Firewall Ansible role for Debian/Ubuntu

Very simple firewall for Debian/Ubuntu with UFW.

It uses UFW default policies:

INPUT: DROP
OUTPUT: ACCEPT
FORWARD : ACCEPT

In this role, you manage "INPUT" chain. FORWARD/OUTPUT will be managed in further versions.

Do NOT use this role, if you manage your own firewall!

Do NOT forget to open your SSH port if you don't use firewall_auto_open_ssh!

Requirements

Ansible >= 2.11
Collections: community.general / ansible.netcommon

Role Variables

Common

firewall_open_tcp_ports: Input TCP open ports list
firewall_open_udp_ports: Input UDP open ports list

UFW Configuration

firewall_ipv6: Enable/disable IPv6 support (default is true)
firewall_reset: Reset all rules (it breaks idempotence!). Usefull when you want to clean and recreate all rules.
firewall_logging: iptables loglevel (values: on/off/low/medium/high/full, default is low)
firewall_modules: kernel modules list (useful when you need NAT+FTP). For now, you don't need to add modules (default is empty list)

Firewall

firewall_auto_open_ssh: auto open current SSH port (default: true)
firewall_whitelisted_hosts: whitelisted hosts (IP) list
firewall_blacklisted_hosts: backlisted hosts (IP) list
firewall_custom_rules: custom rule list (see bellow)

DNS

firewall_whitelisted_dns: whitelisted hosts (IPv4 & IPv6) list
firewall_blacklisted_dns: backlisted hosts (IPv4 & IPv6) list

Please note, DNS requests is done before insert UFW rules. You must not use this feature with a Dyn-DNS solution.

About custom rule

Custom rule is a hash. Check UFW module doc. Please note routed feature is available with UFW 0.34+ (Stretch).

Dependencies

None.

Example Playbook

Simple webserver

- hosts: web-servers
  vars:
    firewall_open_tcp_ports: [80, 443]
  roles:
     - { role: HanXHX.firewall }

Simple MySQL/MariaDB server

Only webservers (10.0.15.0/24) and whitelisted hosts (10.255.0.12) can connect to MySQL:

- hosts: mysql-servers
  vars:
    firewall_whitelisted_hosts:
      - '10.255.0.12'
    firewall_custom_rules:
      - proto: 'tcp'
        port: '3306'
        host: '10.0.15.0/24'
        policy: 'allow'
  roles:
     - { role: HanXHX.firewall }

License

GPLv2

Donation

If this code helped you, or if you’ve used them for your projects, feel free to buy me some 🍻

Bitcoin: 1BQwhBeszzWbUTyK4aUyq3SRg7rBSHcEQn
Ethereum: 63abe6b2648fd892816d87a31e3d9d4365a737b5
Litecoin: LeNDw34zQLX84VvhCGADNvHMEgb5QyFXyD
Monero: 45wbf7VdQAZS5EWUrPhen7Wo4hy7Pa7c7ZBdaWQSRowtd3CZ5vpVw5nTPphTuqVQrnYZC72FXDYyfP31uJmfSQ6qRXFy3bQ

No crypto-currency? ⭐ the project is also a way of saying thank you! 😎

Name		Name	Last commit message	Last commit date
Latest commit History 41 Commits
defaults		defaults
handlers		handlers
meta		meta
tasks		tasks
tests		tests
.ansible-lint		.ansible-lint
.gitignore		.gitignore
.travis.yml		.travis.yml
.yamllint.yml		.yamllint.yml
LICENSE		LICENSE
README.md		README.md
Vagrantfile		Vagrantfile

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Firewall Ansible role for Debian/Ubuntu

Requirements

Role Variables

Common

UFW Configuration

Firewall

DNS

About custom rule

Dependencies

Example Playbook

Simple webserver

Simple MySQL/MariaDB server

License

Donation

Author Information

About

Releases

Packages

Contributors 2

License

HanXHX/ansible-firewall

Folders and files

Latest commit

History

Repository files navigation

Firewall Ansible role for Debian/Ubuntu

Requirements

Role Variables

Common

UFW Configuration

Firewall

DNS

About custom rule

Dependencies

Example Playbook

Simple webserver

Simple MySQL/MariaDB server

License

Donation

Author Information

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 2

Packages