@installdoc/ansible-gas-station/roles/system/firewall/tasks/ufw.yml

An Ansible playbook that provisions your network with software from GitHub Awesome lists, developed with disaster recovery in mind ⛽🔥🤤

---
- name: Install UFW
  package:
    name: ufw
    state: present

- name: Reset UFW
  ufw:
    state: reset
  when: ufw_reset


- name: Copy over UFW application policies
  copy:
    src: files/ufw/
    dest: /etc/ufw/applications.d
    owner: root
    mode: 0644

- name: Set default incoming policy to deny
  ufw:
    default: deny
    direction: incoming

- name: Enable UFW logging
  ufw:
    logging: "on"
  ignore_errors: true

- name: Allow (but limit) SSH connections from select networks
  ufw:
    rule: limit
    port: "{{ ssh_port }}"
    proto: tcp
    src: "{{ item }}"
    comment: Allow and limit SSH connections
  loop:
    - "{{ lan_network.management }}"
    - "{{ lan_network.work }}"
    - "{{ main_ip_address }}"
  when: (vlan | default('cloud')) != 'cloud'

- name: Allow (but limit) SSH connections from anywhere
  ufw:
    rule: limit
    port: "{{ ssh_port }}"
    proto: tcp
    comment: Allow SSH connections originating from the Internet
  when: (vlan | default('cloud')) == 'cloud'

- name: Allow apt-cacher-ng access
  ufw:
    rule: allow
    name: "AptCacherNG"
    src: "{{ item }}"
    comment: Allow access to apt-cacher-ng
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.kubernetes }}"
    - "{{ lan_network.management }}"
    - "{{ lan_network.offline }}"
    - "{{ lan_network.unifi }}"
    - "{{ lan_network.work }}"
  when: ('apt' in apps)

- name: Allow RDP access
  ufw:
    rule: allow
    name: "RDP"
    src: "{{ item }}"
    comment: Allow RDP
  loop:
    - "{{ lan_network.work }}"
  when: "'desktop' in group_names"

- name: Allow remote Docker access
  ufw:
    rule: allow
    port: "2424"
    proto: tcp
    src: "{{ hosts.portainer.ip_address }}"
    comment: Allow access to Docker from Portainer
  when: not ("'portainer' in apps")

- name: Allow TFTP access to Netboot.xyz
  ufw:
    rule: allow
    name: "NetbootXYZ"
    src: "{{ item }}"
    comment: Allow TFTP access for booting iPXE files
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.kubernetes }}"
    - "{{ lan_network.management }}"
    - "{{ lan_network.offline }}"
    - "{{ lan_network.unifi }}"
    - "{{ lan_network.work }}"
  when: ('netboot' in apps)

- name: Allow access to Plex Media Server from LAN
  ufw:
    rule: allow
    name: "PlexMediaServer Full"
    src: "{{ item }}"
    comment: Allow full access to Plex Media Server from LAN
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.work }}"
  when: ('plex' in apps)

- name: Allow access to Plex Media Server from Internet
  ufw:
    rule: allow
    port: "32400"
    proto: tcp
    comment: Allow access to Plex Media Server from Internet
  when: ('plex' in apps)

- name: Allow printer sharing
  ufw:
    rule: allow
    name: "CUPS"
    src: "{{ item }}"
    comment: Allow printer sharing
  loop:
    - "{{ lan_network.iot }}"
    - "{{ lan_network.work }}"
  when: ('cups' in apps)

- name: Allow MAAS communication
  ufw:
    rule: allow
    name: "MAAS"
    src: "{{ item }}"
    comment: Allow MAAS communication
  loop:
    - "{{ lan_network.kubernetes }}"
  when: ('maas' in apps)

- name: Allow UniFi access
  ufw:
    rule: allow
    name: "UniFi"
    comment: Allow UniFi communication
    src: "{{ item }}"
  loop:
    - "{{ lan_network.unifi }}"
  when: ('unifilab' in apps)

- name: Allow HTTP/HTTPS access from LAN
  ufw:
    rule: allow
    name: "Nginx Full"
    comment: Allow access to NGINX from LAN
    src: "{{ item }}"
  loop: "{{ rc1918_networks }}"
  when:
    - not ('nuc' in apps)
    - (vlan | default('cloud')) != 'cloud'

- name: Allow HTTP/HTTPS access from internet
  ufw:
    rule: allow
    name: "Nginx Full"
    comment: Allow access to NGINX from internet
  when: ('nuc' in apps) or ((vlan | default('cloud')) == 'cloud')

- name: Enable UFW
  ufw:
    state: enabled