Description

No matter which rules I set, I always get that all traffic to any port is enabled by default.

Versions

• Ansible: 2.10.2
• Python 3.9.0
• OS: Ubuntu 20.04
• ufw role: 2.0.0

Playbook

    - name: weareinteractive.ufw
      vars:
        ufw_enabled: true
        ufw_ipv6: "yes"
        ufw_rules:
          - logging: "full"
          - port: 22
            rule: allow
          - port: 80
            rule: allow
          - port: 443
            rule: allow
        ufw_manage_config: true

Expected results

user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             

Actual results

user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       Anywhere                  
Anywhere (v6)              ALLOW       Anywhere (v6)  

Maybe I am just missing it. But how would you define a port range?

ufw allow 1000:2000/tcp

Hello,
this is probably not an issue, possible that I'm not using it correctly.
In https://github.com/weareinteractive/ansible-ufw/blob/master/tasks/config.yml there is an option:
insert: "{{ item.insert | default(omit) }}"

I need to put particular rule at the end, like several ssh allow, at the end deny for others.
If I put rule at the end, it is still randomly put, if I try to do something like:
- { insert:10, port: 22, rule: deny, proto: tcp, from_ip: any, comment: 'deny other ssh' }
this is incorrect syntax.
So, I don't get how to put particular rule at the end.

Otherwise, this ansible role is just fine.
Thank you,
Frank

I noticed that when explicitly specifying the protocol for a rule: e.g. 'protocol': 'udp' or 'protocol': 'tcp', the item will always be in the changed state when running my playbook a second time.

I'm getting this after installing the galaxy role just now.

ERROR! couldn't resolve module/action 'community.general.ufw'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/home/mdf/.ansible/roles/weareinteractive.ufw/tasks/service.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Configuring service state
  ^ here

My ansible is v2.95 on Ubuntu Focal

I am using this role, thanks for making it.

Wanted to run a situation by you and get your thoughts and possibly ask for a feature.

Question: How to let a host be in multiple roles, each of which configures its own set of ufw_rules? Today with the reset functionality, rules get clobbered if rules get re-executed because of the "reset" block in tasks/main.yml

Let's say I have 3 groups: load balancer, db, and app server. Each group has its own ufw_rules.

It all works if each group has its own server(s). But if a host is placed in multple groups, ufw setup does not work. This is because of the "reset" code in the main task.

I don't want to turn on 'hash_behaviour=merge' because that seems ...undesirable. See the gotcha section of this article: https://dantehranian.wordpress.com/2015/08/10/automating-linux-security-best-practices-with-ansible/

I hacked the role locally to avoid doing the reset. Not ideal. Perhaps the first time through it could do a reset but subsequent executions could skip the reset.

Any thoughts?

Thanks,
Perry

See above:

Relevant code block in config.yml

• name: Configuring application rules
  ufw:
  name: "{{ item.name }}"
  rule: "{{ item.rule if item.rule is defined else 'allow' }}"
  with_items: "{{ ufw_applications }

Hi, this role is not idempotent.

although

ufw_rules:
  - { port: 22, rule: allow }
  - { port: "{{ rabbitmq_port }}", rule: allow }
  - { port: "{{ sensu_server_uchiwa_port }}", rule: allow }

has been defined, this role has closed all ports on my server

Would you be able to get the 1.5 release to https://galaxy.ansible.com/franklinkim/ufw/?

Using the version 1.4, I'm running into the deprecation warnings that it looks like you fixed.

Thanks!

Hello!!
Sorry. This is my first time on this site and my English is bad
The change below allows you to use ipv4 / ipv6 and unique hostname

ansible-ufw/tasks/config.yml

Change the line:

• name: Configuring port/protocol/network rules
  ufw:
  from_ip: "{{ item.from_ip | default(omit) }}"
  to
  from_ip: "{{ item.from_ip | default(omit) if item.from_ip is not defined or item.from_ip|ipaddr else lookup('dig', item.from_ip| default(omit), 'qtype=A') }}"

The same functionality can be added for "to_ip:"

it is necessary to install: pip install dnspython
https://docs.ansible.com/ansible/latest/plugins/lookup/dig.html

ufw_rules:
  - { port: 22, rule: allow, comment: 'Allow SSH' }
  - { port: 80, rule: allow }
  - { from_ip: '127.0.0.1/8', comment: 'Allow localhost' }
  - { from_ip: 'www.redhat.com.br', comment: 'Allow localhost' }

Hello,

Currently port 22 is hard coded:

ufw_rules: [{ port: 22, rule: allow }]

Whenever the host port is not 22... this variable must be redefined.
I suggest making it more flexible by changing the rule to:

ufw_rules: [{ port: '{% if ansible_port is defined %}{{ ansible_port }}{% else %}22{% endif %}', rule: allow }]

I'm not sure the jinja2 syntax is correct but the idea is there.

If this is considered a good idea I can implement it a issue a PR.

Thanks!

fatal: [localhost]: FAILED! => {"changed": false, "cmd": "apt-get update", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

Could be solved by defining

- include: Debian.yml
  when: ansible_os_family == 'Debian'

in main and moving the code to Debian.yml