Comments (8)
@petarGitNik To my understanding, aliasing can only happen at the community.general.ufw level. Your role is "forging" the parameters set for community.general.ufw based on your roles variable. When setting port
but not port_to
you are calling the underneath module with neither port
nor port_to
which means the module's default (any) is assumed.
Raising ANSIBLE_VERBOSITY clearly shows how the mapping happens when setting an allow rule for port: '80'
:
changed: [default] => (item={u'port': u'80', u'rule': u'allow', u'proto': u'tcp'}) => {"ansible_loop_var": "item", "changed": true, "commands": ["/usr/sbin/ufw status verbose", "/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw allow from any to any proto tcp", "/usr/sbin/ufw status verbose", "/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules"], "item": {"port": "80", "proto": "tcp", "rule": "allow"}, "msg": "Status: active\nLogging: on (full)\nDefault: deny (incoming), allow (outgoing), disabled (routed)\nNew profiles: skip\n\nTo Action From\n-- ------ ----\nAnywhere/tcp ALLOW IN Anywhere/tcp \nAnywhere/tcp (v6) ALLOW IN Anywhere/tcp (v6)"}
from ansible-ufw.
Seeing this here as well... My guess is the root cause being a missing "mapping" of the "port" parameter in https://github.com/weareinteractive/ansible-ufw/blob/master/tasks/manage.yml. I'm working on a PR to hopefully fix the issue.
from ansible-ufw.
@gizero That's strange, I thought that port
parameter does not need to be explicitly added, since it is alias for the to_port
parameter in the underlying module. I've changed in my playbook port
to to_port
and resolved the issue. However, I'm not sure anymore if this is a bug, or how the ufw module is supposed to work now.
from ansible-ufw.
Well, the fix in https://github.com/gizero/ansible-ufw/tree/fix-port-parameter-mapping shows that adding port
to the list of the arguments that end up being mapped into the underlying module solves the issue @petarGitNik raised. Nevertheless the same applies to other aliases community.general.ufw
supports. Would be nice if @franklinkim can comment on its original intention here. I don't see it explicitly stated in the README
, but looks like the idea is to expose the same exact syntax that community.general.ufw
supports via the ufw_rules
variable. If this is the case, then the same fix must be applied to every aliases the community module already supports. That said, even though I'm not aware of a better way to build the set of parameters for community.general.ufw
, I can see how this pattern can expose the role to similar issues in the future, even in the case of non breaking changes in the modules API.
from ansible-ufw.
Hi, as @gizero correctly stated, this role exposes the community.general.ufw
module to manage the rules. I didn't pass through the aliases since I think you should use the explicit variable names. I didn't update them myself though on my way to version 2.x, my bad. I updated the examples and added a reference to the module documentation in 2.0.1.
from ansible-ufw.
Ok, fair enough. That's your choice which options of the upstream module to support. Good to have documentation fixed accordingly. Already in master, but you probably referenced the wrong issue in commit 9baae35. I expected this one to be mentioned instead of #25. Anyway I think this issue can be closed as well. Thanks.
from ansible-ufw.
@gizero right, wrong reference. Thanks for the notice.
from ansible-ufw.
I can't use the 2.x branch because my ansible is old (v2.9.27), does this work in the 1.10.0 version?
These are my vars in my playbook:
ufw_rules:
# Set loggin
- logging: "full"
# Allow OpenSSH
- rule: allow
to_port: 22
# Allow all access to tcp port 80
- rule: allow
to_port: '80'
proto: tcp
No matter what I try there are the rules the are created in my server (see how rule 1 allows everything, so the rest rules are useless)
To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN Anywhere
[ 2] 22 ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] Anywhere (v6) ALLOW IN Anywhere (v6)
[ 5] 22 (v6) ALLOW IN Anywhere (v6)
[ 6] 80/tcp (v6) ALLOW IN Anywhere (v6)
Can I block the rest of the traffic by default somehow?
from ansible-ufw.
Related Issues (15)
- Port Range HOT 2
- UFW applications don't allow for whitelisting IPs HOT 1
- Idempotence issues HOT 2
- Idempotence issue when explicitly setting a protocol HOT 1
- Use ansible_port if defined. If not, fallback to port 22 HOT 2
- Rule sequence HOT 1
- suggestion HOT 1
- ERROR! couldn't resolve module/action 'community.general.ufw' HOT 10
- Push 1.5 to ansible galaxy HOT 2
- Make reset configurable? HOT 4
- allow port 22 by default HOT 1
- 1.5.2 not available on galaxy HOT 1
- ensure that code only runs on ubuntu systems
- test that checks whether port is really open HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-ufw.