From 29e63763cd4a3d1df869720434bc7d88a71e85d1 Mon Sep 17 00:00:00 2001
From: Mark Heiges
Date: Tue, 26 Apr 2016 11:20:52 -0400
Subject: [PATCH] firewalld block icmp timestamp responses
---
 roles/easyredmine/files/timestamp-reply.xml | 7 +++++++
 roles/easyredmine/files/timestamp-request.xml | 7 +++++++
 roles/easyredmine/tasks/firewall.yml | 20 +++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 roles/easyredmine/files/timestamp-reply.xml
 create mode 100644 roles/easyredmine/files/timestamp-request.xml
diff --git a/roles/easyredmine/files/timestamp-reply.xml b/roles/easyredmine/files/timestamp-reply.xml
new file mode 100644
index 0000000..dfeb975
--- /dev/null
+++ b/roles/easyredmine/files/timestamp-reply.xml
@@ -0,0 +1,7 @@
+
+ Timestamp Reply
+ This message is used to reply to a timestamp message.
+
+
+
diff --git a/roles/easyredmine/files/timestamp-request.xml b/roles/easyredmine/files/timestamp-request.xml
new file mode 100644
index 0000000..724b0e8
--- /dev/null
+++ b/roles/easyredmine/files/timestamp-request.xml
@@ -0,0 +1,7 @@
+
+ Timestamp Request
+ This message is used for time synchronization.
+
+
+
diff --git a/roles/easyredmine/tasks/firewall.yml b/roles/easyredmine/tasks/firewall.yml
index 2e53b1b..64ba79b 100644
--- a/roles/easyredmine/tasks/firewall.yml
+++ b/roles/easyredmine/tasks/firewall.yml
@@ -35,6 +35,26 @@ notify: restart firewalld
 when: is_production_vm == True
+- name: define new icmp types for timestamp responses
+ copy: dest='/etc/firewalld/icmptypes/{{ item }}.xml'
+ src='{{ item }}.xml'
+ sudo: yes
+ with_items:
+ - timestamp-reply
+ - timestamp-request
+
+- name: load new icmp types for timestamp responses
+ command: firewall-cmd --reload
+ sudo: yes
+
+- name: disable icmp timestamp responses
+ command: firewall-cmd --permanent --zone=public --add-icmp-block={{ item }}
+ sudo: yes
+ with_items:
+ - timestamp-reply
+ - timestamp-request
+ notify: restart firewalld
+
 - name: restart firewalld
 service: name=firewalld state=restarted
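Review bot: The new tasks are unguarded `command:` calls, so every play run re-executes `firewall-cmd --reload`, re-adds the blocks, reports `changed`, and fires the `restart firewalld` handler, and each `--reload` replaces the runtime configuration with the permanent one, discarding any runtime-only rules that may exist on a production host. Guard the `--add-icmp-block` task with a `--query-icmp-block` check so the add (and the resulting restart) only happen when a block is actually missing, and run the reload after the `copy` task only when a file changed (register the copy result, or make the reload a handler). The block is scoped to `--zone=public`, so it has no effect on interfaces assigned to any other zone; a comment such as `# assumes the external interfaces of this host are in the public zone` would make that intent explicit. `sudo: yes` is the pre-Ansible-1.9 spelling of `become: yes`. The task list continues beyond the hunk.
```yaml
# … unchanged: define new icmp types (copy) and reload …

- name: check whether icmp timestamp blocks are already configured
  command: firewall-cmd --permanent --zone=public --query-icmp-block={{ item }}
  become: yes
  register: icmp_block_query
  failed_when: false
  changed_when: false
  with_items:
    - timestamp-reply
    - timestamp-request

- name: disable icmp timestamp responses
  command: firewall-cmd --permanent --zone=public --add-icmp-block={{ item.item }}
  become: yes
  with_items: "{{ icmp_block_query.results }}"
  when: item.rc != 0
  notify: restart firewalld
```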