From 36d88eb220c88f20bc123110dc6cea682450b7b6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 4 Aug 2016 16:56:59 +0200
Subject: [PATCH] library/roles/iptables/templates/iptables-rules.v4.j2: Do not duplicate the http (port 80) rule when letsencrypt is active.

---
 iptables/templates/iptables-rules.v4.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index a9ebe483..139df04e 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -32,7 +32,7 @@
 {% endfor %}
 {% endif %}
 {% else %}
-# ssh is always open. We use denyhosts to prevent unauthorized accesses
+# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 {% endif %}
 {% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
@@ -41,9 +41,11 @@
 -A INPUT -s {{ network.nmis }} -j ACCEPT
 -A INPUT -s {{ network.eduroam }} -j ACCEPT
 {% endif %}
+{% if http_port is not defined %}
 {% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
 {% endif %}
+{% endif %}
 {% if http_port is defined %}
 # http
 {% if http_allowed_hosts is defined %}
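Review bot: The new `{% if http_port is not defined %}` guard in the second hunk suppresses the letsencrypt port-80 ACCEPT for every host that defines `http_port`, not only for those where the `http_port` block would render the same rule. If `http_port` is set to a value other than 80, or if the block that follows restricts sources when `http_allowed_hosts` is defined (that block's body is outside the hunk, so this is inferred from its header), the ACME HTTP-01 validation traffic on port 80 is dropped and certificate issuance or renewal fails without any change visible in the rendered ruleset. Suppressing the rule only when it is a true duplicate keeps the intent of the commit while preserving the challenge path: `{% if http_port is not defined or http_port != 80 %}`. A short comment above the guard such as `# port 80 must stay reachable from any source for the ACME challenge; skip only when the http block below opens it anyway` would make the dependency between the two blocks explicit for the next maintainer. The `{% if http_port is defined %}` block that starts at the end of the hunk continues outside it.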