ufw – Manage firewall with UFW¶
New in version 1.6.
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
comment
-
added in 2.4 |
Add a comment to the rule. Requires UFW version >=0.35.
|
|
delete
boolean
|
|
Delete rule.
|
direction
-
|
|
Select direction for a rule or default policy command.
|
from_ip
-
|
Default: "any"
|
Source IP address.
aliases: from, src |
from_port
-
|
Source port.
|
|
insert
-
|
Insert the corresponding rule as rule number NUM
|
|
interface
-
|
Specify interface for rule.
aliases: if |
|
log
boolean
|
|
Log new connections matched to this rule
|
logging
-
|
|
Toggles logging. Logged packets use the LOG_KERN syslog facility.
|
name
-
|
Use profile located in
/etc/ufw/applications.d .aliases: app |
|
policy
-
|
|
Change the default policy for incoming or outgoing traffic.
aliases: default |
proto
-
|
|
TCP/IP protocol.
|
route
boolean
|
|
Apply the rule to routed/forwarded packets.
|
rule
-
|
|
Add firewall rule
|
state
-
|
|
enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults. |
to_ip
-
|
Default: "any"
|
Destination IP address.
aliases: dest, to |
to_port
-
|
Destination port.
aliases: port |
Examples¶
- name: Allow everything and enable UFW
ufw:
state: enabled
policy: allow
- name: Set logging
ufw:
logging: on
# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
rule: reject
port: auth
log: yes
# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- ufw:
rule: limit
port: ssh
proto: tcp
# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
- ufw:
rule: allow
name: OpenSSH
- name: Delete OpenSSH rule
ufw:
rule: allow
name: OpenSSH
delete: yes
- name: Deny all access to port 53
ufw:
rule: deny
port: 53
- name: Allow port range 60000-61000
ufw:
rule: allow
port: 60000:61000
- name: Allow all access to tcp port 80
ufw:
rule: allow
port: 80
proto: tcp
- name: Allow all access from RFC1918 networks to this host
ufw:
rule: allow
src: '{{ item }}'
with_items:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- name: Deny access to udp port 514 from host 1.2.3.4 and include a comment
ufw:
rule: deny
proto: udp
src: 1.2.3.4
port: 514
comment: Block syslog
- name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
ufw:
rule: allow
interface: eth0
direction: in
proto: udp
src: 1.2.3.5
from_port: 5469
dest: 1.2.3.4
to_port: 5469
# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- name: Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host
ufw:
rule: deny
proto: tcp
src: 2001:db8::/32
port: 25
# Can be used to further restrict a global FORWARD policy set to allow
- name: Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24
ufw:
rule: deny
route: yes
src: 1.2.3.0/24
dest: 4.5.6.0/24
Status¶
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors¶
- Aleksey Ovcharenko (@ovcharenko)
- Jarno Keskikangas (@pyykkis)
- Ahti Kitsik (@ahtik)
Hint
If you notice any issues in this documentation you can edit this document to improve it.