weareinteractive / ansible-ufw
Ansible role which installs and configures ufw
License: MIT License
Hi, this role is not idempotent.
I noticed that when explicitly specifying the protocol for a rule, e.g. 'protocol': 'udp' or 'protocol': 'tcp', the item will always be in the changed state when running my playbook a second time.
No matter which rules I set, I always get that all traffic to any port is enabled by default.
- name: weareinteractive.ufw
  vars:
    ufw_enabled: true
    ufw_ipv6: "yes"
    ufw_rules:
      - logging: "full"
      - port: 22
        rule: allow
      - port: 80
        rule: allow
      - port: 443
        rule: allow
    ufw_manage_config: true
user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

user@host:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       Anywhere
Anywhere (v6)              ALLOW       Anywhere (v6)
Would you be able to get the 1.5 release to https://galaxy.ansible.com/franklinkim/ufw/?
Using the version 1.4, I'm running into the deprecation warnings that it looks like you fixed.
Thanks!
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "apt-get update", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}
Could be solved by defining
  - include: Debian.yml
    when: ansible_os_family == 'Debian'
in main and moving the code to Debian.yml
Hello!!
Sorry, this is my first time on this site and my English is bad.
The change below allows you to use IPv4/IPv6 addresses and a hostname.
ansible-ufw/tasks/config.yml
Change the line:
    from_ip: "{{ item.from_ip | default(omit) }}"
to:
    from_ip: "{{ item.from_ip | default(omit) if item.from_ip is not defined or item.from_ip | ipaddr else lookup('dig', item.from_ip, 'qtype=A') }}"
The same functionality can be added for "to_ip:".
It is necessary to install dnspython: pip install dnspython
https://docs.ansible.com/ansible/latest/plugins/lookup/dig.html
ufw_rules:
  - { port: 22, rule: allow, comment: 'Allow SSH' }
  - { port: 80, rule: allow }
  - { from_ip: '127.0.0.1/8', comment: 'Allow localhost' }
  - { from_ip: 'www.redhat.com.br', comment: 'Allow localhost' }
Maybe I am just missing it. But how would you define a port range?
ufw allow 1000:2000/tcp
See above:
Relevant code block in config.yml
I am using this role, thanks for making it.
Wanted to run a situation by you and get your thoughts and possibly ask for a feature.
Question: How can a host be in multiple roles, each of which configures its own set of ufw_rules? Today, with the reset functionality, rules get clobbered when the rules get re-executed, because of the "reset" block in tasks/main.yml.
Let's say I have 3 groups: load balancer, db, and app server. Each group has its own ufw_rules.
It all works if each group has its own server(s). But if a host is placed in multiple groups, the ufw setup does not work. This is because of the "reset" code in the main task.
I don't want to turn on 'hash_behaviour=merge' because that seems ...undesirable. See the gotcha section of this article: https://dantehranian.wordpress.com/2015/08/10/automating-linux-security-best-practices-with-ansible/
I hacked the role locally to avoid doing the reset. Not ideal. Perhaps the first time through it could do a reset, but subsequent executions could skip the reset.
Any thoughts?
Thanks,
Perry
Hello,
Currently port 22 is hard coded:
ufw_rules: [{ port: 22, rule: allow }]
Whenever the host port is not 22, this variable must be redefined.
I suggest making it more flexible by changing the rule to:
ufw_rules: [{ port: '{% if ansible_port is defined %}{{ ansible_port }}{% else %}22{% endif %}', rule: allow }]
I'm not sure the Jinja2 syntax is correct, but the idea is there.
If this is considered a good idea I can implement it and issue a PR.
Thanks!
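The multi-group question above (each group with its own ufw_rules, clobbered by the role's reset) and the ansible_port suggestion can both be handled in the playbook, without hash_behaviour=merge and without changing the role, as in this added example, which is not code from the role or from either poster. It assumes the group names, the ufw_rules_* variable names, and that the role forwards the keys port, proto, rule, from_ip and comment (as used elsewhere on this page) to the ufw module; the mosh entry also shows the port-range syntax asked about earlier.

```yaml
# Added example, not from the role or the issue authors. Assumed: group names
# loadbalancer/db/appserver, the ufw_rules_* variable names, and that the role
# forwards the keys port, proto, rule, from_ip and comment to the ufw module.
#
# group_vars/loadbalancer.yml (assumed file, shown here as a comment):
#   ufw_rules_loadbalancer:
#     - { port: 80,  proto: tcp, rule: allow, comment: 'HTTP' }
#     - { port: 443, proto: tcp, rule: allow, comment: 'HTTPS' }
#
# group_vars/db.yml:
#   ufw_rules_db:
#     - { port: 5432, proto: tcp, rule: allow, from_ip: '10.0.1.0/24', comment: 'Postgres from app subnet' }
#
# group_vars/appserver.yml:
#   ufw_rules_appserver:
#     - { port: 8080, proto: tcp, rule: allow, from_ip: '10.0.0.0/24', comment: 'App from LB subnet' }

# site.yml
- hosts: all
  become: true
  vars:
    # Rules every host gets. SSH follows the inventory's ansible_port and
    # falls back to 22; the mosh entry is a port range, which ufw only
    # accepts together with a protocol.
    ufw_rules_base:
      - { port: "{{ ansible_port | default(22) }}", proto: tcp, rule: allow, comment: 'SSH' }
      - { port: '60000:61000', proto: udp, rule: allow, comment: 'mosh' }
  roles:
    - role: weareinteractive.ufw
      vars:
        ufw_enabled: true
        # Concatenate the lists instead of relying on hash_behaviour=merge.
        # A group the host is not in contributes [] via default([]), so a host
        # in one group or in all three gets one complete list, and the role's
        # reset runs once, over that list, instead of clobbering the rules an
        # earlier group's play had applied.
        ufw_rules: >-
          {{ ufw_rules_base
             + (ufw_rules_loadbalancer | default([]))
             + (ufw_rules_db | default([]))
             + (ufw_rules_appserver | default([])) }}
```

Run the role once from a single play over all hosts; running it once per group from separate plays is what triggers the reset problem described above.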
I'm getting this after installing the galaxy role just now.
ERROR! couldn't resolve module/action 'community.general.ufw'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '/home/mdf/.ansible/roles/weareinteractive.ufw/tasks/service.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: Configuring service state
^ here
My ansible is v2.95 on Ubuntu Focal
Hello,
this is probably not an issue; possibly I'm not using it correctly.
In https://github.com/weareinteractive/ansible-ufw/blob/master/tasks/config.yml there is an option:
insert: "{{ item.insert | default(omit) }}"
I need to put a particular rule at the end, e.g. several SSH allow rules and, at the end, a deny for the others.
If I put the rule at the end of the list, it is still placed randomly, and if I try to do something like:
- { insert:10, port: 22, rule: deny, proto: tcp, from_ip: any, comment: 'deny other ssh' }
this is incorrect syntax.
So I don't get how to put a particular rule at the end.
Otherwise, this ansible role is just fine.
Thank you,
Frank
Although
ufw_rules:
  - { port: 22, rule: allow }
  - { port: "{{ rabbitmq_port }}", rule: allow }
  - { port: "{{ sensu_server_uchiwa_port }}", rule: allow }
has been defined, this role has closed all ports on my server.