community.general.ufw module – Manage firewall with UFW

Note
This module is part of the community.general collection (version 10.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: community.general.ufw.
Synopsis
Manage firewall with UFW.
Requirements
The below requirements are needed on the host that executes this module.
ufw package
Parameters
Parameter | Comments |
---|---|
comment | Add a comment to the rule. Requires UFW version >=0.35. |
default (alias: policy) | Change the default policy for incoming or outgoing traffic. Choices: |
delete | Delete rule. If |
direction | Select direction for a rule or default policy command. Mutually exclusive with |
from_ip (alias: src) | Source IP address. Default: |
from_port | Source port. |
insert | Insert the corresponding rule as rule number NUM. Note that ufw numbers rules starting with 1. If |
insert_relative_to | Allows interpreting the index in Choices: |
interface | Specify interface for the rule. The direction (in or out) used for the interface depends on the value of |
interface_in | Specify input interface for the rule. This is mutually exclusive with |
interface_out | Specify output interface for the rule. This is mutually exclusive with |
log | Log new connections matched to this rule. Choices: |
logging | Toggles logging. Logged packets use the LOG_KERN syslog facility. Choices: |
name (alias: app) | Use profile located in |
proto | TCP/IP protocol. Choices: |
route | Apply the rule to routed/forwarded packets. Choices: |
rule | Add firewall rule. Choices: |
state | Choices: |
to_ip (alias: dest) | Destination IP address. Default: |
to_port (alias: port) | Destination port. |
Attributes
Attribute | Support | Description |
---|---|---|
check_mode | Support: full | Can run in |
diff_mode | Support: none | Will return details on what has changed (or possibly needs changing in |
Notes
Note: See man ufw for more examples.
Warning: Whilst the module itself can be run using concurrent strategies, ufw does not support concurrency, as firewall rules are meant to be ordered and parallel executions do not guarantee order. Do not use concurrency: the results are unpredictable and the module may fail silently if you do.
Examples
- name: Allow everything and enable UFW
  community.general.ufw:
    state: enabled
    policy: allow

- name: Set logging
  community.general.ufw:
    logging: 'on'

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- community.general.ufw:
    rule: reject
    port: auth
    log: true

# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp

# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=true
# or a separate state=reset task.)
- community.general.ufw:
    rule: allow
    name: OpenSSH

- name: Delete OpenSSH rule
  community.general.ufw:
    rule: allow
    name: OpenSSH
    delete: true

- name: Deny all access to port 53
  community.general.ufw:
    rule: deny
    port: '53'

- name: Allow port range 60000-61000
  community.general.ufw:
    rule: allow
    port: 60000:61000
    proto: tcp

- name: Allow all access to tcp port 80
  community.general.ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: Allow all access from RFC1918 networks to this host
  community.general.ufw:
    rule: allow
    src: '{{ item }}'
  loop:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16

- name: Deny access to udp port 514 from host 1.2.3.4 and include a comment
  community.general.ufw:
    rule: deny
    proto: udp
    src: 1.2.3.4
    port: '514'
    comment: Block syslog

- name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
  community.general.ufw:
    rule: allow
    interface: eth0
    direction: in
    proto: udp
    src: 1.2.3.5
    from_port: '5469'
    dest: 1.2.3.4
    to_port: '5469'

# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- name: Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host
  community.general.ufw:
    rule: deny
    proto: tcp
    src: 2001:db8::/32
    port: '25'

- name: Deny all IPv6 traffic to tcp port 20 on this host
  # This should be the first IPv6 rule.
  community.general.ufw:
    rule: deny
    proto: tcp
    port: '20'
    to_ip: "::"
    insert: 0
    insert_relative_to: first-ipv6

- name: Deny all IPv4 traffic to tcp port 20 on this host
  # This should be the third to last IPv4 rule
  # (insert: -1 addresses the second to last IPv4 rule;
  # so the new rule will be inserted before the second
  # to last IPv4 rule, and will become the third to last
  # IPv4 rule.)
  community.general.ufw:
    rule: deny
    proto: tcp
    port: '20'
    # An IPv4 destination keeps this an IPv4-only rule, matching last-ipv4.
    to_ip: 0.0.0.0/0
    insert: -1
    insert_relative_to: last-ipv4

# Can be used to further restrict a global FORWARD policy set to allow
- name: Deny forwarded/routed traffic from subnet 192.0.2.0/24 to subnet 198.51.100.0/24
  community.general.ufw:
    rule: deny
    route: true
    src: 192.0.2.0/24
    dest: 198.51.100.0/24
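The following play is an added example and is not part of the module documentation: it builds a default-deny baseline that admits rate-limited SSH before the firewall is enabled (so a remote play cannot lock itself out) and runs one host at a time because of the concurrency warning in the Notes. The management network 203.0.113.0/24 is an assumed value.

```yaml
# Added example (not from the community.general.ufw documentation).
# Order matters: reset, default policies, the SSH rule, then enable.
- name: Baseline host firewall with UFW
  hosts: all
  become: true
  # ufw does not tolerate parallel rule changes (see Notes), so apply
  # the play to a single host at a time instead of a concurrent strategy.
  serial: 1
  tasks:
    - name: Reset ufw to a known state before applying the baseline
      community.general.ufw:
        state: reset

    - name: Default-deny inbound traffic and allow outbound traffic
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    # Assumed management network; limit (not allow) throttles brute-force
    # attempts as described in the rate-limiting example above.
    - name: Rate-limit SSH from the management network only
      community.general.ufw:
        rule: limit
        src: 203.0.113.0/24
        port: '22'
        proto: tcp
        comment: Management SSH

    - name: Log denied connections for later review
      community.general.ufw:
        logging: 'on'

    # Enabling last guarantees the SSH rule is present when the default
    # deny policy takes effect.
    - name: Enable the firewall
      community.general.ufw:
        state: enabled
```

Running the play a second time is a no-op for every task except the reset, so drop that task once the baseline is in place if you want an idempotent run.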