New in version 1.6.
ufwpackage
| parameter | required | default | choices | comments |
|---|---|---|---|---|
| comment (added in 2.4) |
no |
Add a comment to the rule. Requires UFW version >=0.35.
|
||
| delete |
no |
|
Delete rule.
|
|
| direction |
no |
|
Select direction for a rule or default policy command.
|
|
| from_ip |
no | any |
Source IP address.
aliases: from, src
|
|
| from_port |
no |
Source port.
|
||
| insert |
no |
Insert the corresponding rule as rule number NUM
|
||
| interface |
no |
Specify interface for rule.
aliases: if
|
||
| log |
no |
|
Log new connections matched to this rule
|
|
| logging |
no |
|
Toggles logging. Logged packets use the LOG_KERN syslog facility.
|
|
| name |
no |
Use profile located in
/etc/ufw/applications.daliases: app
|
||
| policy |
no |
|
Change the default policy for incoming or outgoing traffic.
aliases: default
|
|
| proto |
no |
|
TCP/IP protocol.
|
|
| route |
no |
|
Apply the rule to routed/forwarded packets.
|
|
| rule |
no |
|
Add firewall rule
|
|
| state |
no |
|
enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults. |
|
| to_ip |
no | any |
Destination IP address.
aliases: to, dest
|
|
| to_port |
no |
Destination port.
aliases: port
|
# Allow everything and enable UFW - ufw: state: enabled policy: allow # Set logging - ufw: logging: on # Sometimes it is desirable to let the sender know when traffic is # being denied, rather than simply ignoring it. In these cases, use # reject instead of deny. In addition, log rejected connections: - ufw: rule: reject port: auth log: yes # ufw supports connection rate limiting, which is useful for protecting # against brute-force login attacks. ufw will deny connections if an IP # address has attempted to initiate 6 or more connections in the last # 30 seconds. See http://www.debian-administration.org/articles/187 # for details. Typical usage is: - ufw: rule: limit port: ssh proto: tcp # Allow OpenSSH. (Note that as ufw manages its own state, simply removing # a rule=allow task can leave those ports exposed. Either use delete=yes # or a separate state=reset task) - ufw: rule: allow name: OpenSSH # Delete OpenSSH rule - ufw: rule: allow name: OpenSSH delete: yes # Deny all access to port 53: - ufw: rule: deny port: 53 # Allow port range 60000-61000 - ufw: rule: allow port: '60000:61000' # Allow all access to tcp port 80: - ufw: rule: allow port: 80 proto: tcp # Allow all access from RFC1918 networks to this host: - ufw: rule: allow src: '{{ item }}' with_items: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 # Deny access to udp port 514 from host 1.2.3.4 and include a comment: - ufw: rule: deny proto: udp src: 1.2.3.4 port: 514 comment: "Block syslog" # Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 - ufw: rule: allow interface: eth0 direction: in proto: udp src: 1.2.3.5 from_port: 5469 dest: 1.2.3.4 to_port: 5469 # Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host. # Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work. - ufw: rule: deny proto: tcp src: '2001:db8::/32' port: 25 # Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24. # Can be used to further restrict a global FORWARD policy set to allow - ufw: rule: deny route: yes src: 1.2.3.0/24 dest: 4.5.6.0/24
Note
man ufw for more examples.This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.