ufw
ansible-ufw
ansible-ufw provides a high-level, service-based interface for configuring the Uncomplicated Firewall (UFW).
Requirements
ansible-ufw requires:
- Ansible 1.9+
- Debian, Ubuntu, or other distribution providing the UFW package
Installation
Install from Ansible Galaxy.
ansible-galaxy install benwebber.ufw
Usage
ansible-ufw provides atomic service firewall definitions that allow you to build a host's firewall iteratively.
For example, to allow Redis connections on a private interface:
- roles:
# Install UFW and configure the base policy. Include `benwebber.ufw` with no parameters.
- benwebber.ufw
# Open Redis (6379/tcp) on eth1.
- role: benwebber.ufw
service: redis
interfaces:
- eth1
When you apply the roles above, you'll see the following output:
TASK: [benwebber.ufw | install ufw] *****************************************************
ok: [redis1.example.org]
TASK: [benwebber.ufw | configure ufw logging] *******************************************
ok: [redis1.example.org]
TASK: [benwebber.ufw | set base ufw policy] *********************************************
ok: [redis1.example.org]
TASK: [benwebber.ufw | open 22/tcp ssh] *************************************************
ok: [redis1.example.org] => (item=eth0)
TASK: [benwebber.ufw | open 6379/tcp redis] *********************************************
ok: [redis1.example.org] => (item=eth1)
See tasks/services/
for included services. Pull requests gladly accepted.
Assumptions
ansible-ufw makes the following assumptions:
- Hosts deny all incoming traffic by default.
- The default public interface is
eth0
. - SSH should be available on the default public interface.
All assumptions can be overridden by local variables.
Services
Examples
Install UFW and configure the base policy.
- roles:
- benwebber.ufw
Allow SSH traffic on the default interface (eth0
). This task is part of the base policy.
- roles:
- benwebber.ufw
- role: benwebber.ufw
service: ssh
Allow HTTP traffic on multiple interfaces.
- roles:
- benwebber.ufw
- role: benwebber.ufw
service: http
interfaces:
- eth0
- eth1
Deny DNS traffic on the default interface (eth0
).
- roles:
- benwebber.ufw
- role: benwebber.ufw
service: domain
delete: true
Create a custom rule using the special local
service.
- roles:
- benwebber.ufw
- role: benwebber.ufw
service: local
port: 24816
proto: udp
interfaces:
- eth1
Role variables
The following variable defaults are defined in defaults/main.yml
. The default values are shown in brackets.
ufw_default_direction
default direction to secure (
incoming
)ufw_default_policy
default traffic policy (
deny
)ufw_default_state
default firewall state (
enabled
)ufw_interfaces
list of default interfaces to control (
['eth0']
)ufw_logging
whether firewall logging is enabled, and at what level (
off
)ufw_open_ssh
whether to open SSH on the default interface by default (
true
)ufw_service_default_direction
default direction to secure for services (
in
)ufw_service_default_rule
default rule to apply to services (
allow
)
See the ufw module documentation for more details.
Contributing
Please feel free to submit pull requests for new services or general improvements.
License
MIT
ansible-galaxy install benwebber/ansible-ufw