ufw - Manage firewall with UFW
New in version 1.6.
Synopsis
- Manage firewall with UFW.
Requirements
The below requirements are needed on the host that executes this module.
-
ufw
package
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
comment (added in 2.4) | Add a comment to the rule. Requires UFW version >=0.35. | |
delete |
| Delete rule. |
direction |
| Select direction for a rule or default policy command. |
from_ip | Default: any | Source IP address. aliases: from, src |
from_port | Source port. | |
insert | Insert the corresponding rule as rule number NUM | |
interface | Specify interface for rule. aliases: if | |
log |
| Log new connections matched to this rule |
logging |
| Toggles logging. Logged packets use the LOG_KERN syslog facility. |
name | Use profile located in /etc/ufw/applications.d .aliases: app | |
policy |
| Change the default policy for incoming or outgoing traffic. aliases: default |
proto |
| TCP/IP protocol. |
route |
| Apply the rule to routed/forwarded packets. |
rule |
| Add firewall rule |
state |
| enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults. |
to_ip | Default: any | Destination IP address. aliases: dest, to |
to_port | Destination port. aliases: port |
Notes
Note
- See
man ufw
for more examples.
Examples
- name: Allow everything and enable UFW ufw: state: enabled policy: allow - name: Set logging ufw: logging: on # Sometimes it is desirable to let the sender know when traffic is # being denied, rather than simply ignoring it. In these cases, use # reject instead of deny. In addition, log rejected connections: - ufw: rule: reject port: auth log: yes # ufw supports connection rate limiting, which is useful for protecting # against brute-force login attacks. ufw will deny connections if an IP # address has attempted to initiate 6 or more connections in the last # 30 seconds. See http://www.debian-administration.org/articles/187 # for details. Typical usage is: - ufw: rule: limit port: ssh proto: tcp # Allow OpenSSH. (Note that as ufw manages its own state, simply removing # a rule=allow task can leave those ports exposed. Either use delete=yes # or a separate state=reset task) - ufw: rule: allow name: OpenSSH - name: Delete OpenSSH rule ufw: rule: allow name: OpenSSH delete: yes - name: Deny all access to port 53 ufw: rule: deny port: 53 - name: Allow port range 60000-61000 ufw: rule: allow port: 60000:61000 - name: Allow all access to tcp port 80 ufw: rule: allow port: 80 proto: tcp - name: Allow all access from RFC1918 networks to this host ufw: rule: allow src: '{{ item }}' with_items: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 - name: Deny access to udp port 514 from host 1.2.3.4 and include a comment ufw: rule: deny proto: udp src: 1.2.3.4 port: 514 comment: Block syslog - name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 ufw: rule: allow interface: eth0 direction: in proto: udp src: 1.2.3.5 from_port: 5469 dest: 1.2.3.4 to_port: 5469 # Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work. - name: Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host ufw: rule: deny proto: tcp src: 2001:db8::/32 port: 25 # Can be used to further restrict a global FORWARD policy set to allow - name: Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24 ufw: rule: deny route: yes src: 1.2.3.0/24 dest: 4.5.6.0/24
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Author
- Aleksey Ovcharenko (@ovcharenko)
- Jarno Keskikangas (@pyykkis)
- Ahti Kitsik (@ahtik)
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/modules/ufw_module.html