diff --git a/plays/firewall.yml b/plays/firewall.yml
index 79ba1112..f88b2bd8 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -1,9 +1,13 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: routeurs_vms
+- hosts: routeurs_vms !routeur-gulp.cachan-adm.crans.org
 roles:
 - logall
 
+- hosts: routeur-gulp.cachan-adm.crans.org
+ roles:
+ - logall-cachan
+
 - hosts: firewall
 vars:
 service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}"
diff --git a/roles/logall-cachan/tasks/main.yml b/roles/logall-cachan/tasks/main.yml
new file mode 100644
index 00000000..8a4b031d
--- /dev/null
+++ b/roles/logall-cachan/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Deploy firewall rsyslog
+ template:
+ src: rsyslog.d/10-firewall.conf.j2
+ dest: /etc/rsyslog.d/10-firewall.conf
+ mode: 0644
+ owner: root
+ group: root
+
+- name: Create firewall log directory
+ file:
+ path: /var/log/firewall
+ mode: 0755
+ owner: root
+ group: root
+ state: directory
+
+- name: Deploy firewall logrotate
+ template:
+ src: logrotate.d/firewall.j2
+ dest: /etc/logrotate.d/firewall
+ mode: 0644
+ owner: root
+ group: root
diff --git a/roles/logall-cachan/templates/logrotate.d/firewall.j2 b/roles/logall-cachan/templates/logrotate.d/firewall.j2
new file mode 100644
index 00000000..9948f3b8
--- /dev/null
+++ b/roles/logall-cachan/templates/logrotate.d/firewall.j2
@@ -0,0 +1,28 @@
+{{ ansible_header | comment }}
+
+/var/log/firewall/trace.log
+/var/log/firewall/filtre.log
+/var/log/firewall/iptables.err
+/var/log/firewall/iptables.log {
+ rotate 1
+ weekly
+ missingok
+ notifempty
+ compress
+ postrotate
+ /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+ endscript
+}
+/var/log/firewall/logall.log {
+ daily
+ compress
+ compresscmd /bin/bzip2
+ uncompresscmd /bin/bunzip2
+ compressext .bz2
+ rotate 365
+ notifempty
+ sharedscripts
+ postrotate
+ /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
+ endscript
+}
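Review bot: The new host pattern `routeurs_vms !routeur-gulp.cachan-adm.crans.org` separates the group and the exclusion with a space, while Ansible's documented separators are `:` and `,` (`hosts: routeurs_vms:!routeur-gulp.cachan-adm.crans.org`). As far as I recall, whitespace-separated patterns are only accepted through a fallback splitter kept for backwards compatibility, so the documented form is the safer one across Ansible versions. If the space form was verified to work on the pinned Ansible, a short comment saying so above the play would save the next reader the same check.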
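Review bot: Neither template task in roles/logall-cachan/tasks/main.yml notifies a handler, so a changed /etc/rsyslog.d/10-firewall.conf is written to disk but rsyslog keeps running with its previous configuration until something else restarts it; no handlers file is part of this diff. Add a handler that restarts or reloads rsyslog and reference it from the first task with `notify: Restart rsyslog` (the logrotate template needs no handler since logrotate re-reads its config on each run). The file modes are plain scalars (`mode: 0644`, `mode: 0755`); the leading zero makes the YAML parser read them as octal so they work today, but the quoted form `mode: "0644"` is what the Ansible docs and ansible-lint prefer and it survives a reformat that strips the leading zero.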
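Review bot: The first stanza of roles/logall-cachan/templates/logrotate.d/firewall.j2 groups four log files with a `postrotate` script but has no `sharedscripts`, so logrotate runs `invoke-rc.d rsyslog rotate` once per rotated file instead of once for the group; adding `sharedscripts` next to `missingok` matches what the logall.log stanza already does. The logall.log stanza in turn lacks `missingok`, so until rsyslog has written a first matching message the daily run reports an error for the absent file. Retention is also uneven: `rotate 1` with `weekly` keeps roughly two weeks of iptables.err and iptables.log while logall.log is kept for 365 days, which is worth confirming as intended for the firewall's own error log.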
diff --git a/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2 b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
new file mode 100644
index 00000000..61281ea9
--- /dev/null
+++ b/roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2
@@ -0,0 +1,32 @@
+{{ ansible_header | comment }}
+#$ModLoad imklog #Déjà présent dans rsyslog.conf
+
+# Messages du firewall (ie de sa génération)
+if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
+
+if $programname == 'firewall' then /var/log/firewall/iptables.log
+
+
+# kernel (facility = 0):
+# Discard broadcast (sinon trop de spam)
+# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
+# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
+# pas essayer)
+if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
+
+# LOG_ALL pour … je sais plus à quoi ça sert …
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+& ~
+
+# LOG_MAC_IP pour l'association mac_ip en ipv6
+if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
+
+# TRACE
+if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
+& ~
+
+# filtre.log était parsé par un script pour gérer les déconnexions
+#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
+#& ~
+
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
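Review bot: The files this config writes under /var/log/firewall are created with rsyslog's default file-creation mode (0644 on a stock install, unless a global $FileCreateMode is set elsewhere in the host's rsyslog config), and the directory task in the same role uses 0755, so packet logs carrying internal source addresses end up readable by every local account. Consider `$FileCreateMode 0640` near the top of this file and `mode: "0750"` on the directory, relaxed only if something other than root needs to read them. Separately, the `~` discard action used in `then ~` and `& ~` has been deprecated in favour of `stop` since rsyslog 7, so `& stop` / `then stop` is the current spelling if the target rsyslog is that recent. The `'SRC=172.16.'` match only covers 172.16.0.0/16 rather than the whole 172.16.0.0/12 private range; if that narrowing is intentional, a one-line comment saying so would help.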