0.0.0/4"
+# reserver range
+  - "240.0.0.0/4"
+# IANA test range
+  - "198.18.0.0/15"
diff --git a/roles/common/tasks/ufw.yml b/roles/common/tasks/ufw.yml
@@ -18,6 +18,14 @@
   with_items:
     - "{{ change_sshd_port_configured_port }}"
 
+- name: "Common | {{ role | upper() }} | UFW | Deny outbound traffic to private networks"
+  community.general.ufw:
+    rule: deny
+    direction: out
+    to_ip: "{{ item }}"
+  with_items:
+    - "{{ common_closed_networks }}"
+
 - name: "Common | {{ role | upper() }} | UFW | Enable firewall service"
   community.general.ufw:
     state: enabled