Documentation

ufw - Manage firewall with UFW

New in version 1.6.

Synopsis

  • Manage firewall with UFW.

Options

parameter required default choices comments
delete
no
  • yes
  • no
Delete rule.
direction
no
  • in
  • out
  • incoming
  • outgoing
  • routed
Select direction for a rule or default policy command.
from_ip
no any
Source IP address.

aliases: from, src
from_port
no
Source port.
insert
no
Insert the corresponding rule as rule number NUM
interface
no
Specify interface for rule.

aliases: if
log
no
  • yes
  • no
Log new connections matched to this rule
logging
no
  • on
  • off
  • low
  • medium
  • high
  • full
Toggles logging. Logged packets use the LOG_KERN syslog facility.
name
no
Use profile located in /etc/ufw/applications.d

aliases: app
policy
no
  • allow
  • deny
  • reject
Change the default policy for incoming or outgoing traffic.

aliases: default
proto
no
  • any
  • tcp
  • udp
  • ipv6
  • esp
  • ah
TCP/IP protocol.
route
no
  • yes
  • no
Apply the rule to routed/forwarded packets.
rule
no
  • allow
  • deny
  • reject
  • limit
Add firewall rule
state
no
  • enabled
  • disabled
  • reloaded
  • reset
enabled reloads firewall and enables firewall on boot.
disabled unloads firewall and disables firewall on boot.
reloaded reloads firewall.
reset disables and resets firewall to installation defaults.
to_ip
no any
Destination IP address.

aliases: to, dest
to_port
no
Destination port.

aliases: port

Examples

# Allow everything and enable UFW
- ufw:
    state: enabled
    policy: allow

# Set logging
- ufw:
    logging: on

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
    rule: reject
    port: auth
    log: yes

# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See  http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- ufw:
    rule: limit
    port: ssh
    proto: tcp

# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
- ufw:
    rule: allow
    name: OpenSSH

# Delete OpenSSH rule
- ufw:
    rule: allow
    name: OpenSSH
    delete: yes

# Deny all access to port 53:
- ufw:
    rule: deny
    port: 53

# Allow port range 60000-61000
- ufw:
    rule: allow
    port: '60000:61000'

# Allow all access to tcp port 80:
- ufw:
    rule: allow
    port: 80
    proto: tcp

# Allow all access from RFC1918 networks to this host:
- ufw:
    rule: allow
    src: '{{ item }}'
  with_items:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16

# Deny access to udp port 514 from host 1.2.3.4:
- ufw:
    rule: deny
    proto: udp
    src: 1.2.3.4
    port: 514

# Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
- ufw:
    rule: allow
    interface: eth0
    direction: in
    proto: udp
    src: 1.2.3.5
    from_port: 5469
    dest: 1.2.3.4
    to_port: 5469

# Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host.
# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- ufw:
    rule: deny
    proto: tcp
    src: '2001:db8::/32'
    port: 25

# Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24.
# Can be used to further restrict a global FORWARD policy set to allow
- ufw:
    rule: deny
    route: yes
    src: 1.2.3.0/24
    dest: 4.5.6.0/24

Notes

Note

  • See man ufw for more examples.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Support

This module is community maintained without core committer oversight.

For more information on what this means please read Module Support

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.