Merge pull request #530 from konstruktoid/ufw

rename `ufw_enable` to `manage_ufw` and handle disconnects better
konstruktoid · Feb 8, 2024 · 7bfc5a9 · 7bfc5a9
2 parents bcec651 + 079c25a
commit 7bfc5a9
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 36 deletions.
diff --git a/defaults/main/ufw.yml b/defaults/main/ufw.yml
@@ -1,5 +1,5 @@
 ---
-ufw_enable: true
+manage_ufw: true
 ufw_outgoing_traffic:
   - 22
   - 53

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -959,32 +959,18 @@
         - disable_wireless
         - ansible_virtualization_type not in ["container", "docker", "podman"]
 
-    - name: Stat firewall rules when UFW is enabled
+    - name: Get UFW status
       become: true
-      ansible.builtin.shell: |
-        set -o pipefail
-        ufw show added | grep '^ufw' | grep -v "'ansible\smanaged'" | sed 's/ufw //g'
-      args:
-        executable: /bin/bash
-      failed_when: ufw_not_managed.rc > 1
-      changed_when: false
-      register: ufw_not_managed
-      when:
-        - ufw_enable
-        - ansible_virtualization_type not in ["container", "docker", "podman"]
-
-    - name: Stat firewall rules when UFW is disabled
-      become: true
-      ansible.builtin.shell: |
-        set -o pipefail
-        ufw show added | grep '^ufw' | grep "'ansible\smanaged'" | sed 's/ufw //g'
-      args:
-        executable: /bin/bash
-      failed_when: ufw_not_managed.rc > 1
+      ansible.builtin.command:
+        cmd: ufw status verbose
       changed_when: false
-      register: ufw_not_managed
+      register: ufw_status
+      failed_when: >
+        'deny (incoming)' not in ufw_status.stdout or
+        'deny (outgoing)' not in ufw_status.stdout or
+        'disabled (routed)' not in ufw_status.stdout
       when:
-        - not ufw_enable
+        - manage_ufw
         - ansible_virtualization_type not in ["container", "docker", "podman"]
 
     - name: Verify aide configuration

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -20,7 +20,7 @@
       environment:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   when:
-    - ufw_enable
+    - manage_ufw
     - ansible_virtualization_type not in ["container", "docker", "podman"]
 
 - name: Configure sysctl

diff --git a/tasks/ufw.yml b/tasks/ufw.yml
@@ -71,23 +71,44 @@
     - ufw
     - M1037
 
+- name: Get UFW status
+  become: true
+  ansible.builtin.command:
+    cmd: ufw status verbose
+  changed_when: false
+  register: ufw_status
+
 - name: Enable UFW and set default deny
   become: true
-  community.general.ufw:
-    state: enabled
-    direction: "{{ item }}"
-    default: deny
-    log: true
-    logging: low
-    comment: ansible managed
-  loop:
-    - incoming
-    - outgoing
+  when: >
+    'deny (incoming)' not in ufw_status.stdout or
+    'deny (outgoing)' not in ufw_status.stdout or
+    'disabled (routed)' not in ufw_status.stdout
   tags:
     - ufw
     - CIS-UBUNTU2004-3.5.1.7
     - D3-ITF
     - M1037
+  block:
+    - name: Enable UFW service
+      ansible.builtin.systemd:
+        name: ufw
+        enabled: true
+        state: started
+      when:
+        - ansible_virtualization_type not in ["container", "docker", "podman"]
+
+    - name: Set default deny
+      community.general.ufw:
+        state: enabled
+        direction: "{{ item }}"
+        default: deny
+        log: true
+        logging: low
+        comment: ansible managed
+      loop:
+        - incoming
+        - outgoing
 
 - name: Stat UFW rules
   become: true
@@ -185,7 +206,7 @@
   register: ufw_delete
   changed_when: ufw_delete.rc != 0
   failed_when: ufw_delete.rc != 0
-  when: ufw_not_managed.stdout_lines | length > 0 and not ansible_os_family == "RedHat"
+  when: ufw_not_managed.stdout_lines | length > 0
   loop: "{{ ufw_not_managed.stdout_lines }}"
   tags:
     - ufw