New in version 1.6.
Manage firewall with UFW.
ufw package| parameter | required | default | choices | comments |
|---|---|---|---|---|
| delete | no |
| Delete rule. |
|
| direction | no |
| Select direction for a rule or default policy command. |
|
| from_ip | no | any |
Source IP address. aliases: from, src
|
|
| from_port | no | Source port. |
||
| insert | no | Insert the corresponding rule as rule number NUM |
||
| interface | no |
Specify interface for rule. aliases: if
|
||
| log | no |
| Log new connections matched to this rule |
|
| logging | no |
| Toggles logging. Logged packets use the LOG_KERN syslog facility. |
|
| name | no |
Use profile located in /etc/ufw/applications.d
aliases: app
|
||
| policy | no |
| Change the default policy for incoming or outgoing traffic. |
|
| proto | no |
| TCP/IP protocol. |
|
| route | no |
| Apply the rule to routed/forwarded packets. |
|
| rule | no |
| Add firewall rule |
|
| state | no |
|
enabled reloads firewall and enables firewall on boot.disabled unloads firewall and disables firewall on boot.reloaded reloads firewall.reset disables and resets firewall to installation defaults. |
|
| to_ip | no | any |
Destination IP address. aliases: to, dest
|
|
| to_port | no |
Destination port. aliases: port
|
# Allow everything and enable UFW
ufw: state=enabled policy=allow
# Set logging
ufw: logging=on
# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
ufw: rule=reject port=auth log=yes
# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
ufw: rule=limit port=ssh proto=tcp
# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=yes
# or a separate state=reset task)
ufw: rule=allow name=OpenSSH
# Delete OpenSSH rule
ufw: rule=allow name=OpenSSH delete=yes
# Deny all access to port 53:
ufw: rule=deny port=53
# Allow port range 60000-61000
ufw: rule=allow port=60000:61000
# Allow all access to tcp port 80:
ufw: rule=allow port=80 proto=tcp
# Allow all access from RFC1918 networks to this host:
ufw: rule=allow src={{ item }}
with_items:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# Deny access to udp port 514 from host 1.2.3.4:
ufw: rule=deny proto=udp src=1.2.3.4 port=514
# Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
ufw: rule=allow interface=eth0 direction=in proto=udp src=1.2.3.5 from_port=5469 dest=1.2.3.4 to_port=5469
# Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host.
# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
ufw: rule=deny proto=tcp src=2001:db8::/32 port=25
# Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24.
# Can be used to further restrict a global FORWARD policy set to allow
ufw: rule=deny route=yes src=1.2.3.0/24 dest=4.5.6.0/24
Note
See man ufw for more examples.
For more information on what this means please read Extras Modules
For help in developing on modules, should you be so inclined, please read Community Information & Contributing, developing_test_pr and Developing Modules.
© 2012–2016 Michael DeHaan
© 2016 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/ufw_module.html