From 871457000b1980d60600ec45847a6262e849b6d1 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Wed, 1 Oct 2025 16:36:14 +0200
Subject: [PATCH] ufw cannot be used for ICMP, so we use iptables

---
 roles/bastionhost/tasks/system_setup/firewall.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/bastionhost/tasks/system_setup/firewall.yml b/roles/bastionhost/tasks/system_setup/firewall.yml
index 27443d3..e7fdebd 100644
--- a/roles/bastionhost/tasks/system_setup/firewall.yml
+++ b/roles/bastionhost/tasks/system_setup/firewall.yml
@@ -16,6 +16,16 @@
     proto: tcp
     src: 'any'
 
+- name: system setup | firewall | allow ping (ICMP) from internal network via iptables rule
+  blockinfile:
+    path: /etc/ufw/user.rules
+    marker: "### {mark} ANSIBLE MANAGED BLOCK (ICMP for internal network)"
+    insertbefore: "^COMMIT"
+    block: |
+      # Allow incoming ICMP (ping) requests from internal network
+      -A ufw-user-input -p icmp --icmp-type echo-request -s 192.168.1.0/24 -j ACCEPT
+    notify: reload ufw firewall
+
 - name: system setup | firewall | allow other monitoring traffic from internal networks
   community.general.ufw:
     rule: allow
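Review bot: Hand-inserting a rule into /etc/ufw/user.rules is fragile, because ufw regenerates that file from its own rule store whenever a rule is added or removed, and the very next task (`community.general.ufw: rule: allow`) can do exactly that on a first run, silently dropping the managed block until a later play re-inserts it. The file ufw reserves for hand-maintained iptables rules is before.rules, so change `path: /etc/ufw/before.rules` and `-A ufw-before-input -p icmp --icmp-type echo-request -s 192.168.1.0/24 -j ACCEPT`; if that file ever gains a `*nat` table, `insertbefore: "^COMMIT"` would match the last COMMIT and land the rule in the wrong table, so anchor on the existing `ufw-before-input` ICMP lines instead. Note also that stock before.rules already accepts echo-request from any source on that chain, so unless the role strips that default elsewhere (not visible in this hunk) this rule adds nothing, and the commit title would be more accurate as "ufw CLI/module has no ICMP proto support". The `192.168.1.0/24` source is hard-coded while the neighbouring task talks about "internal networks"; take it from a role variable, e.g. `-s {{ bastion_internal_network }}`, so the two tasks cannot drift apart. Whether a `reload ufw firewall` handler exists is outside this hunk.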