I'm trying to configure UFW in Ansible like this:
- name: Set firewall default policy
  ufw: state=enabled policy=reject
  become: true   # modern spelling of the legacy 'sudo: true'; the ufw module needs root
- name: Allow SSH in UFW
  ufw: rule=allow port=22 proto=tcp
  become: true   # this task needs root as well
The problem is that as soon as the "Set firewall default policy" task is executed, Ansible drops the connection to the server:
TASK: [Set firewall default policy] *******************************************
changed: [xxx]
TASK: [Allow SSH in UFW] ******************************************************
fatal: [xxx] => {'msg': 'FAILED: [Errno 61] Connection refused', 'failed': True}
FATAL: all hosts have already failed -- aborting
To me it looks like the SSH session is terminated when the reject policy has been applied. How do I solve this? I'm logging in with username/password authentication (i.e. no SSH key) if that makes any difference.
The order you add rules to UFW is not important, so you can just reverse the order of the rules. The trick is to add a rule to allow your current connection before adding the default rule, which will deny it (and therefore instantly disconnect).
- name: Allow SSH in UFW
  ufw: rule=allow port=22 proto=tcp
  become: true   # the ufw module needs root for this task too
- name: Set firewall default policy
  ufw: state=enabled policy=reject
  become: true
Here is the solution that worked for me, from the Ansible GitHub:
- name: Configure the kernel to keep connections alive when enabling the firewall
  ansible.posix.sysctl:          # sysctl module lives in the ansible.posix collection
    name: net.netfilter.nf_conntrack_tcp_be_liberal
    value: "1"
    state: present
    sysctl_set: yes
    reload: yes
- name: Enable ufw
  ufw: state=enabled
You will need to install ansible.posix on the host machine with:
ansible-galaxy collection install ansible.posix
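Putting both answers together as one complete playbook (an added example, not code from the question or either answer): the SSH rule goes in before any policy change, the conntrack tweak from the second answer is applied before the firewall is enabled, and a final status check confirms the rule is actually in the loaded ruleset. It assumes the `community.general` and `ansible.posix` collections are installed on the control node, a Debian/Ubuntu target with ufw installed, a login user that can sudo, and that sshd listens on port 22 (`ssh_port` is a made-up variable; set it to the real port, otherwise the policy task locks you out). Loading `nf_conntrack` explicitly is a precaution: the `net.netfilter.nf_conntrack_*` sysctl keys only exist once that module is loaded, and on a host where no netfilter rules have been loaded yet the sysctl task would otherwise fail. The "Connection refused" in the question is consistent with the `reject` policy: a rejected SYN is answered rather than silently dropped, which is why the next task failed immediately instead of timing out.

```yaml
---
# Added example, not code from the original question or answers.
# Assumes: community.general + ansible.posix installed on the control node,
# a Debian/Ubuntu target with ufw installed, and a sudo-capable login user.
- name: Enable UFW without dropping the Ansible SSH session
  hosts: all
  become: true
  vars:
    ssh_port: 22   # assumption: sshd listens here; set to your real port

  tasks:
    - name: Allow (rate-limited) SSH first, so the policy change cannot cut us off
      community.general.ufw:
        rule: limit          # like 'allow', but throttles repeated connection attempts per source
        port: "{{ ssh_port }}"
        proto: tcp

    - name: Make sure nf_conntrack is loaded so its sysctl keys exist
      community.general.modprobe:
        name: nf_conntrack
        state: present

    - name: Keep the already-established SSH session tracked when rules are loaded
      ansible.posix.sysctl:
        name: net.netfilter.nf_conntrack_tcp_be_liberal
        value: "1"
        state: present
        sysctl_set: true
        reload: true

    - name: Set the default incoming policy and enable the firewall last
      community.general.ufw:
        state: enabled
        policy: reject
        direction: incoming

    - name: Verify the SSH rule made it into the active ruleset
      ansible.builtin.command: ufw status
      register: ufw_status
      changed_when: false
      failed_when: "(ssh_port ~ '/tcp') not in ufw_status.stdout"
```

`rule: limit` is ufw's built-in brute-force throttle (it starts denying a source after too many new connections in a short window) and is a sensible default for an exposed SSH port; use `rule: allow` if that is not wanted. The last task is the check worth keeping in any firewall playbook: it fails the run if the SSH rule is missing from `ufw status`, so a typo in the port or protocol is caught while the current session is still open.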