```sh
git clone [email protected]/pyykkis/ansible-ufw-example
cd ansible-ufw-example
vagrant up
```
In this example, ansible and vagrant are used to provision a precise64 box. Ansible sets up the following services:

- ufw
  - `reject` as the default policy
  - allow 22 for OpenSSH
- nginx
  - ports 80 and 443 are rejected by ufw, as no allow rule is specified for them
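A playbook that produces the setup listed above, added here as an illustration (it is not the repository's own playbook; the task layout and the `apt`, `ufw` and `service` module parameters shown are assumptions). Note the ordering: the SSH allow rule goes in before the firewall is enabled, otherwise the Vagrant SSH session is cut off by the new default policy.

```yaml
# Added example playbook (assumed layout, not the repo's own file).
# Assumes the ufw module (ansible core / community.general) is available.
- hosts: all
  become: yes
  tasks:
    - name: Install ufw and nginx
      apt:
        name: [ufw, nginx]
        state: present
        update_cache: yes

    - name: Allow OpenSSH first, so enabling the firewall does not lock us out
      ufw:
        rule: allow
        port: '22'
        proto: tcp

    - name: Enable ufw with reject (not drop) as the default incoming policy
      ufw:
        state: enabled
        direction: incoming
        policy: reject

    - name: Start nginx; 80/443 stay rejected because no allow rule is added
      service:
        name: nginx
        state: started
```

Because no allow rule exists for 80 and 443, a client connecting to them receives an immediate refusal instead of a silent timeout, which is the behaviour the reject default is chosen for.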
Firewall settings can be explored from the host machine using nmap, or simply by `curl 192.168.0.2`.
More information about UFW in general, and about the Ansible ufw module in particular, can be found in the Ubuntu UncomplicatedFirewall documentation and the Ansible UFW module documentation.
Using `reject` as the default policy is recommended by multiple sources, as `drop` doesn't really help with security, and is a major PITA when debugging distributed systems [1], [2].
References:

- [1]: Why Firewall Reject Rules Are Better Than Firewall Drop Rules
- [2]: Drop versus Reject