An Ansible role to configure the Ubuntu UFW - Uncomplicated Firewall on Debian and Ubuntu.
An example configuration to only allow SSH and web traffic on ports 80 and 443 using IPv4 and to deny all other traffic:

```yaml
ufw: true
ufw_allow_rules:
  - app: OpenSSH
  - app: WWW Full
ufw_config:
  - path: /etc/default/ufw
    conf:
      IPV6: "no"
ufw_default_policy_deny: true
```
Note that this role can't currently be used to delete rules; see the notes below for how to check and delete UFW and other iptables rules.

See the `defaults/main.yml` file for the default variables, the `vars/main.yml` file for the preset variables and the `meta/argument_specs.yml` file for the variable specification.
A boolean, when `ufw` is `true` the tasks in this role will be run.
A list of UFW allow rules, each item in the list must either have an `app` or `port` variable, additional optional variables are `from_ip` and `proto`, for example:

```yaml
ufw_allow_rules:
  - app: WWW Full
  - port: 2222
    proto: tcp
    comment: SSH
```
A string, the name of the app, it must match one of those listed using `ufw app list`.
An optional comment that is shown at the end of the rule line, this is appended after `Ansible rule`, for example:

```yaml
ufw_allow_rules:
  - port: 64896
    proto: udp
    comment: foo
```

```bash
ufw status
Status: active

To                         Action      From
--                         ------      ----
64896/udp                  ALLOW       Anywhere                   # Ansible rule foo
```
An optional string to use with the `from_ip` parameter of the `community.general.ufw` module.
An optional string containing a port number or a range of ports separated with a colon.
An optional list of UFW application profiles to create or edit in the `/etc/ufw/applications.d/` directory, each item in the list requires an `app` for the application name, title and file name if `path` is not specified, a `desc` for the application description and a `ports` string. See the application integration section of the UFW manpage and the following example:

```yaml
ufw_apps:
  - app: MariaDB
    desc: The open source relational database.
    ports: 3306/tcp
```

Will generate a file at `/etc/ufw/applications.d/mariadb` with the contents:

```ini
# Ansible managed
[MariaDB]
title=MariaDB
description=The open source relational database.
ports=3306/tcp
# vim: syntax=dosini
```
A required string, the application name, which is also used as the application title (note that if this role is used to edit existing apps they might have a `title` that doesn't match the `app` name).
A string, an optional application description, the title is used if a description is not provided and if neither is provided the application name is used.
A string, an optional full path to the application file, if one is not provided then the application name, lower cased and with special characters removed, is used as the filename.
A string, a `|`-separated list of ports/protocols where the protocol is optional. A comma-separated list or a range (specified with 'start:end') may also be used to specify multiple ports, in which case the protocol is required, see the examples in the application integration section of the UFW manpage.
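The profile rendering that the `ufw_apps` section describes (file name derivation, description fallback and the ports-string rules), as an added Python example that is not part of the role; the `MARIADB` item is constructed from the README example above, and the helper names are assumptions:

```python
import configparser
import re

# Constructed ufw_apps item, taken from the README example above
MARIADB = {"app": "MariaDB", "desc": "The open source relational database.", "ports": "3306/tcp"}

# One `|`-separated element: a port, comma list or start:end range, plus optional /tcp or /udp
PORT_SPEC_RE = re.compile(r"^(\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*)(?:/(tcp|udp))?$")


def valid_ports(ports):
    """README rule: a comma list or a range needs the protocol, a single port
    may omit it; every port number must be within 1-65535."""
    for element in ports.split("|"):
        m = PORT_SPEC_RE.match(element)
        if m is None:
            return False
        spec, proto = m.groups()
        if ("," in spec or ":" in spec) and proto is None:
            return False
        if not all(1 <= int(n) <= 65535 for n in re.split(r"[,:]", spec)):
            return False
    return True


def profile_path(item):
    """Explicit `path`, else the app name lower-cased with special characters removed."""
    if item.get("path"):
        return item["path"]
    return "/etc/ufw/applications.d/" + re.sub(r"[^a-z0-9]", "", item["app"].lower())


def render_profile(item):
    """Return the INI text shown in the README for the item (the title is the app name)."""
    if not valid_ports(item["ports"]):
        raise ValueError(f"bad ports string for {item['app']}: {item['ports']}")
    description = item.get("desc") or item["app"]  # title (= app name) is the fallback
    lines = ["# Ansible managed", f"[{item['app']}]", f"title={item['app']}",
             f"description={description}", f"ports={item['ports']}", "# vim: syntax=dosini"]
    return "\n".join(lines) + "\n"


def read_profile(text):
    """Parse a rendered profile back as an INI reader (and ufw) would see it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}
```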
An optional list of INI configuration files and configuration to update, see the configuration files documentation below, each item in the list requires a `path` and a `conf` dictionary. For example:

```yaml
ufw_config:
  - path: /etc/default/ufw
    conf:
      IPV6: "no"
```

Will result in `/etc/default/ufw` containing:

```
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no
```
A string, the full path to the configuration file.
A dictionary, variables and values that should be present in the configuration file.
An optional list of UFW disallow rules, each item in the list must either have an `app` or `port` variable, additional optional variables are `from_ip` and `proto`.
A string, the name of the app, it must match one of those listed using `ufw app list`.
An optional comment that is shown at the end of the rule line.
An optional string to use with the `from_ip` parameter of the `community.general.ufw` module.
An optional string containing a port number or a range of ports separated with a colon.
A boolean, when `true` set the default policy to deny connections.
A list of packages to install.
A boolean, verify variables that start with `ufw_`.
UFW configuration files that use the INI format can be created, deleted and updated using this role, see the `ufw-framework` man page.
The `/etc/default/ufw` high level configuration file can be configured using an item in the `ufw_config` list, the existing config can be read as YAML using:

```bash
cat /etc/default/ufw | jc --ini -yp
```

```yaml
---
IPV6: yes
DEFAULT_INPUT_POLICY: DROP
DEFAULT_OUTPUT_POLICY: ACCEPT
DEFAULT_FORWARD_POLICY: DROP
DEFAULT_APPLICATION_POLICY: SKIP
MANAGE_BUILTINS: no
IPT_SYSCTL: /etc/ufw/sysctl.conf
IPT_MODULES: ''
```
The `/etc/ufw/sysctl.conf` kernel network tunables file can be configured using an item in the `ufw_config` list, the existing config can be read as YAML using:

```bash
cat /etc/ufw/sysctl.conf | jc --ini -yp
```

```yaml
---
net/ipv4/conf/all/accept_redirects: '0'
net/ipv4/conf/default/accept_redirects: '0'
net/ipv6/conf/all/accept_redirects: '0'
net/ipv6/conf/default/accept_redirects: '0'
net/ipv4/icmp_echo_ignore_broadcasts: '1'
net/ipv4/icmp_ignore_bogus_error_responses: '1'
net/ipv4/icmp_echo_ignore_all: '0'
net/ipv4/conf/all/log_martians: '0'
net/ipv4/conf/default/log_martians: '0'
```
The `/etc/ufw/ufw.conf` additional high level configuration file can be configured using an item in the `ufw_config` list, the existing config can be read as YAML using:

```bash
cat /etc/ufw/ufw.conf | jc --ini -yp
```

```yaml
---
ENABLED: no
LOGLEVEL: low
```
UFW application integration profiles in the `/etc/ufw/applications.d/*` directory can be configured using the `ufw_apps` list, the existing config can be read as YAML using:

```bash
cat /etc/ufw/applications.d/* | jc --ini -yp
```

```yaml
---
CUPS:
  title: Common UNIX Printing System server
  description: CUPS is a printing system with support for IPP, samba, lpd, and other protocols.
  ports: '631'
mosh:
  title: Mosh (mobile shell)
  description: Mobile shell that supports roaming and intelligent local echo
  ports: 60000:61000/udp
OpenSSH:
  title: Secure shell server, an rshd replacement
  description: OpenSSH is a free implementation of the Secure Shell protocol.
  ports: 22/tcp
```
Update UFW directly, deleting firewall rules:

```bash
ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere                   # Ansible rule
[ 2] WWW Full                   ALLOW IN    Anywhere                   # Ansible rule
[ 3] Turnserver                 ALLOW IN    Anywhere                   # Ansible rule
[ 4] WWW Cache                  ALLOW IN    Anywhere                   # Ansible rule
[ 5] RabbitMQ                   ALLOW IN    127.0.0.1                  # Ansible rule
[ 6] Munin                      ALLOW IN    81.95.52.37                # Ansible rule
[ 7] Icinga                     ALLOW IN    81.95.52.42                # Ansible rule
[ 8] MariaDB                    ALLOW IN    127.0.0.1                  # Ansible rule
[ 9] Redis                      ALLOW IN    127.0.0.1                  # Ansible rule
[10] Nextcloud Notify Push      ALLOW IN    127.0.0.1                  # Ansible rule
[11] WWW Cache                  ALLOW IN    127.0.0.1                  # Ansible rule
ufw delete 4
Deleting:
 allow 'WWW Cache' comment 'Ansible rule'
Proceed with operation (y|n)? y
Rule deleted
ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere                   # Ansible rule
[ 2] WWW Full                   ALLOW IN    Anywhere                   # Ansible rule
[ 3] Turnserver                 ALLOW IN    Anywhere                   # Ansible rule
[ 4] RabbitMQ                   ALLOW IN    127.0.0.1                  # Ansible rule
[ 5] Munin                      ALLOW IN    81.95.52.37                # Ansible rule
[ 6] Icinga                     ALLOW IN    81.95.52.42                # Ansible rule
[ 7] MariaDB                    ALLOW IN    127.0.0.1                  # Ansible rule
[ 8] Redis                      ALLOW IN    127.0.0.1                  # Ansible rule
[ 9] Nextcloud Notify Push      ALLOW IN    127.0.0.1                  # Ansible rule
[10] WWW Cache                  ALLOW IN    127.0.0.1                  # Ansible rule
```
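Since the role cannot delete rules, a quick way to spot drift is to parse `ufw status numbered` and compare it with `ufw_allow_rules`. This added Python example is not part of the role; the sample output is constructed and the function names are assumptions. Stale rule numbers come back highest first because, as the listing above shows, `ufw delete` renumbers the remaining rules, and rules without the `Ansible rule` comment are reported separately as added outside the role.

```python
import re

# Constructed sample (not from a real host) of `ufw status numbered` output
SAMPLE_STATUS = """Status: active
[ 1] WWW Cache                  ALLOW IN    Anywhere                   # Ansible rule
[ 2] MariaDB                    ALLOW IN    127.0.0.1                  # Ansible rule
[ 3] 2222/tcp                   ALLOW IN    Anywhere                   # Ansible rule SSH
[ 4] 8080/tcp                   ALLOW IN    10.0.0.5
"""

# One row: [N] To ACTION [IN|OUT] From [# comment]; columns are whitespace-separated
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?:\s+(?P<direction>IN|OUT))?\s+(?P<frm>.+?)(?:\s+#\s*(?P<comment>.*))?$"
)


def parse_status_numbered(output):
    """Return the numbered rules as dicts; the header and other lines are skipped."""
    rules = []
    for line in output.splitlines():
        if m := RULE_RE.match(line.strip()):
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rule["comment"] = rule["comment"] or ""
            rules.append(rule)
    return rules


def desired_keys(ufw_allow_rules):
    """Map ufw_allow_rules items to the (To, From) pair ufw prints for them."""
    keys = set()
    for item in ufw_allow_rules:
        to = item["app"] if "app" in item else str(item["port"])
        if "port" in item and item.get("proto"):
            to += "/" + item["proto"]
        keys.add((to, item.get("from_ip", "Anywhere")))
    return keys


def stale_rule_numbers(output, ufw_allow_rules):
    """'Ansible rule' ALLOW rules not in ufw_allow_rules, highest first (ufw renumbers after each delete)."""
    wanted = desired_keys(ufw_allow_rules)
    return sorted((r["num"] for r in parse_status_numbered(output)
                   if r["action"] == "ALLOW" and r["comment"].startswith("Ansible rule")
                   and (r["to"], r["frm"]) not in wanted), reverse=True)

def unmanaged_rule_numbers(output):
    """Rules with no 'Ansible rule' comment, i.e. added outside the role."""
    return [r["num"] for r in parse_status_numbered(output) if "Ansible rule" not in r["comment"]]
```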
List rules using `iptables`:

```bash
iptables -L -n
```

Dump, edit and restore using `iptables`:

```bash
iptables-save > /etc/iptables/rules.v4
vi /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
```
- docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html
- kellyjonbrazil.github.io/jc/docs/parsers/ufw
- wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
- wiki.ubuntu.com/UncomplicatedFirewall
The primary URL of this repo is https://git.coop/webarch/ufw however it is also mirrored to GitHub and available via Ansible Galaxy.
If you use this role please use a tagged release, see the release notes.
Copyright 2020-2024 Luke Murphy and Chris Croome, <chris@webarchitects.co.uk>.
This role is released under the same terms as Ansible itself, the GNU GPLv3.