38 changes: 21 additions & 17 deletions tasks/ufw.yml
Expand Up @@ -74,17 +74,22 @@
'deny (outgoing)' not in ufw_status.stdout or
'disabled (routed)' not in ufw_status.stdout
block:
- name: Enable UFW service
ansible.builtin.systemd_service:
name: ufw
enabled: true
state: started
when:
- ansible_facts.virtualization_type not in ["container", "docker", "podman"]
- name: Enable UFW
community.general.ufw:
state: enabled

- name: Allow sshd port from administrator networks
community.general.ufw:
rule: "{{ 'limit' if ufw_rate_limit else 'allow' }}"
from_ip: "{{ item.0 }}"
to_port: "{{ item.1 | int }}"
proto: tcp
comment: ansible managed
loop: "{{ sshd_admin_net | product(sshd_ports) | list }}"

- name: Set default deny
community.general.ufw:
state: enabled
state: reloaded
direction: "{{ item }}"
default: deny
log: true
Expand All @@ -94,6 +99,14 @@
- incoming
- outgoing

- name: Enable UFW service
ansible.builtin.systemd_service:
name: ufw
enabled: true

Any particular reason why we enable it both here and at the beginning?


They tend to get out of sync otherwise.

$ sudo ufw status
Status: inactive
$ sudo systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable ufw
$ sudo ufw status
Status: inactive
$ sudo systemctl disable ufw
Synchronizing state of ufw.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable ufw
Removed '/etc/systemd/system/multi-user.target.wants/ufw.service'.
$ sudo ufw status
Status: inactive
$ sudo ufw enable
Firewall is active and enabled on system startup
$ sudo systemctl status ufw
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/usr/lib/systemd/system/ufw.service; disabled; preset: enabled)
     Active: active (exited) since Thu 2025-08-21 07:33:02 UTC; 3 weeks 1 day ago
 Invocation: 3fe7833b46084726af7257681f22476d
       Docs: man:ufw(8)
   Main PID: 705 (code=exited, status=0/SUCCESS)
   Mem peak: 2.2M
        CPU: 75ms
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       192.168.0.0/24             # ansible managed
22/tcp                     LIMIT       192.168.1.0/24             # ansible managed
Anywhere                   DENY        127.0.0.0/8                # ansible managed
Anywhere on lo             ALLOW       Anywhere                   # ansible managed
Anywhere on tap0           ALLOW       Anywhere                   # ansible managed

state: started
when:
- ansible_facts.virtualization_type not in ["container", "docker", "podman"]

- name: Stat UFW rules
become: true
ansible.builtin.shell:
Expand All @@ -119,15 +132,6 @@
when:
- ufw_rate_limit

- name: Allow sshd port from administrator networks
community.general.ufw:
rule: limit
from_ip: "{{ item.0 }}"
to_port: "{{ item.1 | int }}"
proto: tcp
comment: ansible managed
loop: "{{ sshd_admin_net | product(sshd_ports) | list }}"

- name: Allow outgoing specified ports
community.general.ufw:
rule: allow
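Review bot: In the first hunk the new `Enable UFW` task (`community.general.ufw: state: enabled`) runs before `Allow sshd port from administrator networks`, so on a host whose default input policy is already deny there is a window in which no rule admits administrator SSH, and a failure between the two tasks leaves the host without that rule while the firewall is active. The ufw module can record rules while the firewall is inactive (to be confirmed against the module version in use), so ordering the sshd rule task ahead of `Enable UFW`, or putting `state: enabled` on the sshd rule task itself, keeps the admin-network rule in place from the moment the firewall comes up; the later `state: reloaded` on `Set default deny` then applies the deny policy with the rule already present. A second, smaller point: the systemd task at the end of the second hunk is guarded by `ansible_facts.virtualization_type not in ["container", "docker", "podman"]`, but the new `Enable UFW` task has no such guard, so it presumably runs in those environments too; if that is intended, a comment such as `# ufw enable is run unconditionally; only the unit enablement is skipped in containers` would document it. The enclosing task's `when:` list and its header start above the hunk.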