Ufw manage defaults

README.md

@@ -51,6 +51,11 @@ It will not:
 * `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
 * `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
 * `os_security_packages_clean': true` - removes packages with known issues. See section packages.
+* `ufw_manage_defaults` - true means apply all settings with ufw_ prefix
+* `ufw_ipt_sysctl` - by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example: /etc/ufw/sysctl.conf. 
+* `ufw_default_input_policy` - DROP
+* `ufw_default_output_policy` - ACCEPT
+* `ufw_default_forward_policy` - DROP
 
 ## Packages
 

defaults/main.yml

@@ -40,6 +40,23 @@ os_security_init_prompt: true
 # Require root password for single user mode. (rhel, centos)
 os_security_init_single: false
 
+# Apply ufw defaults
+ufw_manage_defaults: true
+
+# Empty variable disables IPT_SYSCTL in /etc/default/ufw
+# by default in Ubuntu it set to: /etc/ufw/sysctl.conf
+# CAUTION
+# if you enable it - it'll overwrite /etc/sysctl.conf file, managed by hardening framework
+ufw_ipt_sysctl: ''
+
+# Default ufw variables
+ufw_default_input_policy: 'DROP'
+ufw_default_output_policy: 'ACCEPT'
+ufw_default_forward_policy: 'DROP'
+ufw_default_application_policy: 'SKIP'
+ufw_manage_builtins: 'no'
+ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
+
 # CAUTION
 # If you want to overwrite sysctl-variables,
 # you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.

tasks/sysctl.yml

@@ -35,3 +35,8 @@
     ignoreerrors: yes
   with_dict: '{{ sysctl_rhel_config }}'
   when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
+
+- name: Apply ufw defaults
+  template: src="ufw.j2" dest=/etc/default/ufw
+  when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
+  tags: ufw

templates/ufw.j2

@@ -0,0 +1,44 @@
+# /etc/default/ufw
+#
+
+# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
+# accepted). You will need to 'disable' and then 'enable' the firewall for
+# the changes to take affect.
+IPV6={{ 'no' if sysctl_config['net.ipv6.conf.all.disable_ipv6'] is defined and sysctl_config['net.ipv6.conf.all.disable_ipv6'] == 1 else 'yes' }}
+
+# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
+# you change this you will most likely want to adjust your rules.
+DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}"
+
+# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
+# you change this you will most likely want to adjust your rules.
+DEFAULT_OUTPUT_POLICY="{{ ufw_default_output_policy }}"
+
+# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
+# if you change this you will most likely want to adjust your rules
+DEFAULT_FORWARD_POLICY="{{ ufw_default_forward_policy }}"
+
+# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
+# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
+# details
+DEFAULT_APPLICATION_POLICY="{{ ufw_default_application_policy }}"
+
+# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
+# manage the built-in chains too. Warning: setting this to 'yes' will break
+# non-ufw managed firewall rules
+MANAGE_BUILTINS="{{ ufw_manage_builtins }}"
+
+#
+# IPT backend
+#
+# only enable if using iptables backend and want to overwrite /etc/sysctl.conf
+{% if ufw_ipt_sysctl == '' %}#{% endif %}IPT_SYSCTL={{ ufw_ipt_sysctl }}
+
+# Extra connection tracking modules to load. Complete list can be found in
+# net/netfilter/Kconfig of your kernel source. Some common modules:
+# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
+# nf_conntrack_netbios_ns: NetBIOS (samba) client support
+# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
+# nf_conntrack_ftp, nf_nat_ftp: active FTP support
+# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
+IPT_MODULES="{{ ufw_ipt_modules }}"