network related sysctl rewritten by ufw in ubuntu

[fitz123]

So, there's a thing.
By default in ubuntu if you enable(or reload) ufw (or reboot the system), you have applied all sort of different sysctl values from /etc/ufw/sysctl.conf over standard /etc/sysctl.conf
This behavior can be disabled by commenting out IPT_SYSCTL=/etc/ufw/sysctl.conf line in /etc/default/ufw

I'm going to add replace task in sysctl.yml to comment out this line. Is there any ideas to deal with it by another way? Or objections to use replace module?

Or maybe reasons don't do it at all?
I think it's a security issue, which prevents from applying a lot of important sysctl values, so as for me, It's clearly framework's job do deal with it

[fitz123]

#84

[rndmh3ro]

I think that's a good idea, there's one confusion less when dealing with ubuntu and the kernel parameters.
However I have three requests:

• please do not use the replace or lineinfile module for this. In the beginning of the heardening modules we opted for replacing the whole files we're managing instead of fumbling in the files. So please roll out a template file.
• use a template file and a option in the defaults (default: true), so the setting is changable by the user.
  e.g.:

- name: Disable sysctl.conf applied by ufw
  template: src="ufw.j2" dest=...
  when: disable_uwf_sysctl and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')

• add the new variable to the readme

[fitz123]

I doubt it's a good idea to do it by default, since there a lot of options inside /etc/default/ufw, like IPv6 and default firewall policies. So I'd rather make it false by default and try to describe it in readme

[rndmh3ro]

Yes, thats okay, too. I just thought you wanted to enable it by default.

[fitz123]

I do want enable it for myself, but since there default firewall policies, it could have bad affect on some users who didn't expect get fw policies changed)

[fitz123]

actually I'll make a big change then, integrating most of variables from this file into role, to let users ability change them if they need, applying reasonable secure defaults
Let me finish and you'll see

[fitz123]

check this out #85
I did everything you mentioned. I implemented a little bit logic, like setting variable for IPV6 according to sysctl dictionary. Also some variables I left as default and didn't include neither into README or to defaults variables, because IMHO users really rare want to change it. So IMHO including those into defaults/README kind of overload users by additional(not necessary) info, but in other side I left them as variables so users theoretically could change them if they really want.
So in summary, make it in a way I think is reasonable, but any criticism are welcome =)

[rndmh3ro]

Thanks for this PR, I think that could be useful! I added some comments to the PR that I'd like you to consider!