community.general.ufw (0.1.4) — module

Manage firewall with UFW

Authors: Aleksey Ovcharenko (@ovcharenko), Jarno Keskikangas (@pyykkis), Ahti Kitsik (@ahtik)

Install with: ansible-galaxy collection install community.general:==0.1.4

To pin the collection in requirements.yml:

```yaml
collections:
  - name: community.general
    version: 0.1.4
```

Synopsis

Manage firewall with UFW.
Examples

```yaml
- name: Allow everything and enable UFW
  ufw:
    state: enabled
    policy: allow

- name: Set logging
  ufw:
    logging: 'on'

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
    rule: reject
    port: auth
    log: yes

# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- ufw:
    rule: limit
    port: ssh
    proto: tcp

# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
- ufw:
    rule: allow
    name: OpenSSH

- name: Delete OpenSSH rule
  ufw:
    rule: allow
    name: OpenSSH
    delete: yes

- name: Deny all access to port 53
  ufw:
    rule: deny
    port: '53'

- name: Allow port range 60000-61000
  ufw:
    rule: allow
    port: 60000:61000
    proto: tcp

- name: Allow all access to tcp port 80
  ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: Allow all access from RFC1918 networks to this host
  ufw:
    rule: allow
    src: '{{ item }}'
  loop:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16

- name: Deny access to udp port 514 from host 1.2.3.4 and include a comment
  ufw:
    rule: deny
    proto: udp
    src: 1.2.3.4
    port: '514'
    comment: Block syslog

- name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
  ufw:
    rule: allow
    interface: eth0
    direction: in
    proto: udp
    src: 1.2.3.5
    from_port: '5469'
    dest: 1.2.3.4
    to_port: '5469'

# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- name: Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host
  ufw:
    rule: deny
    proto: tcp
    src: 2001:db8::/32
    port: '25'

- name: Deny all IPv6 traffic to tcp port 20 on this host
  # this should be the first IPv6 rule
  ufw:
    rule: deny
    proto: tcp
    port: '20'
    to_ip: "::"
    insert: 0
    insert_relative_to: first-ipv6

- name: Deny all IPv4 traffic to tcp port 20 on this host
  # This should be the third to last IPv4 rule
  # (insert: -1 addresses the second to last IPv4 rule;
  # so the new rule will be inserted before the second
  # to last IPv4 rule, and will become the third to last
  # IPv4 rule.)
  ufw:
    rule: deny
    proto: tcp
    port: '20'
    to_ip: 0.0.0.0/0   # an IPv4 destination keeps this an IPv4-only rule
    insert: -1
    insert_relative_to: last-ipv4

# Can be used to further restrict a global FORWARD policy set to allow
- name: Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24
  ufw:
    rule: deny
    route: yes
    src: 1.2.3.0/24
    dest: 4.5.6.0/24
```
Parameters

comment (str)
  Add a comment to the rule. Requires UFW version >=0.35.

default (str; aliases: policy; choices: allow, deny, reject)
  Change the default policy for incoming or outgoing traffic.

delete (bool)
  Delete rule.

direction (str; choices: in, incoming, out, outgoing, routed)
  Select direction for a rule or default policy command. Mutually exclusive with I(interface_in) and I(interface_out).

from_ip (str; aliases: from, src; default: any)
  Source IP address.

from_port (str)
  Source port.

insert (int)
  Insert the corresponding rule as rule number NUM. Note that ufw numbers rules starting with 1.

insert_relative_to (str; choices: first-ipv4, first-ipv6, last-ipv4, last-ipv6, zero; default: zero)
  Interprets the index in I(insert) relative to a position.
  - C(zero) interprets the rule number as an absolute index (i.e. 1 is the first rule).
  - C(first-ipv4) interprets the rule number relative to the index of the first IPv4 rule, or relative to the position where the first IPv4 rule would be if there is currently none.
  - C(last-ipv4) interprets the rule number relative to the index of the last IPv4 rule, or relative to the position where the last IPv4 rule would be if there is currently none.
  - C(first-ipv6) interprets the rule number relative to the index of the first IPv6 rule, or relative to the position where the first IPv6 rule would be if there is currently none.
  - C(last-ipv6) interprets the rule number relative to the index of the last IPv6 rule, or relative to the position where the last IPv6 rule would be if there is currently none.

interface (str; aliases: if)
  Specify interface for the rule. The direction (in or out) used for the interface depends on the value of I(direction). See I(interface_in) and I(interface_out) for routed rules that need to supply both an input and an output interface. Mutually exclusive with I(interface_in) and I(interface_out).

interface_in (str; aliases: if_in; added in community.general 0.2.0)
  Specify input interface for the rule. This is mutually exclusive with I(direction) and I(interface). However, it is compatible with I(interface_out) for routed rules.

interface_out (str; aliases: if_out; added in community.general 0.2.0)
  Specify output interface for the rule. This is mutually exclusive with I(direction) and I(interface). However, it is compatible with I(interface_in) for routed rules.

log (bool)
  Log new connections matched to this rule.

logging (str; choices: on, off, low, medium, high, full)
  Toggles logging. Logged packets use the LOG_KERN syslog facility.

name (str; aliases: app)
  Use profile located in C(/etc/ufw/applications.d).

proto (str; aliases: protocol; choices: any, tcp, udp, ipv6, esp, ah, gre, igmp)
  TCP/IP protocol.

route (bool)
  Apply the rule to routed/forwarded packets.

rule (str; choices: allow, deny, limit, reject)
  Add firewall rule.

state (str; choices: disabled, enabled, reloaded, reset)
  - C(enabled) reloads firewall and enables firewall on boot.
  - C(disabled) unloads firewall and disables firewall on boot.
  - C(reloaded) reloads firewall.
  - C(reset) disables and resets firewall to installation defaults.

to_ip (str; aliases: dest, to; default: any)
  Destination IP address.

to_port (str; aliases: port)
  Destination port.
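The relative-index semantics of I(insert) and I(insert_relative_to) described above, and used by the two "tcp port 20" examples earlier on this page, are easiest to see as a small resolver. The following is an added example, not the module's own code: it parses a constructed `ufw status numbered` listing, relying only on the `[ N]` numbering and the `(v6)` marker ufw prints on IPv6 rules, and returns the absolute rule number a relative insert maps to.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `ufw status numbered` output (not captured from a real host).
SAMPLE_STATUS = """\
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 53                         DENY IN     Anywhere
[ 4] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 53 (v6)                    DENY IN     Anywhere (v6)
"""

_NUMBERED = re.compile(r"^\[ *([0-9]+)\] ")

def parse_numbered(status: str) -> List[Tuple[int, bool]]:
    """Return (rule_number, is_ipv6) for every numbered rule line; ufw tags IPv6 rules with '(v6)'."""
    rules = []
    for line in status.splitlines():
        m = _NUMBERED.match(line)
        if m:
            rules.append((int(m.group(1)), "(v6)" in line))
    return rules

def resolve_insert(status: str, insert: int, relative_to: str = "zero") -> Optional[int]:
    """Map (insert, insert_relative_to) onto the absolute 1-based number given to `ufw insert`."""
    # A position past the last existing rule is returned as None: ufw rejects
    # such an insert position, so the rule would have to be appended instead.
    if relative_to == "zero":
        return insert                          # absolute index, passed through unchanged
    rules = parse_numbered(status)
    ipv4 = [no for no, v6 in rules if not v6]
    ipv6 = [no for no, v6 in rules if v6]
    last = max((no for no, _ in rules), default=0)
    if relative_to == "first-ipv4":
        base = 1                               # IPv4 rules always precede IPv6 rules
    elif relative_to == "last-ipv4":
        base = max(ipv4) if ipv4 else 1
    elif relative_to == "first-ipv6":
        base = max(ipv4) + 1 if ipv4 else 1    # first slot after the IPv4 block
    elif relative_to == "last-ipv6":
        base = last if ipv6 else last + 1
    else:
        raise ValueError("unknown insert_relative_to: %s" % relative_to)
    target = insert + base
    return None if target > last else target
```

On the sample listing, insert: -1 with last-ipv4 resolves to rule number 2, so the new rule lands before the second-to-last IPv4 rule and becomes the third-to-last, exactly as the page's example comment describes.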