From 915fced17fbd298dd3c261efabb945949bfeb482 Mon Sep 17 00:00:00 2001
From: Francis Kayiwa <kayiwa@pobox.com>
Date: Wed, 20 Nov 2024 12:53:46 -0500
Subject: [PATCH] add a template for user.rules file

the order of rules matters in ufw. We add the new defaults for ssh
we create a template file that can allow users to place these rules and
have predictable implementation

Closes #5520
---
 roles/ufw_firewall/README.md               | 23 +++++-------
 roles/ufw_firewall/defaults/main.yml       | 43 +++++++++++++---------
 roles/ufw_firewall/handlers/main.yml       |  2 +-
 roles/ufw_firewall/tasks/main.yml          | 26 ++++++-------
 roles/ufw_firewall/tasks/rules.yml         |  8 ----
 roles/ufw_firewall/templates/user.rules.j2 | 40 ++++++++++++++++++++
 6 files changed, 88 insertions(+), 54 deletions(-)
 delete mode 100644 roles/ufw_firewall/tasks/rules.yml
 create mode 100644 roles/ufw_firewall/templates/user.rules.j2

diff --git a/roles/ufw_firewall/README.md b/roles/ufw_firewall/README.md
index 0711a6d25c..a87d6d1f38 100644
--- a/roles/ufw_firewall/README.md
+++ b/roles/ufw_firewall/README.md
@@ -15,21 +15,16 @@ the examples below allow ssh, http, and redis to those CIDR subnets. For ssh mak
 
 ```yaml
 ufw_firewall_rules:
-  - service: ssh
+  - protocol: tcp
+    source: 10.249.64.0/18
     port: 22
-    protocol: tcp
-    allowed_cidrs:
-      - 128.112.200.0/21
-  - service: http
+    action: ACCEPT
+  - protocol: tcp
+    source: 128.112.200.0/21
     port: 80
-    protocol: tcp
-    allowed_cidrs:
-      - 128.112.200.0/21
-      - 128.112.0.0/16
-  - service: redis
+    action: ACCEPT
+  - protocol: tcp
+    source: 128.112.200.0/21
     port: 6379
-    protocol: tcp
-    allowed_cidrs:
-      - 128.112.200.0/21
-      - 128.112.0.0/16
+    action: ACCEPT
 ```
diff --git a/roles/ufw_firewall/defaults/main.yml b/roles/ufw_firewall/defaults/main.yml
index 769ef64226..24c75a2061 100644
--- a/roles/ufw_firewall/defaults/main.yml
+++ b/roles/ufw_firewall/defaults/main.yml
@@ -1,19 +1,26 @@
 ---
-# defaults file for roles/ufw_firewall
-ufw_firewall_rules:
-  - service: ssh
-    port: 22
-    protocol: tcp
-    allowed_cidrs:
-      - 10.249.64.0/18
-      - 10.249.0.0/18
-      - 128.112.0.0/16
-      - 172.20.95.0/24
-      - 172.20.192.0/19
-# example of http in your group_vars/project
-  #  - service: http
-    #  port: 80
-    #  protocol: tcp
-    # allowed_cidrs:
-      #   - 128.112.200.0/21
-      # - 128.112.0.0/16
+rules:
+    - protocol: tcp
+      source: 10.249.64.0/18
+      port: 22
+      action: ACCEPT
+    - protocol: tcp
+      source: 10.249.0.0/18
+      port: 22
+      action: ACCEPT
+    - protocol: tcp
+      source: 128.112.0.0/16
+      port: 22
+      action: ACCEPT
+    - protocol: tcp
+      source: 172.20.95.0/24
+      port: 22
+      action: ACCEPT
+    - protocol: tcp
+      source: 172.20.192.0/19
+      port: 22
+      action: ACCEPT
+    - protocol: tcp
+      source: 128.112.200.0/21
+      port: 80
+      action: ACCEPT
diff --git a/roles/ufw_firewall/handlers/main.yml b/roles/ufw_firewall/handlers/main.yml
index 9e8700c26b..ecd97684dd 100644
--- a/roles/ufw_firewall/handlers/main.yml
+++ b/roles/ufw_firewall/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 # handlers file for roles/ufw_firewall
-- name: restart ufw
+- name: Restart ufw
   ansible.builtin.service:
     name: ufw
     state: restarted
diff --git a/roles/ufw_firewall/tasks/main.yml b/roles/ufw_firewall/tasks/main.yml
index efd113bf75..d579cb0827 100644
--- a/roles/ufw_firewall/tasks/main.yml
+++ b/roles/ufw_firewall/tasks/main.yml
@@ -1,22 +1,22 @@
 ---
 # tasks file for roles/ufw_firewall
-
 - name: UFW | Install UFW
   ansible.builtin.package:
     name: ufw
     state: present
 
-- name: UFW | Enable UFW
-  community.general.ufw:
-    state: enabled
+- name: UFW | Reload UFW to apply changes
+  ansible.builtin.command: ufw enable
+  changed_when: false
 
-- name: UFW | generic rules
-  ansible.builtin.include_tasks: rules.yml
-  loop: "{{ ufw_firewall_rules }}"
-  loop_control:
-    loop_var: rule
+- name: UFW | generic rules template
+  ansible.builtin.template:
+    src: user.rules.j2
+    dest: "/etc/ufw/user.rules"
+    owner: root
+    group: root
+    mode: "0640"
 
-- name: UFW | Deny all other incoming traffic
-  community.general.ufw:
-    rule: deny
-    direction: in
+- name: UFW | Reload UFW to apply changes
+  ansible.builtin.command: ufw reload
+  changed_when: false
diff --git a/roles/ufw_firewall/tasks/rules.yml b/roles/ufw_firewall/tasks/rules.yml
deleted file mode 100644
index a3e5937f14..0000000000
--- a/roles/ufw_firewall/tasks/rules.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Firewall | Allow variable defined rule on ufw
-  community.general.ufw:
-    rule: allow
-    src: "{{ item }}"
-    port: "{{ rule.port }}"
-    proto: "{{ rule.protocol }}"
-  loop: "{{ rule.allowed_cidrs }}"
diff --git a/roles/ufw_firewall/templates/user.rules.j2 b/roles/ufw_firewall/templates/user.rules.j2
new file mode 100644
index 0000000000..a81ed495fd
--- /dev/null
+++ b/roles/ufw_firewall/templates/user.rules.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed | comment }}
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+
+### RULES ###
+{% for rule in rules %}
+-A ufw-user-input -p {{ rule.protocol }} -s {{ rule.source }} --dport {{ rule.port }} -j {{ rule.action }}
+{% endfor %}
+-A ufw-user-input -j DROP
+
+### END RULES ###
+### LOGGING ###
+-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT