support closed ssh range

roles/baseline/templates/firewall.j2

@@ -20,11 +20,16 @@ iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 iptables -A INPUT -p icmp -j ACCEPT
 
+{% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv4" %}
 iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
+{% else %}
+# This server has an open ssh policy
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+{% endif %}
 
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state INVALID -j DROP
@@ -48,11 +53,16 @@ ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
 ip6tables -A INPUT -p icmpv6 -j ACCEPT
 
+{% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv6" %}
 ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
+{% else %}
+# This server has an open ssh policy
+ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
+{% endif %}
 
 ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -m state --state INVALID -j DROP