Changing UFW rules


Guy Knights

May 25, 2016, 1:49:56 PM5/25/16
to ansible...@googlegroups.com
Does anyone have a solution for dealing with changes to UFW rules in Ansible? The issue is that occasionally, I have to change a rule in some way (change IPs/networks, change port) but the old rule still remains. I could add a separate, special rule to delete the old version but that seems overly fiddly to me.

When I was first playing around with this, I did have a rule at the beginning of my firewall playbook that reset UFW on every run before applying the rule tasks, but I decided to remove it because it seems like the wrong approach.

Thanks,
Guy

Matt Martz

May 25, 2016, 1:56:38 PM5/25/16
to ansible...@googlegroups.com
I'd recommend handling it much the same way I recommend handling users. Create a var containing the rules and the state of each rule, and have a task loop over it using with_items. Something like:

ufw_rules:
    - port: 22
      rule: allow
      proto: tcp
    - port: 80          # old rule: delete: yes removes it instead of adding it
      delete: yes
      rule: allow
      proto: tcp

and then a task like:

- name: Apply UFW rules
  ufw:
    port: "{{ item.port }}"
    rule: "{{ item.rule }}"
    proto: "{{ item.proto }}"
    delete: "{{ item.delete|default(omit) }}"   # only passed when the entry sets delete
  with_items: "{{ ufw_rules }}"

In the above, if delete is specified it is used; otherwise the param is omitted. This is effectively how we handle this today.

--
Matt Martz
@sivel
sivel.net
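The pattern above carried through to a complete playbook, as an added example rather than code from either poster. It assumes a current Ansible with the community.general collection (the thread predates collections and the `loop` keyword), and the host group, networks and ports are constructed for illustration. The rule list shows a change in flight: the admin network moved from 10.0.1.0/24 to 10.0.2.0/24, so the old SSH rule carries `delete: true` next to its replacement, and a retired HTTP rule is removed the same way.

```yaml
---
# Added example, not code from the thread. Module names assume a current
# Ansible with the community.general collection; the host group, networks
# and ports below are constructed for illustration.
- name: Manage UFW rules declaratively
  hosts: firewalled
  become: true

  vars:
    # One list is the single source of truth. A change is expressed by
    # marking the old entry "delete: true" and adding the new one; keep the
    # delete entry until every host has converged, then drop it from the list.
    # Order matters: the loop applies entries top to bottom, so a retired rule
    # is removed before its replacement is added, and the SSH rules come first
    # so nothing later in the play can lock you out.
    ufw_rules:
      - { rule: limit, port: "22", proto: tcp, comment: "ssh rate-limit" }
      - { rule: allow, port: "22", proto: tcp, from_ip: 10.0.1.0/24, delete: true }   # old admin net
      - { rule: allow, port: "22", proto: tcp, from_ip: 10.0.2.0/24, comment: "ssh from admin net" }
      - { rule: allow, port: "80", proto: tcp, delete: true }                         # HTTP retired
      - { rule: allow, port: "443", proto: tcp, comment: "https" }

  tasks:
    - name: Set default policies (deny inbound, allow outbound)
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    - name: Apply rule list (entries with delete are removed, the rest added)
      community.general.ufw:
        rule: "{{ item.rule }}"
        port: "{{ item.port | default(omit) }}"
        proto: "{{ item.proto | default(omit) }}"
        from_ip: "{{ item.from_ip | default(omit) }}"
        comment: "{{ item.comment | default(omit) }}"
        delete: "{{ item.delete | default(omit) }}"
      loop: "{{ ufw_rules }}"

    # Enable only after the allow rules exist, so a freshly provisioned host
    # never has the firewall up without an SSH rule.
    - name: Enable UFW
      community.general.ufw:
        state: enabled

    - name: Record the resulting rule set for the run log
      ansible.builtin.command: ufw status numbered
      changed_when: false
      register: ufw_status

    - name: Show rule set
      ansible.builtin.debug:
        var: ufw_status.stdout_lines
```

The `ufw status numbered` output at the end is the check worth reading after each run: the retired entries should be gone and only the current rules listed. Compared with the reset-on-every-run approach from the first post, this keeps the firewall active throughout the play; `ufw reset` removes every rule and disables UFW until it is enabled again, so each run would open a window with no filtering.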