Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to configure UFW reject policy in ansible without being disconnected?

Tags:

ansible

ufw

I'm trying to configure UFW in Ansible like this:

- name: Set firewall default policy
  ufw: state=enabled policy=reject
  sudo: true

- name: Allow SSH in UFW
  ufw: rule=allow port=22 proto=tcp

The problem is that as soon as the "Set firewall default policy" is executed ansible drops the connection to the server:

TASK: [Set firewall default policy] *******************************************
changed: [xxx]

TASK: [Allow SSH in UFW] ******************************************************
fatal: [xxx] => {'msg': 'FAILED: [Errno 61] Connection refused', 'failed': True}

FATAL: all hosts have already failed -- aborting

To me it looks like the SSH session is terminated when the reject policy has been applied. How do I solve this? I'm logging in with username/password authentication (i.e. no SSH key) if that makes any difference.

like image 402
Johan Avatar asked Aug 28 '15 15:08

Johan


2 Answers

The order you add rules to the UFW is not important. So you can just reverse order of rules. The trick is to add rule to allow your current connection before adding the default rule, which will deny it (and therefore instantly disconnect).

- name: Allow SSH in UFW
  ufw: rule=allow port=22 proto=tcp

- name: Set firewall default policy
  ufw: state=enabled policy=reject
  become: true
like image 63
Yaroslav Admin Avatar answered Sep 28 '22 21:09

Yaroslav Admin


Here is the solution that worked for me, from ansible github

- name: Configure the kernel to keep connections alive when enabling the firewall
  sysctl:
    name: net.netfilter.nf_conntrack_tcp_be_liberal
    value: 1
    state: present
    sysctl_set: yes
    reload: yes

- name: Enable ufw
  ufw: state=enabled

You will need to install ansible.posix on the host machine with

ansible-galaxy collection install ansible.posix
like image 20
Bix Avatar answered Sep 28 '22 20:09

Bix