
ansible-ufw's People

Contributors

aheimlich, crazikpl, dixhuit, franklinkim, goetzk, karlskewes, onny, sbernhard, smiller171, starcraft66


ansible-ufw's Issues

[BUG] Allow all traffic to any port from anywhere enabled by default

Description

No matter which rules I set, I always get that all traffic to any port is enabled by default.

Versions

  • Ansible: 2.10.2
  • Python: 3.9.0
  • OS: Ubuntu 20.04
  • ufw role: 2.0.0

Playbook

    - name: weareinteractive.ufw
      vars:
        ufw_enabled: true
        ufw_ipv6: "yes"
        ufw_rules:
          - logging: "full"
          - port: 22
            rule: allow
          - port: 80
            rule: allow
          - port: 443
            rule: allow
        ufw_manage_config: true

Expected results

user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             

Actual results

user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       Anywhere                  
Anywhere (v6)              ALLOW       Anywhere (v6)  

ensure that code only runs on ubuntu systems

fatal: [localhost]: FAILED! => {"changed": false, "cmd": "apt-get update", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

Could be solved by defining

- include: Debian.yml
  when: ansible_os_family == 'Debian'

in main and moving the code to Debian.yml

suggestion

Hello!!
Sorry, this is my first time on this site and my English is bad.
The change below allows you to use IPv4 / IPv6 addresses or a unique hostname.

ansible-ufw/tasks/config.yml

Change the line:

    - name: Configuring port/protocol/network rules
      ufw:
        from_ip: "{{ item.from_ip | default(omit) }}"

to:

        from_ip: "{{ item.from_ip | default(omit) if item.from_ip is not defined or item.from_ip|ipaddr else lookup('dig', item.from_ip| default(omit), 'qtype=A') }}"

The same functionality can be added for "to_ip:"


It is necessary to install dnspython (pip install dnspython), see:
https://docs.ansible.com/ansible/latest/plugins/lookup/dig.html


ufw_rules:
  - { port: 22, rule: allow, comment: 'Allow SSH' }
  - { port: 80, rule: allow }
  - { from_ip: '127.0.0.1/8', comment: 'Allow localhost' }
  - { from_ip: 'www.redhat.com.br', comment: 'Allow localhost' }

Port Range

Maybe I am just missing it. But how would you define a port range?

ufw allow 1000:2000/tcp

UFW applications don't allow for whitelisting IPs

See above:

Relevant code block in config.yml

    - name: Configuring application rules
      ufw:
        name: "{{ item.name }}"
        rule: "{{ item.rule if item.rule is defined else 'allow' }}"
      with_items: "{{ ufw_applications }}"

Make reset configurable?

I am using this role, thanks for making it.

Wanted to run a situation by you and get your thoughts and possibly ask for a feature.

Question: How to let a host be in multiple roles, each of which configures its own set of ufw_rules? Today with the reset functionality, rules get clobbered if rules get re-executed because of the "reset" block in tasks/main.yml

Let's say I have 3 groups: load balancer, db, and app server. Each group has its own ufw_rules.

It all works if each group has its own server(s). But if a host is placed in multiple groups, ufw setup does not work. This is because of the "reset" code in the main task.

I don't want to turn on 'hash_behaviour=merge' because that seems ...undesirable. See the gotcha section of this article: https://dantehranian.wordpress.com/2015/08/10/automating-linux-security-best-practices-with-ansible/

I hacked the role locally to avoid doing the reset. Not ideal. Perhaps the first time through it could do a reset but subsequent executions could skip the reset.

Any thoughts?

Thanks,
Perry

Use ansible_port if defined. If not, fallback to port 22

Hello,

Currently port 22 is hard coded:

ufw_rules: [{ port: 22, rule: allow }]

Whenever the host port is not 22... this variable must be redefined.
I suggest making it more flexible by changing the rule to:

ufw_rules: [{ port: '{% if ansible_port is defined %}{{ ansible_port }}{% else %}22{% endif %}', rule: allow }]

I'm not sure the jinja2 syntax is correct but the idea is there.

If this is considered a good idea I can implement it and issue a PR.

Thanks!

ERROR! couldn't resolve module/action 'community.general.ufw'

I'm getting this after installing the galaxy role just now.

ERROR! couldn't resolve module/action 'community.general.ufw'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/home/mdf/.ansible/roles/weareinteractive.ufw/tasks/service.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Configuring service state
  ^ here

My ansible is v2.95 on Ubuntu Focal

Rule sequence

Hello,
this is probably not an issue; possibly I'm not using it correctly.
In https://github.com/weareinteractive/ansible-ufw/blob/master/tasks/config.yml there is an option:
insert: "{{ item.insert | default(omit) }}"

I need to put a particular rule at the end, like several ssh allow rules and, at the end, a deny for the others.
If I put the rule at the end, it is still placed randomly; if I try to do something like:
- { insert:10, port: 22, rule: deny, proto: tcp, from_ip: any, comment: 'deny other ssh' }
this is incorrect syntax.
So, I don't get how to put a particular rule at the end.

Otherwise, this ansible role is just fine.
Thank you,
Frank

test that checks whether port is really open

although

ufw_rules:
  - { port: 22, rule: allow }
  - { port: "{{ rabbitmq_port }}", rule: allow }
  - { port: "{{ sensu_server_uchiwa_port }}", rule: allow }

has been defined, this role has closed all ports on my server
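The request above for a test that checks whether a port is really open, and the catch-all "Anywhere ALLOW Anywhere" result in the first bug report, can both be checked from the text that `ufw status` prints. The following Python is an added example, not code from the ansible-ufw role or from any of the posts above; the two sample outputs are constructed by copying the bug report's Expected and Actual results, and the port-range/`/tcp` handling is an assumption about ufw's output format.

```python
import re
from collections import namedtuple

# Constructed samples: copied from the bug report's Expected/Actual results.
EXPECTED_STATUS = """Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
"""
ACTUAL_STATUS = """Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       Anywhere
Anywhere (v6)              ALLOW       Anywhere (v6)
"""

# One rule row of `ufw status`; also tolerates the "ALLOW IN" form of verbose output.
# The header, separator and "Status:" lines have no two-space gap before an action word.
ROW = re.compile(r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)"
                 r"(?: (?:IN|OUT|FWD))?\s{2,}(?P<frm>.+?)\s*$")

Rule = namedtuple("Rule", "to action frm")

def parse_ufw_status(text):
    """Return the rule rows of a `ufw status` dump as Rule(to, action, frm)."""
    return [Rule(m["to"], m["action"], m["frm"])
            for m in map(ROW.match, text.splitlines()) if m]

def catch_all_allows(rules):
    """ALLOW rules whose destination and source are both 'Anywhere' (the reported bug)."""
    return [r for r in rules if r.action == "ALLOW"
            and r.to.startswith("Anywhere") and r.frm.startswith("Anywhere")]

def missing_allows(rules, expected_ports, ipv6=True):
    """Expected ports (v4 and, optionally, v6 entries) that have no explicit ALLOW rule."""
    # "22/tcp (v6)" -> "22 (v6)" so a proto-qualified rule still satisfies port 22.
    allowed = {re.sub(r"/(tcp|udp)", "", r.to) for r in rules if r.action == "ALLOW"}
    wanted = {str(p) for p in expected_ports}
    if ipv6:
        wanted |= {f"{p} (v6)" for p in expected_ports}
    return sorted(wanted - allowed)
```

Run it against `subprocess.check_output(["ufw", "status"], text=True)` in a post-role check: a non-empty `catch_all_allows` result means the firewall is effectively open, whatever `ufw_rules` said.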
