webarch-coop/ansible-role-ufw
Webarchitects Uncomplicated Firewall (UFW) Ansible Role

An Ansible role to configure the Ubuntu UFW - Uncomplicated Firewall on Debian and Ubuntu.

Usage

An example configuration that only allows SSH and web traffic on ports 80 and 443 over IPv4 and denies all other traffic:

ufw: true
ufw_allow_rules:
  - app: OpenSSH
  - app: WWW Full
ufw_config:
  - path: /etc/default/ufw
    conf:
      IPV6: "no"
ufw_default_policy_deny: true

Note that this role can't currently be used to delete rules; see the notes below for how to check and delete UFW and other iptables rules.

Role Variables

See the defaults/main.yml file for the default variables, the vars/main.yml file for the preset variables and the meta/argument_specs.yml file for the variable specification.

ufw

A boolean, when ufw is true the tasks in this role will be run.

ufw_allow_rules

A list of UFW allow rules. Each item in the list must have either an app or a port variable; from_ip and proto are additional optional variables, for example:

ufw_allow_rules:
  - app: WWW Full
  - port: 2222
    proto: tcp
    comment: SSH

ufw_allow_rules.app

A string, the name of the app, it must match one of those listed using ufw app list.

ufw_allow_rules.comment

An optional comment that is shown at the end of the rule line, appended after the Ansible rule comment that the role adds, for example:

ufw_allow_rules:
  - port: 64896
    proto: udp
    comment: foo

ufw status
Status: active

To                         Action      From
--                         ------      ----
64896/udp                  ALLOW       Anywhere                   # Ansible rule foo

ufw_allow_rules.from_ip

An optional string to use with the from_ip parameter of the community.general.ufw module.

ufw_allow_rules.port

An optional string containing a port number or a range of ports separated with a colon.

ufw_apps

An optional list of UFW application profiles to create or edit in the /etc/ufw/applications.d/ directory. Each item in the list requires an app for the application name (also used as the title, and as the file name if path is not specified), a desc for the application description and a ports string. See the application integration section of the UFW manpage and the following example:

ufw_apps:
  - app: MariaDB
    desc: The open source relational database.
    ports: 3306/tcp

Will generate a file at /etc/ufw/applications.d/mariadb with the contents:

# Ansible managed

[MariaDB]
title=MariaDB
description=The open source relational database.
ports=3306/tcp
# vim: syntax=dosini

ufw_apps.app

A required string, the application name, which is also used as the application title (note that if this role is used to edit existing apps they might have a title that doesn't match the app name).

ufw_apps.desc

A string, an optional application description; the title is used if a description is not provided, and if neither is provided the application name is used.

ufw_apps.path

A string, an optional full path to the application file; if one is not provided then the application name, lower cased and with special characters removed, is used as the filename.

ufw_apps.ports

A string, a |-separated list of ports/protocols where the protocol is optional. A comma-separated list or a range (specified with 'start:end') may also be used to specify multiple ports, in which case the protocol is required, see the examples in the application integration section of the UFW manpage.

ufw_config

An optional list of INI configuration files and configuration to update, see the configuration files documentation below; each item in the list requires a path and a conf dictionary. For example:

ufw_config:
  - path: /etc/default/ufw
    conf:
      IPV6: "no"

Will result in /etc/default/ufw containing:

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

ufw_config.path

A string, the full path to the configuration file.

ufw_config.conf

A dictionary, variables and values that should be present in the configuration file.

ufw_disallow_rules

An optional list of UFW disallow rules. Each item in the list must have either an app or a port variable; from_ip and proto are additional optional variables.

ufw_disallow_rules.app

A string, the name of the app, it must match one of those listed using ufw app list.

ufw_disallow_rules.comment

An optional comment that is shown at the end of the rule line.

ufw_disallow_rules.from_ip

An optional string to use with the from_ip parameter of the community.general.ufw module.

ufw_disallow_rules.port

An optional string containing a port number or a range of ports separated with a colon.

ufw_default_policy_deny

A boolean, when true set the default policy to deny connections.

ufw_pkgs

A list of packages to install.

ufw_verify

A boolean, verify variables that start with ufw_.

Configuration Files

UFW configuration files that use the INI format can be created, deleted and updated using this role; see the ufw-framework man page.

/etc/default/ufw

The /etc/default/ufw high level configuration file can be configured using an item in the ufw_config list; the existing config can be read as YAML using:

cat /etc/default/ufw | jc --ini -yp
---
IPV6: yes
DEFAULT_INPUT_POLICY: DROP
DEFAULT_OUTPUT_POLICY: ACCEPT
DEFAULT_FORWARD_POLICY: DROP
DEFAULT_APPLICATION_POLICY: SKIP
MANAGE_BUILTINS: no
IPT_SYSCTL: /etc/ufw/sysctl.conf
IPT_MODULES: ''

/etc/ufw/sysctl.conf

The /etc/ufw/sysctl.conf kernel network tunables file can be configured using an item in the ufw_config list; the existing config can be read as YAML using:

cat /etc/ufw/sysctl.conf | jc --ini -yp
---
net/ipv4/conf/all/accept_redirects: '0'
net/ipv4/conf/default/accept_redirects: '0'
net/ipv6/conf/all/accept_redirects: '0'
net/ipv6/conf/default/accept_redirects: '0'
net/ipv4/icmp_echo_ignore_broadcasts: '1'
net/ipv4/icmp_ignore_bogus_error_responses: '1'
net/ipv4/icmp_echo_ignore_all: '0'
net/ipv4/conf/all/log_martians: '0'
net/ipv4/conf/default/log_martians: '0'

/etc/ufw/ufw.conf

The /etc/ufw/ufw.conf additional high level configuration file can be configured using an item in the ufw_config list; the existing config can be read as YAML using:

cat /etc/ufw/ufw.conf | jc --ini -yp
---
ENABLED: no
LOGLEVEL: low

/etc/ufw/applications.d/*

UFW application integration profiles in the /etc/ufw/applications.d/* directory can be configured using the ufw_apps list; the existing config can be read as YAML using:

cat /etc/ufw/applications.d/* | jc --ini -yp
---
CUPS:
  title: Common UNIX Printing System server
  description: CUPS is a printing system with support for IPP, samba, lpd, and other protocols.
  ports: '631'
mosh:
  title: Mosh (mobile shell)
  description: Mobile shell that supports roaming and intelligent local echo
  ports: 60000:61000/udp
OpenSSH:
  title: Secure shell server, an rshd replacement
  description: OpenSSH is a free implementation of the Secure Shell protocol.
  ports: 22/tcp

Notes

Update UFW directly, deleting firewall rules:

ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere                   # Ansible rule
[ 2] WWW Full                   ALLOW IN    Anywhere                   # Ansible rule
[ 3] Turnserver                 ALLOW IN    Anywhere                   # Ansible rule
[ 4] WWW Cache                  ALLOW IN    Anywhere                   # Ansible rule
[ 5] RabbitMQ                   ALLOW IN    127.0.0.1                  # Ansible rule
[ 6] Munin                      ALLOW IN    81.95.52.37                # Ansible rule
[ 7] Icinga                     ALLOW IN    81.95.52.42                # Ansible rule
[ 8] MariaDB                    ALLOW IN    127.0.0.1                  # Ansible rule
[ 9] Redis                      ALLOW IN    127.0.0.1                  # Ansible rule
[10] Nextcloud Notify Push      ALLOW IN    127.0.0.1                  # Ansible rule
[11] WWW Cache                  ALLOW IN    127.0.0.1                  # Ansible rule
ufw delete 4
Deleting:
 allow 'WWW Cache' comment 'Ansible rule'
Proceed with operation (y|n)? y
Rule deleted
ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere                   # Ansible rule
[ 2] WWW Full                   ALLOW IN    Anywhere                   # Ansible rule
[ 3] Turnserver                 ALLOW IN    Anywhere                   # Ansible rule
[ 4] RabbitMQ                   ALLOW IN    127.0.0.1                  # Ansible rule
[ 5] Munin                      ALLOW IN    81.95.52.37                # Ansible rule
[ 6] Icinga                     ALLOW IN    81.95.52.42                # Ansible rule
[ 7] MariaDB                    ALLOW IN    127.0.0.1                  # Ansible rule
[ 8] Redis                      ALLOW IN    127.0.0.1                  # Ansible rule
[ 9] Nextcloud Notify Push      ALLOW IN    127.0.0.1                  # Ansible rule
[10] WWW Cache                  ALLOW IN    127.0.0.1                  # Ansible rule
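
Because the role tags every rule it creates with the comment "Ansible rule" and cannot delete rules, any rule without that tag was added by hand or by another tool. The following is an added example (not part of the role) that parses ufw status numbered output to find such unmanaged rules; the sample output is constructed.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "number to action source comment")

_RULE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s{2,}"
    r"(?P<action>(?:ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?)\s+"
    r"(?P<src>.+?)\s*(?:#\s*(?P<comment>.*?))?\s*$"
)

def parse_status(text: str) -> list:
    """Parse the numbered rule lines; the status and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append(Rule(int(m["num"]), m["to"], m["action"],
                              m["src"], (m["comment"] or "").strip()))
    return rules

def unmanaged(rules: list, tag: str = "Ansible rule") -> list:
    """Rules whose comment does not start with the role's tag."""
    return [r for r in rules if not r.comment.startswith(tag)]

def deletion_order(rules: list) -> list:
    """Rule numbers in the order to pass to 'ufw delete N': highest first,
    because ufw renumbers the remaining rules after each delete (compare the
    two listings above, where rule 5 became rule 4)."""
    return sorted((r.number for r in rules), reverse=True)

# Constructed sample output: rules 1 and 2 are role-managed, 3 and 4 are not.
SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    ALLOW IN    Anywhere                   # Ansible rule
[ 2] WWW Full                   ALLOW IN    Anywhere                   # Ansible rule
[ 3] 8080/tcp                   ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    10.0.0.5                   # added by hand
"""

if __name__ == "__main__":
    for r in unmanaged(parse_status(SAMPLE)):
        print(f"unmanaged rule {r.number}: {r.to} {r.action} {r.source} {r.comment!r}")
```

Run it against real output with `ufw status numbered | python3 check_rules.py` after replacing SAMPLE with sys.stdin.read().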

List rules using iptables:

iptables -L -n

Dump, edit and restore using iptables:

iptables-save > /etc/iptables/rules.v4
vi /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4

References

Repository

The primary URL of this repo is https://git.coop/webarch/ufw; however, it is also mirrored to GitHub and available via Ansible Galaxy.

If you use this role please use a tagged release, see the release notes.

Copyright

Copyright 2020-2024 Luke Murphy and Chris Croome, <chris@webarchitects.co.uk>.

This role is released under the same terms as Ansible itself, the GNU GPLv3.
