
ansible-ufw's Introduction

ufw


Set up ufw in Debian-like systems.

Requirements

None

Variables

  • ufw_default_incoming_policy [default: deny]: Default (incoming) policy

  • ufw_default_outgoing_policy [default: allow]: Default (outgoing) policy

  • ufw_logging [default: off]: Log level

  • ufw_rules [default: see defaults/main.yml]: Rules to apply

  • ufw_etc_default_ipv6 [default: true]: Set to yes to apply rules to support IPv6

  • ufw_etc_default_default_input_policy [default: DROP]: Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if you change this you will most likely want to adjust your rules

  • ufw_etc_default_default_output_policy [default: ACCEPT]: Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if you change this you will most likely want to adjust your rules

  • ufw_etc_default_default_forward_policy [default: DROP]: Set the default forward policy to ACCEPT, DROP or REJECT. Please note that if you change this you will most likely want to adjust your rules

  • ufw_etc_default_default_application_policy [default: SKIP]: Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please note that setting this to ACCEPT may be a security risk

  • ufw_etc_default_manage_builtins [default: false]: By default, ufw only touches its own chains. Set this to 'yes' to have ufw manage the built-in chains too. Warning: setting this to 'yes' will break non-ufw managed firewall rules

  • ufw_etc_default_ipt_sysctl [default: /etc/ufw/sysctl.conf]: sysctl file loaded by the iptables (IPT) backend; only relevant when the iptables backend is in use

  • ufw_etc_default_ipt_modules [default: [nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_netbios_ns]]: Extra connection tracking modules to load. Complete list can be found in net/netfilter/Kconfig of your kernel source

Dependencies

None

Example

---
- hosts: all
  roles:
    - oefenweb.ufw

Allow ssh

- hosts: all
  roles:
    - oefenweb.ufw
  vars:
    ufw_rules:
      - rule: allow
        to_port: 22
        protocol: tcp
        comment: 'allow incoming connection on standard ssh port'

Allow all traffic on eth1

- hosts: all
  roles:
    - oefenweb.ufw
  vars:
    ufw_rules:
      - rule: allow
        interface: eth1
        to_port: ''
        comment: 'allow all traffic on interface eth1'

Allow snmp traffic from 1.2.3.4 on eth0

- hosts: all
  roles:
    - oefenweb.ufw
  vars:
    ufw_rules:
      - rule: allow
        interface: eth0
        from_ip: 1.2.3.4
        to_port: 161
        protocol: udp
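The examples above each set a single rule and leave every other variable at its default. The playbook below is an added example, not taken from the role's README, that combines the documented policy, logging and IPv6 variables with a rule list for a locked-down web host. The subnet, port numbers and comments are constructed; the `limit` and `deny` rule values and the empty `to_port` for a rule that covers all ports are assumed to be passed through to ufw unchanged, as the README's own `interface: eth1` example suggests.

```yaml
---
# Added example (not from the role's README): default-deny inbound host
# that exposes only what it must. Addresses and ports are constructed.
- hosts: web
  become: true
  roles:
    - oefenweb.ufw
  vars:
    ufw_default_incoming_policy: deny      # anything not listed below is dropped
    ufw_default_outgoing_policy: allow
    ufw_logging: low                       # log blocked packets, rate limited
    ufw_etc_default_ipv6: true             # apply the same rules to IPv6
    ufw_etc_default_default_forward_policy: DROP   # this host is not a router
    ufw_rules:
      - rule: limit                        # assumption: ufw's rate-limit rule type
        to_port: 22
        protocol: tcp
        comment: 'ssh, rate limited against brute force'
      - rule: allow
        to_port: 443
        protocol: tcp
        comment: 'https from anywhere'
      - rule: allow
        from_ip: 10.0.0.0/24              # constructed monitoring subnet
        to_port: 9100
        protocol: tcp
        comment: 'metrics scrape only from the monitoring subnet'
      - rule: deny                         # assumption: ufw's deny rule type
        from_ip: 203.0.113.0/24            # constructed address range
        to_port: ''                        # all ports, as in the eth1 example
        comment: 'drop a documentation range used here as a sample block list'
```

Keep the ssh rule first: with `ufw_default_incoming_policy: deny`, a play that forgets it locks you out of the host as soon as the role enables the firewall.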

License

MIT

Author Information

Mischa ter Smitten (based on work of weareinteractive)

Feedback, bug-reports, requests, ...

Are welcome!

ansible-ufw's People

Contributors

ahelal, kmonticolo, mvdriel, starcraft66, tersmitten


ansible-ufw's Issues

Need to wait for approx. 20 minutes on "start and enable service" step

TASK [oefenweb.ufw : logging] ***************************************************************************
Tuesday 09 April 2019 09:32:36 +0200 (0:00:18.628) 0:05:45.768 *********
ok: [host1]
ok: [host2]

TASK [oefenweb.ufw : start and enable service] **********************************************************
Tuesday 09 April 2019 09:32:40 +0200 (0:00:03.205) 0:05:48.974 *********
changed: [host1]
changed: [host2]

RUNNING HANDLER [oefenweb.ufw : reload ufw] *************************************************************
Tuesday 09 April 2019 09:51:27 +0200 (0:18:47.711) 0:24:36.685 *********
ok: [host1]
ok: [host2]

tagging

Hi,

Is it possible you use versioning/tagging so we can lock use in production?

regards

Overriding the default rules with an empty rule set causes the role to fail

I don't think that machines which should allow no incoming traffic (I have some which are lxd containers, managed with https://docs.ansible.com/ansible/latest/modules/lxd_container_module.html instead of the typical ansible method of management over ssh) can be defined currently. e.g. like this:

ansible@myhost:~/testing$ cat group_vars/lxd_containers
---
# https://github.com/Oefenweb/ansible-ufw
ufw_rules:

results in a failure at runtime:

fatal: [lxdhost:testc1]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'None' has no attribute 'rule'\n\nThe error appears to be in '/home/ansible/.ansible/roles/oefenweb.ufw/tasks/configure.yml': line 54, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: configure | rules\n  ^ here\n"}
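The error quoted in the report comes from a bare `ufw_rules:` key, which YAML reads as null; the role's rule task then receives `None` instead of a list. As an added example (not from the issue or the role), this is a group_vars file for hosts that must accept no inbound traffic, written with an explicit empty list so the rule loop has nothing to iterate over. That the role accepts an empty list is an assumption here.

```yaml
---
# Added example, not from the role: group_vars/lxd_containers for hosts
# that expose no inbound service at all.
#
# "ufw_rules:" with no value is YAML null ('None' in the error above);
# "[]" is an empty list, which is what a loop over rules expects.
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow
ufw_logging: low           # still record what gets dropped
ufw_rules: []              # assumption: the role tolerates an empty list
```

If a container is managed over the lxd connection plugin rather than ssh, nothing needs to be opened for Ansible itself, which is why an empty list is the right value rather than an ssh allow rule.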

Recommended approach for "before.rules"?

How would you recommend this be done in Ansible? Could this package have support added for this?

sudo vim /etc/ufw/before.rules
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
+
+*nat
+:PREROUTING ACCEPT [0:0]
+-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
+-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-port 8443
+COMMIT
+
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
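Review bot: after REDIRECT rewrites the destination port in PREROUTING, the filter chains see dport 8080 and 8443 rather than 80 and 443, so the ufw allow rules for this host have to name the target ports, otherwise the redirected traffic is dropped by the default DROP input policy. The `*nat` block is correctly placed before `*filter` and carries its own `COMMIT`. Both REDIRECT rules match on every interface; adding `-i <public interface>` would keep packets arriving on internal interfaces from being rewritten, and PREROUTING never sees connections the host makes to itself.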
sudo systemctl restart ufw

Loops not supported

This does not work (it will only honor the last ufw_rules block). Thus I just got locked out of a freshly provisioned server:

---
- import_playbook: security.yml hostlist=redis
- hosts: redis
  become: true
  become_user: root
  roles:
    # https://github.com/Oefenweb/ansible-ufw
    - role: ufw
      ufw_rules:
        - rule: allow
          to_port: 22
          protocol: tcp
          comment: ssh
  tasks:
    - name: loop over ufw
      include_role:
        name: ufw
      vars:
        ufw_rules:
          - rule: allow
            to_port: "{{ lookup('env', 'REDIS_PORT') }}"
            from_ip: "{{ item }}"
            protocol: tcp
            comment: "redis access from {{ item }}"
      with_items: "{{ groups['web'] + groups['api'] + groups['bull'] }}"
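Applying the role once per client, as the playbook in the report does, leaves only the last invocation's `ufw_rules` in effect. The alternative below is an added example, not from the issue or the role: build the complete rule list first with `set_fact` in a loop, then let the role run a single time. The ssh rule is added before the loop so the host stays reachable whatever the loop produces. The group names, the `REDIS_PORT` environment variable and the `ansible_host` lookup (inventory hostnames are not necessarily addresses, so the inventory's `ansible_host` is used when present) are assumptions for illustration.

```yaml
---
# Added example, not part of the role: one rule list, one role run.
- hosts: redis
  become: true
  vars:
    # constructed: fall back to the default redis port when the env var is unset
    redis_port: "{{ lookup('env', 'REDIS_PORT') | default('6379', true) }}"
    redis_clients: "{{ groups['web'] + groups['api'] + groups['bull'] }}"
  pre_tasks:
    - name: seed the rule list with ssh so the firewall never locks us out
      set_fact:
        ufw_rules:
          - rule: allow
            to_port: 22
            protocol: tcp
            comment: ssh

    - name: append one allow rule per redis client
      set_fact:
        ufw_rules: >-
          {{ ufw_rules + [{'rule': 'allow',
                           'to_port': redis_port,
                           'from_ip': hostvars[item]['ansible_host'] | default(item),
                           'protocol': 'tcp',
                           'comment': 'redis access from ' ~ item}] }}
      loop: "{{ redis_clients }}"

  roles:
    - oefenweb.ufw   # runs once with the full list built above
```

Because `set_fact` has higher precedence than play vars and role defaults, the list assembled in `pre_tasks` is what the role sees; every client gets its own rule and the ssh rule is never displaced.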

Add example for port forwarding

The examples in the readme are quite good, however there is not an example that features Port Forwarding.

It would be great for folks looking for a comprehensive ufw role that supports port forwarding to see one in the examples because it is not clear from the readme if this role supports it.
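Port forwarding is not among the documented `ufw_rules` keys, and ufw itself only reads nat rules from `/etc/ufw/before.rules`, which is also what the earlier before.rules question was about. The playbook below is an added example, not part of the role or the README, that lets the role manage the filter rules and adds the nat redirect with `blockinfile`. It redirects public 80/443 to unprivileged app ports on the same host, the case the before.rules question showed; the interface name and port numbers are constructed.

```yaml
---
# Added example, not part of the role: managed nat redirect in before.rules.
- hosts: all
  become: true
  vars:
    ufw_rules:
      # After REDIRECT the filter chain sees the rewritten ports, so the
      # allow rules must name 8080/8443, not 80/443.
      - rule: allow
        to_port: 22
        protocol: tcp
        comment: ssh
      - rule: allow
        to_port: 8080
        protocol: tcp
        comment: 'http, redirected from 80'
      - rule: allow
        to_port: 8443
        protocol: tcp
        comment: 'https, redirected from 443'
  roles:
    - oefenweb.ufw
  tasks:
    - name: add a nat table block ahead of the filter table in before.rules
      blockinfile:
        path: /etc/ufw/before.rules
        marker: "# {mark} ANSIBLE MANAGED nat redirect"
        # the nat block has to come before ufw's required *filter section
        insertbefore: "^# Don't delete these required lines"
        block: |
          *nat
          :PREROUTING ACCEPT [0:0]
          -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
          -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
          COMMIT
      notify: reload ufw
  handlers:
    - name: reload ufw
      community.general.ufw:
        state: reloaded
```

Restricting the REDIRECT rules to `-i eth0` keeps traffic arriving on internal interfaces from being rewritten. Forwarding to another host (DNAT rather than REDIRECT) additionally needs `net.ipv4.ip_forward=1` in the file named by `ufw_etc_default_ipt_sysctl` and a forward policy or route rules that permit the traffic, since the role's default forward policy is DROP.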

common rules parameters

I implemented some common rules parameters in my fork. e.g.
allow_dns_in: yes
Are you interested in this kind of notation or do you consider it out of scope?
