ufw - Manage firewall with UFW
New in version 1.6.
Synopsis
- Manage firewall with UFW.
Requirements (on host that executes module)
-
ufw
package
Options
parameter | required | default | choices | comments |
---|---|---|---|---|
comment (added in 2.4)
| no | Add a comment to the rule. Requires UFW version >=0.35. | ||
delete | no |
| Delete rule. | |
direction | no |
| Select direction for a rule or default policy command. | |
from_ip | no | any | Source IP address. aliases: from, src | |
from_port | no | Source port. | ||
insert | no | Insert the corresponding rule as rule number NUM | ||
interface | no | Specify interface for rule. aliases: if | ||
log | no |
| Log new connections matched to this rule | |
logging | no |
| Toggles logging. Logged packets use the LOG_KERN syslog facility. | |
name | no | Use profile located in /etc/ufw/applications.d
aliases: app | ||
policy | no |
| Change the default policy for incoming or outgoing traffic. aliases: default | |
proto | no |
| TCP/IP protocol. | |
route | no |
| Apply the rule to routed/forwarded packets. | |
rule | no |
| Add firewall rule | |
state | no |
| enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults. | |
to_ip | no | any | Destination IP address. aliases: to, dest | |
to_port | no | Destination port. aliases: port |
Examples
# Allow everything and enable UFW
- ufw:
state: enabled
policy: allow
# Set logging
- ufw:
logging: on
# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
rule: reject
port: auth
log: yes
# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- ufw:
rule: limit
port: ssh
proto: tcp
# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
- ufw:
rule: allow
name: OpenSSH
# Delete OpenSSH rule
- ufw:
rule: allow
name: OpenSSH
delete: yes
# Deny all access to port 53:
- ufw:
rule: deny
port: 53
# Allow port range 60000-61000
- ufw:
rule: allow
port: '60000:61000'
# Allow all access to tcp port 80:
- ufw:
rule: allow
port: 80
proto: tcp
# Allow all access from RFC1918 networks to this host:
- ufw:
rule: allow
src: '{{ item }}'
with_items:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# Deny access to udp port 514 from host 1.2.3.4 and include a comment:
- ufw:
rule: deny
proto: udp
src: 1.2.3.4
port: 514
comment: "Block syslog"
# Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
- ufw:
rule: allow
interface: eth0
direction: in
proto: udp
src: 1.2.3.5
from_port: 5469
dest: 1.2.3.4
to_port: 5469
# Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host.
# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- ufw:
rule: deny
proto: tcp
src: '2001:db8::/32'
port: 25
# Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24.
# Can be used to further restrict a global FORWARD policy set to allow
- ufw:
rule: deny
route: yes
src: 1.2.3.0/24
dest: 4.5.6.0/24
Notes
Note
- See
man ufw
for more examples.
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.4/ufw_module.html