ansibleguy.linux_ufw
DEPRECATED
Using UFW for automation doesn’t really make sense.
It adds unnecessary complexity when changing just one rule!
I don't think it’s a tool meant for automation.
Instead, I suggest using NFTables: ansibleguy.infra_nftables
Ansible Role - Uncomplicated Firewall (UFW)
This is an Ansible role to install and configure the software firewall 'UFW' on a Debian-based Linux server.
Tested On:
- Debian 11
Install
# Install the latest version
ansible-galaxy role install git+https://github.com/ansibleguy/linux_ufw
# Install from galaxy
ansible-galaxy install ansibleguy.linux_ufw
# Or install to a custom role path
ansible-galaxy install ansibleguy.linux_ufw --roles-path ./roles
# Install dependencies
ansible-galaxy install -r requirements.yml
Functionality
This Ansible role will perform the following:
Package Installation
- UFW
Configuration
Allows you to set rules in two modes:
- Stateful (default)
  - Keeps existing rules and modifies them based on the given state.
  - Checks if an SSH rule exists.
- Stateless
  - Resets the rules each time before applying new ones.
Info
Note: You can choose to enable or disable most features of this role.
For a complete list of options, check the default configuration in the main defaults-file.
Note: This role currently works only on Debian-based systems.
Warning: Not all settings/variables are checked for validity. Poor configurations may break the role!
Usage
Want a simple Ansible GUI? Check out my Ansible WebUI.
Configuration
Define the 'ufw_rules' dictionary as needed:

ufw_rules:
  ruleShortName:
    rule: 'allow'      # defaults to 'allow' if empty
    port: 80
    proto: 'tcp'
    log: 'no'          # defaults to 'no' if empty
    from_ip: 'any'     # defaults to 'any' if empty
    to_ip: 'any'       # defaults to 'any' if empty
    direction: 'in'    # defaults to 'in' if empty
    present: true      # defaults to 'true' if empty; used for stateful rule checking
    position: 2        # specify the rule's position in the ruleset
    comment: 'Optional comment to replace the default'

Or use a more compact format:

ufw_rules: {
  ruleShortName: {rule: 'allow', port: 80, proto: 'tcp', log: 'no', from_ip: 'any', to_ip: 'any', direction: 'in', state: 'present', position: 2, comment: 'Optional comment to replace the default'}
}
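To make the rule dictionary above concrete, here is an added example (not code from the role itself) that renders such a 'ufw_rules' dictionary into the equivalent ufw CLI commands, applying the documented defaults, and reproduces the stateful-mode sanity check that an SSH rule still exists after the run. The mapping onto ufw syntax and the `ssh_rule_present` check are assumptions made for this illustration; the sample rules are constructed from the README's own example.

```python
"""Render an `ufw_rules` dictionary into ufw CLI commands and check that an
inbound SSH rule survives the change set.

Added illustration, not the ansibleguy.linux_ufw role's own code. The
defaults mirror the README (rule=allow, log=no, from_ip/to_ip=any,
direction=in, present=true); the CLI rendering is an assumed mapping that
follows the argument order of ufw's man page.
"""
from typing import Dict, List

DEFAULTS = {"rule": "allow", "log": "no", "from_ip": "any", "to_ip": "any",
            "direction": "in", "present": True}


def normalize(name: str, spec: dict) -> dict:
    """Fill in README defaults and reconcile the two removal spellings
    ("present: false" and "state: 'absent'") into one boolean."""
    rule = {**DEFAULTS, **spec, "name": name}
    if "state" in rule:
        rule["present"] = rule["state"] != "absent"
    rule["log"] = str(rule["log"]).lower() in ("true", "yes", "on", "1")
    rule["comment"] = rule.get("comment") or f"Ansible managed - {name}"
    return rule


def to_ufw_command(rule: dict) -> str:
    """Render one normalized rule as a ufw invocation (assumed mapping)."""
    parts = ["ufw"]
    if not rule["present"]:
        parts.append("delete")            # removal re-uses the rule syntax
    elif rule.get("position"):
        parts += ["insert", str(rule["position"])]
    parts += [rule["rule"], rule["direction"]]
    if rule["log"]:
        parts.append("log")
    if rule.get("proto"):
        parts += ["proto", str(rule["proto"])]
    parts += ["from", str(rule["from_ip"]), "to", str(rule["to_ip"])]
    if rule.get("port") is not None:      # 'port' is the destination port
        parts += ["port", str(rule["port"])]
    parts += ["comment", f"'{rule['comment']}'"]
    return " ".join(parts)


def render(ufw_rules: Dict[str, dict]) -> List[str]:
    """Commands in dictionary order, one per rule."""
    return [to_ufw_command(normalize(n, s)) for n, s in ufw_rules.items()]


def ssh_rule_present(ufw_rules: Dict[str, dict], ssh_port: int = 22) -> bool:
    """Lock-out guard: is there an inbound allow/limit rule for the SSH port
    that is still present after the run? (Assumed check, modelled on the
    README's "checks if an SSH rule exists".)"""
    for name, spec in ufw_rules.items():
        r = normalize(name, spec)
        if (r["present"] and r["direction"] == "in"
                and r["rule"] in ("allow", "limit")
                and str(r.get("port")) == str(ssh_port)
                and r.get("proto") in (None, "tcp", "any")):
            return True
    return False


# Constructed sample, taken from the README's example configuration.
SAMPLE_RULES = {
    "SecShöl": {"port": 22, "proto": "tcp", "log": True, "rule": "limit"},
    "SecureLink": {"port": "54038:54085", "proto": "udp", "log": True,
                   "from_ip": "192.168.194.0/28"},
    "ipsecESP": {"proto": "esp", "from_ip": "10.10.10.1",
                 "to_ip": "10.10.20.254"},
    "denyNtpOutgoing": {"port": 123, "proto": "udp", "rule": "deny",
                        "direction": "out"},
    "confusedService": {"port": 7424, "proto": "tcp", "state": "absent"},
    "nothingImportant": {"port": 7429, "proto": "tcp", "log": True,
                         "present": False},
}

if __name__ == "__main__":
    for cmd in render(SAMPLE_RULES):
        print(cmd)
    print("SSH rule present:", ssh_rule_present(SAMPLE_RULES))
```

Run it to see the commands a stateful run would issue; drop the 'SecShöl' entry (or set `present: false` on it) and `ssh_rule_present` flips to False, which is exactly the situation the role's SSH check is there to catch before a remote host becomes unreachable.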
Execution
Run the playbook with:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
The UFW task used is 'community.general.ufw'.
Example
Before Configuration:

guy@ansible:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 7424/tcp                   ALLOW IN    Anywhere                   # Ansible managed - confusedService
[ 2] 7429/tcp                   ALLOW IN    Anywhere (log)             # Ansible managed - nothingImportant
Configuration:

ufw_rules:
  # Incoming traffic settings
  SecShöl:
    port: 22
    proto: 'tcp'
    log: true
    rule: 'limit'
  RandomWebServer:
    port: 8482
    proto: 'tcp'
  SecureLink:
    port: '54038:54085'
    proto: 'udp'
    log: true
    from_ip: '192.168.194.0/28'
  ipsecESP:
    proto: 'esp'
    from_ip: '10.10.10.1'
    to_ip: '10.10.20.254'
  ipsecIKE:
    port: '500,4500'
    proto: 'udp'
    from_ip: '10.10.10.1'
    to_ip: '10.10.20.254'
  # Outgoing traffic restrictions
  denyNtpOutgoing:
    port: 123
    proto: 'udp'
    rule: 'deny'
    direction: 'out'
  # Remove these rules:
  confusedService:
    port: 7424
    proto: 'tcp'
    state: 'absent'
  nothingImportant:
    port: 7429
    proto: 'tcp'
    log: true
    present: false
Result After Configuration:

guy@ansible:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere (log)             # Ansible managed - SecShöl
[ 2] 8482/tcp                   ALLOW IN    Anywhere                   # Ansible managed - RandomWebServer
[ 3] 54038:54085/udp            ALLOW IN    192.168.194.0/28 (log)     # Ansible managed - SecureLink
[ 4] 10.10.20.254/esp           ALLOW IN    10.10.10.1/esp             # Ansible managed - ipsecESP
[ 5] 10.10.20.254 500,4500/udp  ALLOW IN    10.10.10.1                 # Ansible managed - ipsecIKE
[ 6] 123/udp                    DENY OUT    Anywhere (out)             # Ansible managed - denyNtpOutgoing