Configure and enable local UFW firewall by default

dkobras · May 27, 2020 · 40bebbc · 40bebbc
1 parent 52a072d
commit 40bebbc
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -22,7 +22,8 @@ Requires Ansible >= 2.4.0
 To get up _BigBlueButton_ up and running the following variables can be configured:
 
   * `bbb_server_name`:  Set the FQDN hostname that points to the server where _BigBlueButton_ is going to be installed. This is the only mandatory value, the playbook will fail if this variable is not defined.
-  * `bbb_configure_nat`: Configure NAT support for servers behind a firewall (Default: `False`).
+  * `bbb_configure_firewall`: Configure local UFW firewall on server (Default: `True`).
+  * `bbb_configure_nat`: Configure NAT support for servers behind an external firewall (Default: `False`).
   * `bbb_configure_ssl`: Configure SSL support using _LetsEncrypt_ certificates (Default: `False`).
   * `bbb_ssl_email`: Set _LetsEncrypt_ authorization email address.
   * `bbb_install_html5`: Install the HTML5 client (Default: `True`).

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -6,8 +6,10 @@ bbb_install_playback_notes: True
 bbb_install_playback_podcast: True
 bbb_install_playback_screenshare: True
 bbb_install_webhooks: True
+bbb_install_greenlight: True
 bbb_install_demo: False
 bbb_install_check: False
+bbb_configure_firewall: True
 bbb_configure_nat: False
 bbb_configure_ssl: False
 bbb_ssl_webroot_path: /var/www/bigbluebutton-default

diff --git a/tasks/firewall.yml b/tasks/firewall.yml
@@ -0,0 +1,37 @@
+---
+- name: Install UFW firewall
+  apt:
+    name: ufw
+    state: present
+  tags:
+    - bbb_configure_ufw
+
+- name: Allow OpenSSH access in firewall
+  ufw:
+    rule: allow
+    name: OpenSSH
+  tags:
+    - bbb_configure_ufw
+
+- name: Allow HTTP/HTTPS access in firewall
+  ufw:
+    rule: allow
+    name: "Nginx Full"
+  tags:
+    - bbb_configure_ufw
+
+- name: Allow media connections in firewall
+  ufw:
+    rule: allow
+    proto: udp
+    port: 16384:32768
+  tags:
+    - bbb_configure_ufw
+
+- name: Enable firewall rules
+  ufw:
+    state: enabled
+    policy: deny
+  tags:
+    - bbb_enable_ufw
+
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -81,6 +81,12 @@
     - bbb-repositories
     - repositories
 
+# BigBlueButton UFW firewall configuration
+- include_tasks: firewall.yml
+  when: bbb_configure_firewall == True
+  tags:
+    - firewall
+
 - name: Check BigBlueButton is installed
   apt: name=bigbluebutton state=present
   tags: