
�
�Udac@`s�ddlmZmZmZeZidd6dgd6dd6ZdZd	Zdd
l	Z	ddl
mZddlm
Z
d
�Zd�Zd�Zedkr�e�nd
S(i(tabsolute_importtdivisiontprint_functions1.1tmetadata_versiontpreviewtstatust	communitytsupported_bysh
---
module: ufw
short_description: Manage firewall with UFW
description:
    - Manage firewall with UFW.
version_added: 1.6
author:
    - Aleksey Ovcharenko (@ovcharenko)
    - Jarno Keskikangas (@pyykkis)
    - Ahti Kitsik (@ahtik)
notes:
    - See C(man ufw) for more examples.
requirements:
    - C(ufw) package
options:
  state:
    description:
      - C(enabled) reloads firewall and enables firewall on boot.
      - C(disabled) unloads firewall and disables firewall on boot.
      - C(reloaded) reloads firewall.
      - C(reset) disables and resets firewall to installation defaults.
    type: str
    choices: [ disabled, enabled, reloaded, reset ]
  default:
    description:
      - Change the default policy for incoming or outgoing traffic.
    type: str
    choices: [ allow, deny, reject ]
    aliases: [ policy ]
  direction:
    description:
      - Select direction for a rule or default policy command.
    type: str
    choices: [ in, incoming, out, outgoing, routed ]
  logging:
    description:
      - Toggles logging. Logged packets use the LOG_KERN syslog facility.
    type: str
    choices: [ 'on', 'off', low, medium, high, full ]
  insert:
    description:
      - Insert the corresponding rule as rule number NUM.
      - Note that ufw numbers rules starting with 1.
    type: int
  insert_relative_to:
    description:
      - Allows interpreting the index in I(insert) relative to a position.
      - C(zero) interprets the rule number as an absolute index (i.e. 1 is
        the first rule).
      - C(first-ipv4) interprets the rule number relative to the index of the
        first IPv4 rule, or relative to the position where the first IPv4 rule
        would be if there is currently none.
      - C(last-ipv4) interprets the rule number relative to the index of the
        last IPv4 rule, or relative to the position where the last IPv4 rule
        would be if there is currently none.
      - C(first-ipv6) interprets the rule number relative to the index of the
        first IPv6 rule, or relative to the position where the first IPv6 rule
        would be if there is currently none.
      - C(last-ipv6) interprets the rule number relative to the index of the
        last IPv6 rule, or relative to the position where the last IPv6 rule
        would be if there is currently none.
    type: str
    choices: [ first-ipv4, first-ipv6, last-ipv4, last-ipv6, zero ]
    default: zero
    version_added: "2.8"
  rule:
    description:
      - Add firewall rule
    type: str
    choices: [ allow, deny, limit, reject ]
  log:
    description:
      - Log new connections matched to this rule
    type: bool
  from_ip:
    description:
      - Source IP address.
    type: str
    default: any
    aliases: [ from, src ]
  from_port:
    description:
      - Source port.
    type: str
  to_ip:
    description:
      - Destination IP address.
    type: str
    default: any
    aliases: [ dest, to]
  to_port:
    description:
      - Destination port.
    type: str
    aliases: [ port ]
  proto:
    description:
      - TCP/IP protocol.
    type: str
    choices: [ any, tcp, udp, ipv6, esp, ah, gre, igmp ]
    aliases: [ protocol ]
  name:
    description:
      - Use profile located in C(/etc/ufw/applications.d).
    type: str
    aliases: [ app ]
  delete:
    description:
      - Delete rule.
    type: bool
  interface:
    description:
      - Specify interface for rule.
    type: str
    aliases: [ if ]
  route:
    description:
      - Apply the rule to routed/forwarded packets.
    type: bool
  comment:
    description:
      - Add a comment to the rule. Requires UFW version >=0.35.
    type: str
    version_added: "2.4"
s�
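# With no direction given, ufw applies the default policy to incoming
# traffic, so this task turns the firewall on with a default-allow stance:
# only explicit deny/reject/limit rules restrict anything. For a default-deny
# host, use policy: deny and add the allow rules that are needed (remote
# management access first) before enabling.
- name: Allow everything and enable UFW
  ufw:
    state: enabled
    policy: allow

# 'on' stays quoted: unquoted, YAML 1.1 parsers read it as a boolean rather
# than the string the logging option expects. Logged packets use the
# LOG_KERN syslog facility.
- name: Set logging
  ufw:
    logging: 'on'

# Sometimes it is desirable to let the sender know when traffic is
# being denied, rather than simply ignoring it. In these cases, use
# reject instead of deny. In addition, log rejected connections:
- name: Reject connections to the auth port and log them
  ufw:
    rule: reject
    port: auth
    log: true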

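# ufw supports connection rate limiting, which is useful for protecting
# against brute-force login attacks. ufw will deny connections if an IP
# address has attempted to initiate 6 or more connections in the last
# 30 seconds. See http://www.debian-administration.org/articles/187
# for details. Typical usage is:
- name: Rate-limit incoming SSH connections
  ufw:
    rule: limit
    port: ssh
    proto: tcp

# Allow OpenSSH. ufw keeps its own rule state on the host, so removing a
# rule: allow task from a playbook does not close the port again. Either run
# the same rule with delete: true (as in the next task) or use a separate
# state: reset task.
- name: Allow OpenSSH
  ufw:
    rule: allow
    name: OpenSSH

# The rule to delete is identified by repeating its definition.
- name: Delete OpenSSH rule
  ufw:
    rule: allow
    name: OpenSSH
    delete: true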

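# Port values are quoted so they always reach the module as strings.
- name: Deny all access to port 53
  ufw:
    rule: deny
    port: '53'

# A range is written low:high; quoting keeps the colon-separated value from
# being interpreted by the YAML parser.
- name: Allow port range 60000-61000
  ufw:
    rule: allow
    port: '60000:61000'
    proto: tcp

- name: Allow all access to tcp port 80
  ufw:
    rule: allow
    port: '80'
    proto: tcp

# No port or proto is given, so each rule admits all traffic from the listed
# range. Add port/proto when only specific services should be reachable from
# internal networks.
- name: Allow all access from RFC1918 networks to this host
  ufw:
    rule: allow
    src: '{{ item }}'
  loop:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16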

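# Addresses are quoted so they are always passed to the module as strings.
- name: Deny access to udp port 514 from host 1.2.3.4 and include a comment
  ufw:
    rule: deny
    proto: udp
    src: '1.2.3.4'
    port: '514'
    comment: Block syslog

# src/from_port describe the sender, dest/to_port the receiver; interface and
# direction restrict the rule to traffic arriving on eth0.
- name: Allow incoming access to eth0 from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
  ufw:
    rule: allow
    interface: eth0
    direction: in
    proto: udp
    src: '1.2.3.5'
    from_port: '5469'
    dest: '1.2.3.4'
    to_port: '5469'

# Note that IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.
- name: Deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host
  ufw:
    rule: deny
    proto: tcp
    src: '2001:db8::/32'
    port: '25'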

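# Rule position matters: ufw evaluates rules in order, so a deny must sit
# ahead of any broader allow it is meant to override.
- name: Deny all IPv6 traffic to tcp port 20 on this host
  # This should be the first IPv6 rule
  # (insert: 0 relative to first-ipv6 addresses the first IPv6 rule).
  ufw:
    rule: deny
    proto: tcp
    port: '20'
    to_ip: '::'
    insert: 0
    insert_relative_to: first-ipv6

- name: Deny all IPv4 traffic to tcp port 20 on this host
  # This should be the third to last IPv4 rule
  # (insert: -1 addresses the second to last IPv4 rule;
  #  so the new rule will be inserted before the second
  #  to last IPv4 rule, and will become the third to last
  #  IPv4 rule.)
  # to_ip is an IPv4 destination so that the rule itself is an IPv4 rule,
  # matching insert_relative_to: last-ipv4.
  ufw:
    rule: deny
    proto: tcp
    port: '20'
    to_ip: '0.0.0.0/0'
    insert: -1
    insert_relative_to: last-ipv4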

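# Can be used to further restrict a global FORWARD policy set to allow.
# route: true applies the rule to routed/forwarded packets rather than to
# traffic addressed to this host.
- name: Deny forwarded/routed traffic from subnet 1.2.3.0/24 to subnet 4.5.6.0/24
  ufw:
    rule: deny
    route: true
    src: '1.2.3.0/24'
    dest: '4.5.6.0/24'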
N(t
itemgetter(t
AnsibleModulecC`sd}|d7}tj|�S(Ns1((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}s((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])(tretcompile(tr((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytcompile_ipv4_regexps
cC`smd}|d7}|d7}|d7}|d7}|d7}|d7}|d7}|d	7}|d
7}tj|�S(s�
    validation pattern provided by :
    https://stackoverflow.com/questions/53497/regular-expression-that-matches-
    valid-ipv6-addresses#answer-17871737
    sC(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:sC|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}sD(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4})sC{1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]sD{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]sC{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4})sC{0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]sB|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}sC[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}s7[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(R
R(R((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytcompile_ipv6_regexps








c/0`s�ddddg}tdtdtdddd	d
ddg�dtddd
dgddddg�dtdddddddddg�dtddddddddg�dtdddt�d tdddt�d!tdd"�d#tdd$d%d&d'd(gdd$�dtdddddd)dg�d*tddd
d+g�d,tdddt�d-tdddd.d
d/d0g�d1tdd�d2tdddd.d
d3d4g�d5tddd
d6g�d7tddd
d8gdd9d.d:d;d<d=d>d?g�d@tddd
dAg�dBtdd��dCtdDd@d7dggdE|gdFtd*dy���g�t��t��dG�}dH�}dI�}dJ����fdK�}��fdL�}�fdM�}�fdN�}t��fdO����fdP�}���fdQ�}	�j�t�fdR�|D��}
�jdSt���jdTt����gdUgg�}|�}t}
x�|
j�D]�\}}�g�j	dVgg}|dkrfidWd	6dXd
6dYd6dd6}|dzkr�t}
n�j	rE|j
dZ�d[k}|d
kr&|s9|d	krc|rct}
qcq�|d\g||gg�q�|dkr4tjd]|�}|r|j
d^�}|j
d_�}|dkr�|dkr�t}
q|dkr||krt}
qq|dkrt}
qnt}
�j	s�||g|gg�qq�|dkr1�dd{krc�jd`da�n�j	r
db}tj||�}|dk	ri}|j
d_�|d<|j
d^�|d<|j
dc�|d<|�dp�d}||d
fkrt}
qq.t}
q�||g|g�dgg�q�|dkr��dd|kr`�jd`dd�n|j�j�d �d g�|j�j�d�dg��d!dk	r��d#}|d$kr��d!}n�j�dedfg�\}}}tjdg�}g|j�D]!}|j|�dh|kf^q}g|D]-\} }!| r>t| j
d_��|!f^q>}|r�tg|D]\}"}!|"^q��ndi}#tg|D]\}"}!|!^q��}$tg|D]\}"}!|!^q��}%|d%krd_}&n�|d&krH|$r?tg|D]\}"}!|!s|"^q�nd_}&no|d'kr�|$r�tg|D]\}"}!|!sd|"^qd�d_nd_}&n%|d(kr�|%r�|#n|#d_}&n�d!|&}||#kr�d}n|j|dk	dj|g�n|j|g�|j�ddk�dg�|j�d*dl�d*g�|j�j�d,�d,g�xGd}d~dd�d�d�gD]-\}'}(�|'}|j||(|g�q�	W|	�\})}*}|)dikr�	|*drks�	|)dikr

|j�dBds�dBg�n�|�}+�j	rt|dt|+��},|,dikoX
|,t|+jt��ks
|du|+�}+|�d-�s�
|�d2�r�
||�||+�krt}
qq
|�d-�s�
|�d2�r�
||�||+�krt}
qq
||+kr
t}
q
q
qq�q�W�j	r3�jdv|
dw��S��gdegdxgg�}-|
s{|�}.||-kpu||.k}
n�jdv|
dw�d`|-j��SdS(�Ntstatetdefaulttruletloggingt
argument_specttypetstrtchoicestenabledtdisabledtreloadedtresettaliasestpolicytallowtdenytrejecttfullthightlowtmediumtofftont	directiontintincomingtouttoutgoingtroutedtdeletetbooltroutetinserttinttinsert_relative_totzeros
first-ipv4s	last-ipv4s
first-ipv6s	last-ipv6tlimitt	interfacetiftlogtfrom_iptanytfromtsrct	from_porttto_iptdestttotto_porttporttprototprotocoltahtesptipv6ttcptudptgretigmptnametapptcommenttsupports_check_modetmutually_exclusivetrequired_one_oftrequired_bycS`s8djg|jt�D]}|j|�r|^q�S(Nt(tjoint
splitlinestTruet
startswith(tpatterntcontenttline((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_not_start_withVscS`s,g|jt�D]}||kr|^qS(N(RSRT(RVRWRX((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_containsYscS`s8djg|jt�D]}|j|�s|^q�S(NRQ(RRRSRTtcontains(RVRWRX((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_not_contains\scS`s;djg|jt�D]}||�dk	r|^q�S(NRQ(RRRSRTtNone(t
match_funcRWRX((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_match_func_sc`s��j|�S(N(tsearch(RW(R_tipv4_regexp(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_contains_ipv4bsc`s��j|�S(N(R`(RW(R_tipv6_regexp(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytfilter_line_that_contains_ipv6esc`s�j|�dk	S(N(tmatchR](tip(Ra(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytis_starting_by_ipv4hsc`s�j|�dk	S(N(ReR](Rf(Rc(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytis_starting_by_ipv6ksc`s�djttd�ttd�|���}�j|��j|didd6�\}}}|dkr�|r��jd|p�|d��n|S(	Nt i����itenviron_updatetCtLANGtmsgtcommands(RRtmapRtfiltertappendtrun_commandt	fail_json(tcmdtignore_errortrcR)terr(tcmdstmodule(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytexecutens-
%c`scddddddg}�gdgdgg}|jg|D]}|g^q=��|d	t�S(
Ns/lib/ufw/user.ruless/lib/ufw/user6.ruless/etc/ufw/user.ruless/etc/ufw/user6.ruless/var/lib/ufw/user.ruless/var/lib/ufw/user6.ruless-hs'^### tuple'Ru(textendRT(tuser_rules_filesRttf(Rztgrep_bin(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytget_current_rulesys	#c`s(��gdgg�}g|jd�D]}|j�dkr(|^q(}t|�dkr}�jddddd|�ntjd	|d�}|d
kr��jddddd|�nt|jd
��}t|jd��}d}|jd�d
k	rt|jd��}n|||fS(sU
        Returns the major and minor version of ufw installed on the system.
        s	--versions
RQiRmsFailed to get ufw version.RvR)s!^ufw.+(\d+)\.(\d+)(?:\.(\d+))?.*$iiiN(	tsplittstriptlenRsR
R`R]R0tgroup(R)txtlinestmatchestmajortminortrev(RzRytufw_bin(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytufw_version�s4c3`s)|]}�|r|�|fVqdS(N((t.0tkey(tparams(s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pys	<genexpr>�stufwtgrepsstatus verboses	--dry-runtenabletdisabletreloads activei����s-fs#Logging: (on|off)(?: \(([a-z]+)\))?iiRmsnFor default, direction must be one of "outgoing", "incoming" and "routed", or direction must not be specified.stDefault: (deny|allow|reject) \(incoming\), (deny|allow|reject) \(outgoing\), (deny|allow|reject|disabled) \(routed\)isWFor rules, direction must be one of "in" and "out", or direction must not be specified.Rtnumbereds^\[ *([0-9]+)\] s(v6)is	insert %ss%sson %ssfrom %ssport %ssto %ssproto %ssapp '%s'i#scomment '%s'tSkippings	### tupletchangedRntverbose(R&(Rsreset(R*R(R+N(sinsoutN(R7sfrom %s(R;sport %s(R<sto %s(R?sport %s(RAsproto %s(RJsapp '%s'(R	tdicttFalseRTR
RR�tget_bin_pathtitemst
check_modetfindR
R`R�R]RsRqtbooleanRrRRSReR0tmaxR8R�t	exit_jsontrstrip(/tcommand_keysRYRZR\RbRdRgRhRR�Rnt	pre_statet	pre_rulesR�tcommandtvalueRttstatestufw_enabledtextractt
current_leveltcurrent_on_off_valuetregexptcurrent_default_valuestvtrelative_to_cmdt	insert_totdummytnumbered_statetnumbered_line_reRXR�tmatcherREtnotlast_numberthas_ipv4thas_ipv6trelative_toR�ttemplatet	ufw_majort	ufw_minort	rules_drytnb_skipping_linet
post_statet
post_rules((	RxRzR_R~RaRcRyR�R�s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pytmain/s,!''$$!!!6							
				%!		 		'  

!4:1&%	:>	  	
$"	'  		t__main__(t
__future__RRRRt
__metaclass__tANSIBLE_METADATAt
DOCUMENTATIONtEXAMPLESR
toperatorRtansible.module_utils.basicR	R
RR�t__name__(((s>/usr/lib/python2.7/site-packages/ansible/modules/system/ufw.pyt<module>
s


			�
