
# ufw module examples (reassembled into task order; the module key below is
# written as the short name `ufw:`, which the page itself uses for the module).

- name: Allow everything and enable UFW
  ufw:
    state: enabled
    policy: allow

- name: Set logging
  ufw:
    logging: 'on'

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- ufw:
    rule: reject
    port: auth
    log: true

# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. Typical usage is:
- ufw:
    rule: limit
    port: ssh
    proto: tcp

# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
# a rule=allow task can leave those ports exposed. Either use delete=true
# or a separate state=reset task.)
- ufw:
    rule: allow
    name: OpenSSH

- name: Delete OpenSSH rule
  ufw:
    rule: allow
    name: OpenSSH
    delete: true

- name: Deny all access to port 53
  ufw:
    rule: deny
    port: '53'

- name: Allow port range 60000-61000
  ufw:
    rule: allow
    port: 60000:61000
    proto: tcp

- name: Allow all access to tcp port 80
  ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: Allow all access from RFC1918 networks to this host
  ufw:
    rule: allow
    src: '{{ item }}'
  loop:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16

- name: Deny access to udp port 514 from host 1.2.3.4 and include a comment
  ufw:
    rule: deny
    proto: udp
    src: 1.2.3.4
    port: '514'
    comment: Block syslog

- name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
  ufw:
    rule: allow
    interface: eth0
    direction: in
    proto: udp
    src: 1.2.3.5
    from_port: '5469'
    dest: 1.2.3.4
    to_port: '5469'

# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
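The examples above show individual rules, but the caveat about ufw keeping its own state is the part that bites in practice: a rule that was once applied stays in the ufw ruleset even after its task is deleted from the playbook, so the host silently keeps an open port. The playbook below is an added example, not part of the module documentation; it makes the firewall declarative by resetting ufw first and then rebuilding the whole policy (default deny inbound, rate-limited and logged SSH from assumed management ranges, web ports, reject rather than deny for ident, and only then enabling with logging). The host group `all`, the variable `admin_networks` and its CIDR values are assumptions chosen for illustration.

```yaml
# Added example: a declarative ufw baseline. Not taken from the ufw module docs.
# Assumptions: inventory group "all"; admin_networks holds the management ranges
# from which SSH may originate (constructed values below).
- name: Apply host firewall baseline with ufw
  hosts: all
  become: true
  vars:
    admin_networks:          # assumed management ranges, adjust per site
      - 10.0.0.0/8
      - 192.168.0.0/16
  tasks:
    # Reset first so rules removed from this playbook cannot linger in
    # ufw's own state. Reset also disables the firewall, so the enable
    # task at the end is what actually puts the policy into effect.
    - name: Reset ufw to installation defaults
      ufw:
        state: reset

    - name: Default deny incoming traffic
      ufw:
        policy: deny
        direction: incoming

    - name: Default allow outgoing traffic
      ufw:
        policy: allow
        direction: outgoing

    # limit = allow, but drop a source that opens 6+ connections in 30 s.
    # Restricting src as well keeps the SSH surface to management ranges.
    - name: Rate-limit and log SSH from management networks
      ufw:
        rule: limit
        port: '22'
        proto: tcp
        src: '{{ item }}'
        log: true
        comment: Admin SSH (rate limited)
      loop: '{{ admin_networks }}'

    - name: Allow HTTP and HTTPS from anywhere
      ufw:
        rule: allow
        port: '{{ item }}'
        proto: tcp
      loop:
        - '80'
        - '443'

    # reject sends an ICMP/RST answer, so clients probing ident fail fast
    # instead of hanging until timeout; log: true records each attempt.
    - name: Reject (not deny) ident probes and log them
      ufw:
        rule: reject
        port: auth
        proto: tcp
        log: true

    # Enable last, with logging, so the complete ruleset goes live at once.
    - name: Enable ufw with logging
      ufw:
        state: enabled
        logging: low
```

Two caveats when running this. Between the `state: reset` task and the final `state: enabled` task the firewall is disabled; the Ansible SSH session survives because ufw allows established connections once re-enabled, but schedule the run accordingly on exposed hosts. And `rule: limit` on port 22 will lock out any source that opens more than six SSH connections in thirty seconds, which includes an over-eager automation host; either raise no more than a few forks against one target or allow that host with a plain `rule: allow` placed before the limit rule.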



