diff --git a/roles/ufw_firewall/README.md b/roles/ufw_firewall/README.md index 0711a6d25c..a87d6d1f38 100644 --- a/roles/ufw_firewall/README.md +++ b/roles/ufw_firewall/README.md @@ -15,21 +15,16 @@ the examples below allow ssh, http, and redis to those CIDR subnets. For ssh mak ```yaml ufw_firewall_rules: - - service: ssh + - protocol: tcp + source: 10.249.64.0/18 port: 22 - protocol: tcp - allowed_cidrs: - - 128.112.200.0/21 - - service: http + action: ACCEPT + - protocol: tcp + source: 128.112.200.0/21 port: 80 - protocol: tcp - allowed_cidrs: - - 128.112.200.0/21 - - 128.112.0.0/16 - - service: redis + action: ACCEPT + - protocol: tcp + source: 128.112.200.0/21 port: 6379 - protocol: tcp - allowed_cidrs: - - 128.112.200.0/21 - - 128.112.0.0/16 + action: ACCEPT ``` diff --git a/roles/ufw_firewall/defaults/main.yml b/roles/ufw_firewall/defaults/main.yml index 769ef64226..24c75a2061 100644 --- a/roles/ufw_firewall/defaults/main.yml +++ b/roles/ufw_firewall/defaults/main.yml @@ -1,19 +1,26 @@ --- -# defaults file for roles/ufw_firewall -ufw_firewall_rules: - - service: ssh - port: 22 - protocol: tcp - allowed_cidrs: - - 10.249.64.0/18 - - 10.249.0.0/18 - - 128.112.0.0/16 - - 172.20.95.0/24 - - 172.20.192.0/19 -# example of http in your group_vars/project - # - service: http - # port: 80 - # protocol: tcp - # allowed_cidrs: - # - 128.112.200.0/21 - # - 128.112.0.0/16 +rules: + - protocol: tcp + source: 10.249.64.0/18 + port: 22 + action: ACCEPT + - protocol: tcp + source: 10.249.0.0/18 + port: 22 + action: ACCEPT + - protocol: tcp + source: 128.112.0.0/16 + port: 22 + action: ACCEPT + - protocol: tcp + source: 172.20.95.0/24 + port: 22 + action: ACCEPT + - protocol: tcp + source: 172.20.192.0/19 + port: 22 + action: ACCEPT + - protocol: tcp + source: 128.112.200.0/21 + port: 80 + action: ACCEPT diff --git a/roles/ufw_firewall/handlers/main.yml b/roles/ufw_firewall/handlers/main.yml index 9e8700c26b..ecd97684dd 100644 --- a/roles/ufw_firewall/handlers/main.yml +++ b/roles/ufw_firewall/handlers/main.yml @@ -1,6 +1,6 @@ --- # handlers file for roles/ufw_firewall -- name: restart ufw +- name: Restart ufw ansible.builtin.service: name: ufw state: restarted diff --git a/roles/ufw_firewall/tasks/main.yml b/roles/ufw_firewall/tasks/main.yml index efd113bf75..d579cb0827 100644 --- a/roles/ufw_firewall/tasks/main.yml +++ b/roles/ufw_firewall/tasks/main.yml @@ -1,22 +1,22 @@ --- # tasks file for roles/ufw_firewall - - name: UFW | Install UFW ansible.builtin.package: name: ufw state: present -- name: UFW | Enable UFW - community.general.ufw: - state: enabled +- name: UFW | Reload UFW to apply changes + ansible.builtin.command: ufw enable + changed_when: false -- name: UFW | generic rules - ansible.builtin.include_tasks: rules.yml - loop: "{{ ufw_firewall_rules }}" - loop_control: - loop_var: rule +- name: UFW | generic rules template + ansible.builtin.template: + src: user.rules.j2 + dest: "/etc/ufw/user.rules" + owner: root + group: root + mode: "0640" -- name: UFW | Deny all other incoming traffic - community.general.ufw: - rule: deny - direction: in +- name: UFW | Reload UFW to apply changes + ansible.builtin.command: ufw reload + changed_when: false diff --git a/roles/ufw_firewall/tasks/rules.yml b/roles/ufw_firewall/tasks/rules.yml deleted file mode 100644 index a3e5937f14..0000000000 --- a/roles/ufw_firewall/tasks/rules.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Firewall | Allow variable defined rule on ufw - community.general.ufw: - rule: allow - src: "{{ item }}" - port: "{{ rule.port }}" - proto: "{{ rule.protocol }}" - loop: "{{ rule.allowed_cidrs }}" diff --git a/roles/ufw_firewall/templates/user.rules.j2 b/roles/ufw_firewall/templates/user.rules.j2 new file mode 100644 index 0000000000..a81ed495fd --- /dev/null +++ b/roles/ufw_firewall/templates/user.rules.j2 @@ -0,0 +1,40 @@ +# {{ ansible_managed | comment }} +*filter +:ufw-user-input - [0:0] +:ufw-user-output - [0:0] +:ufw-user-forward - [0:0] +:ufw-before-logging-input - [0:0] +:ufw-before-logging-output - [0:0] +:ufw-before-logging-forward - [0:0] +:ufw-user-logging-input - [0:0] +:ufw-user-logging-output - [0:0] +:ufw-user-logging-forward - [0:0] +:ufw-after-logging-input - [0:0] +:ufw-after-logging-output - [0:0] +:ufw-after-logging-forward - [0:0] +:ufw-logging-deny - [0:0] +:ufw-logging-allow - [0:0] +:ufw-user-limit - [0:0] +:ufw-user-limit-accept - [0:0] + +### RULES ### +{% for rule in rules %} +-A ufw-user-input -p {{ rule.protocol }} -s {{ rule.source }} --dport {{ rule.port }} -j {{ rule.action }} +{% endfor %} +-A ufw-user-input -j DROP + +### END RULES ### +### LOGGING ### +-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 +-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +### END LOGGING ### + +### RATE LIMITING ### +-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] " +-A ufw-user-limit -j REJECT +-A ufw-user-limit-accept -j ACCEPT +### END RATE LIMITING ### +COMMIT