|
|
@ -1,6 +1,7 @@
|
|
|
|
#!/usr/bin/python
|
|
|
|
#!/usr/bin/python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# (c) 2014, Ahti Kitsik <ak@ahtik.com>
|
|
|
|
# (c) 2014, Jarno Keskikangas <jarno.keskikangas@gmail.com>
|
|
|
|
# (c) 2014, Jarno Keskikangas <jarno.keskikangas@gmail.com>
|
|
|
|
# (c) 2013, Aleksey Ovcharenko <aleksey.ovcharenko@gmail.com>
|
|
|
|
# (c) 2013, Aleksey Ovcharenko <aleksey.ovcharenko@gmail.com>
|
|
|
|
# (c) 2013, James Martin <jmartin@basho.com>
|
|
|
|
# (c) 2013, James Martin <jmartin@basho.com>
|
|
|
@ -27,7 +28,7 @@ short_description: Manage firewall with UFW
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Manage firewall with UFW.
|
|
|
|
- Manage firewall with UFW.
|
|
|
|
version_added: 1.6
|
|
|
|
version_added: 1.6
|
|
|
|
author: Aleksey Ovcharenko, Jarno Keskikangas
|
|
|
|
author: Aleksey Ovcharenko, Jarno Keskikangas, Ahti Kitsik
|
|
|
|
notes:
|
|
|
|
notes:
|
|
|
|
- See C(man ufw) for more examples.
|
|
|
|
- See C(man ufw) for more examples.
|
|
|
|
requirements:
|
|
|
|
requirements:
|
|
|
@ -65,12 +66,12 @@ options:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Add firewall rule
|
|
|
|
- Add firewall rule
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
choises: ['allow', 'deny', 'reject', 'limit']
|
|
|
|
choices: ['allow', 'deny', 'reject', 'limit']
|
|
|
|
log:
|
|
|
|
log:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Log new connections matched to this rule
|
|
|
|
- Log new connections matched to this rule
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
choises: ['yes', 'no']
|
|
|
|
choices: ['yes', 'no']
|
|
|
|
from_ip:
|
|
|
|
from_ip:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Source IP address.
|
|
|
|
- Source IP address.
|
|
|
@ -111,7 +112,10 @@ options:
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
EXAMPLES = '''
|
|
|
|
# Allow everything and enable UFW
|
|
|
|
# Allow everything and enable UFW
|
|
|
|
ufw: state=enable policy=allow logging=on
|
|
|
|
ufw: state=enabled policy=allow
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Set logging
|
|
|
|
|
|
|
|
ufw: logging=on
|
|
|
|
|
|
|
|
|
|
|
|
# Sometimes it is desirable to let the sender know when traffic is
|
|
|
|
# Sometimes it is desirable to let the sender know when traffic is
|
|
|
|
# being denied, rather than simply ignoring it. In these cases, use
|
|
|
|
# being denied, rather than simply ignoring it. In these cases, use
|
|
|
@ -163,8 +167,8 @@ def main():
|
|
|
|
argument_spec = dict(
|
|
|
|
argument_spec = dict(
|
|
|
|
state = dict(default=None, choices=['enabled', 'disabled', 'reloaded', 'reset']),
|
|
|
|
state = dict(default=None, choices=['enabled', 'disabled', 'reloaded', 'reset']),
|
|
|
|
default = dict(default=None, aliases=['policy'], choices=['allow', 'deny', 'reject']),
|
|
|
|
default = dict(default=None, aliases=['policy'], choices=['allow', 'deny', 'reject']),
|
|
|
|
logging = dict(default=None, choises=['on', 'off', 'low', 'medium', 'high', 'full']),
|
|
|
|
logging = dict(default=None, choices=['on', 'off', 'low', 'medium', 'high', 'full']),
|
|
|
|
direction = dict(default=None, choises=['in', 'incoming', 'out', 'outgoing']),
|
|
|
|
direction = dict(default=None, choices=['in', 'incoming', 'out', 'outgoing']),
|
|
|
|
delete = dict(default=False, type='bool'),
|
|
|
|
delete = dict(default=False, type='bool'),
|
|
|
|
insert = dict(default=None),
|
|
|
|
insert = dict(default=None),
|
|
|
|
rule = dict(default=None, choices=['allow', 'deny', 'reject', 'limit']),
|
|
|
|
rule = dict(default=None, choices=['allow', 'deny', 'reject', 'limit']),
|
|
|
@ -178,13 +182,14 @@ def main():
|
|
|
|
app = dict(default=None, aliases=['name'])
|
|
|
|
app = dict(default=None, aliases=['name'])
|
|
|
|
),
|
|
|
|
),
|
|
|
|
supports_check_mode = True,
|
|
|
|
supports_check_mode = True,
|
|
|
|
mutually_exclusive = [['app', 'proto']]
|
|
|
|
mutually_exclusive = [['app', 'proto', 'logging']]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
cmds = []
|
|
|
|
cmds = []
|
|
|
|
|
|
|
|
|
|
|
|
def execute(cmd):
|
|
|
|
def execute(cmd):
|
|
|
|
cmd = ' '.join(map(itemgetter(-1), filter(itemgetter(0), cmd)))
|
|
|
|
cmd = ' '.join(map(itemgetter(-1), filter(itemgetter(0), cmd)))
|
|
|
|
|
|
|
|
|
|
|
|
cmds.append(cmd)
|
|
|
|
cmds.append(cmd)
|
|
|
|
(rc, out, err) = module.run_command(cmd)
|
|
|
|
(rc, out, err) = module.run_command(cmd)
|
|
|
|
|
|
|
|
|
|
|
@ -217,7 +222,7 @@ def main():
|
|
|
|
execute(cmd + [['-f'], [states[value]]])
|
|
|
|
execute(cmd + [['-f'], [states[value]]])
|
|
|
|
|
|
|
|
|
|
|
|
elif command == 'logging':
|
|
|
|
elif command == 'logging':
|
|
|
|
execute(cmd + [[command, value]])
|
|
|
|
execute(cmd + [[command], [value]])
|
|
|
|
|
|
|
|
|
|
|
|
elif command == 'default':
|
|
|
|
elif command == 'default':
|
|
|
|
execute(cmd + [[command], [value], [params['direction']]])
|
|
|
|
execute(cmd + [[command], [value], [params['direction']]])
|
|
|
|
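Review bot: The new `mutually_exclusive = [['app', 'proto', 'logging']]` makes Ansible reject any task that sets `logging` together with `app` or `proto`, but nothing in the `options:` hunk documents this; the only trace is that the combined example `ufw: state=enable policy=allow logging=on` was split into a separate `# Set logging` task. Users will hit the module's generic mutually-exclusive error without knowing why, so the `logging` option description should carry a line such as `- Cannot be combined with I(app) or I(proto) in the same task.` and the new `# Set logging` example could state that it must be its own task. If the exclusion exists only to keep `ufw logging <level>` from being emitted alongside a rule command, a one-line comment next to the `mutually_exclusive` entry recording that intent would help the next maintainer as much as the doc line. The `main()` body these hunks belong to starts and ends outside the shown ranges.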