{"id":15286561,"url":"https://github.com/ansibleguy/linux_ufw","last_synced_at":"2025-10-07T01:30:53.428Z","repository":{"id":53920636,"uuid":"404862747","full_name":"ansibleguy/linux_ufw","owner":"ansibleguy","description":"Ansible Role to provision UFW","archived":true,"fork":false,"pushed_at":"2024-05-03T19:08:29.000Z","size":67,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"latest","last_synced_at":"2024-10-14T16:41:03.931Z","etag":null,"topics":["ansible","ansible-role","automation","debian-linux","firewall-rules","iac","infrastructure-as-code"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ansibleguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"ko_fi":"ansible0guy","github":"ansibleguy"}},"created_at":"2021-09-09T20:36:17.000Z","updated_at":"2024-07-20T16:49:39.000Z","dependencies_parsed_at":"2023-02-12T11:20:17.080Z","dependency_job_id":"0ac88783-6d70-4f35-ad93-1461db7e1dda","html_url":"https://github.com/ansibleguy/linux_ufw","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_ufw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_ufw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_ufw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_ufw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ansibleguy","download_url":"https://codeload.github.com/ansibleguy/linux_ufw/tar.gz/refs/heads/latest","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235575693,"owners_count":19012156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","automation","debian-linux","firewall-rules","iac","infrastructure-as-code"],"created_at":"2024-09-30T15:17:12.188Z","updated_at":"2025-10-07T01:30:53.101Z","avatar_url":"https://github.com/ansibleguy.png","language":"Jinja","funding_links":["https://ko-fi.com/ansible0guy","https://github.com/sponsors/ansibleguy","https://ko-fi.com/ansible0guy'"],"categories":[],"sub_categories":[],"readme":"# DEPRECATED\n\nUsing UFW as middleware in automation does not make real sense.\n\nIt creates unnecessary complexity for single-rule changes!\n\nIn my eyes it is not a tool that is designed to be automated.\n\nI would actually recommend using NFTables: [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables) \n\n# Ansible Role - Uncomplicated Firewall (UFW)\n\nAnsible Role to deploy/configure the software firewall 'UFW' on a Debian-based Linux server.\n\n\u003ca href='https://ko-fi.com/ansible0guy' target='_blank'\u003e\u003cimg height='35' style='border:0px;height:46px;' src='https://az743702.vo.msecnd.net/cdn/kofi3.png?v=0' border='0' alt='Buy me a coffee' /\u003e\n\n[![Molecule Test Status](https://badges.ansibleguy.net/linux_ufw.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2)\n[![YamlLint Test Status](https://badges.ansibleguy.net/linux_ufw.yamllint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/yamllint.sh.j2)\n[![PyLint Test Status](https://badges.ansibleguy.net/linux_ufw.pylint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/pylint.sh.j2)\n[![Ansible-Lint Test Status](https://badges.ansibleguy.net/linux_ufw.ansiblelint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/ansiblelint.sh.j2)\n[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/linux_ufw)\n\n**Tested:**\n* Debian 11\n\n## Install\n\n```bash\n# latest\nansible-galaxy role install git+https://github.com/ansibleguy/linux_ufw\n\n# from galaxy\nansible-galaxy install ansibleguy.linux_ufw\n\n# or to custom role-path\nansible-galaxy install ansibleguy.linux_ufw --roles-path ./roles\n\n# install dependencies\nansible-galaxy install -r requirements.yml\n```\n\n## Functionality\n\nThis Ansible role will do:\n* **Package installation**\n  * UFW\n\n\n* **Configuration**\n  * Rules via using **one of two modes**\n    * The **stateful** way (_default_)\n      * keeps existing rules and adds/removes rules using a rule state\n    * The **stateless** way\n      * resets the ufw state and rules every time\n      * after that the new rules get applied\n\n\n  * Verification that an ssh-rule is in place\n\n\n## Info\n\n* **Note:** Most of the role's functionality can be opted in or out.\n\n  For all available options - see the default-config located in [the main defaults-file](https://github.com/ansibleguy/linux_ufw/blob/latest/defaults/main.yml)!\n\n\n* **Note:** this role currently only supports Debian-based systems\n\n\n* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!\n\n\n## Usage\n\nYou want a simple Ansible GUI? Check out my [Ansible WebUI](https://github.com/ansibleguy/webui)\n\n### Config\n\nJust define the 'ufw_rules' dictionary as needed:\n```yaml\nufw_rules:\n  ruleShortName:\n    rule: 'allow'  # default if empty\n    port: 80\n    proto: 'tcp'\n    log: 'no'  # default if empty\n    from_ip: 'any'  # default if empty\n    to_ip: 'any'  # default if empty\n    direction: 'in'  # default if empty\n    present: true  # default if empty =\u003e will be used for stateful rule-check (alias = state: present)\n    position: 2  # you can define the position of the rule in the ruleset (alias = insert)\n    comment: 'You can overwrite the default comment'\n```\nor the compact way:\n```yaml\nufw_rules: {\n    ruleShortName: {rule: 'allow',  port: 80, proto: 'tcp', log: 'no', from_ip: 'any', to_ip: 'any', direction: 'in', state: 'present', position: 2, comment: 'You can overwrite the default comment'}\n}\n```\n\n### Execution\n\nRun the playbook:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml\n```\n\nThe ufw-task itself is '[community.general.ufw](https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html)'\n\n### Example\n\n**State before:**\n```bash\nguy@ansible:~$ sudo ufw status numbered\nStatus: active\n\n     To                         Action      From\n     --                         ------      ----\n[ 1] 7424/tcp                   ALLOW IN    Anywhere                   # Ansible managed - confusedService\n[ 2] 7429/tcp                   ALLOW IN    Anywhere                   (log) # Ansible managed - nothingImportant\n```\n\n**Config**\n```yaml\nufw_rules:\n  # incoming traffic restrictions\n  SecShöl:\n    port: 22\n    proto: 'tcp'\n    log: true\n    rule: 'limit'\n  RandomWebServer:\n    port: 8482\n    proto: 'tcp'\n  SecureLink:\n    port: 54038:54085\n    proto: 'udp'\n    log: true\n    from_ip: '192.168.194.0/28'\n  ipsecESP:\n    proto: 'esp'\n    from_ip: '10.10.10.1'\n    to_ip: '10.10.20.254'\n  ipsecIKE:\n    port: 500,4500\n    proto: 'udp'\n    from_ip: '10.10.10.1'\n    to_ip: '10.10.20.254'\n  \n  # outgoing traffic restrictions\n  denyNtpOutgoing:\n    port: 123\n    proto: 'udp'\n    rule: 'deny'\n    direction: 'out'\n\n  # remove those rules:\n  confusedService:\n    port: 7424\n    proto: 'tcp'\n    state: 'absent'\n  nothingImportant:\n    port: 7429\n    proto: 'tcp'\n    log: true\n    present: false\n```\n\n**Result:**\n```bash\nguy@ansible:~$ sudo ufw status numbered\nStatus: active\n\n     To                         Action      From\n     --                         ------      ----\n[ 1] 22/tcp                     LIMIT IN    Anywhere                   (log) # Ansible managed - SecShöl\n[ 2] 8482/tcp                   ALLOW IN    Anywhere                   # Ansible managed - RandomWebServer\n[ 3] 54038:54085/udp            ALLOW IN    192.168.194.0/28           (log) # Ansible managed - SecureLink\n[ 4] 10.10.20.254/esp           ALLOW IN    10.10.10.1/esp             # Ansible managed - ipsecESP\n[ 5] 10.10.20.254 500,4500/udp  ALLOW IN    10.10.10.1                 # Ansible managed - ipsecIKE\n[ 6] 123/udp                    DENY OUT    Anywhere                   (out) # Ansible managed - denyNtpOutgoing\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Flinux_ufw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fansibleguy%2Flinux_ufw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Flinux_ufw/lists"}