Changing UFW rules

Does anyone have a solution for dealing with changes to UFW rules in Ansible? The issue is that occasionally, I have to change a rule in some way (change IPs/networks, change port) but the old rule still remains. I could add a separate, special rule to delete the old version but that seems overly fiddly to me.

When I was first playing around with this, I did have a rule at the beginning of my firewall playbook that reset UFW on every run before applying the rule tasks but I decided to remove it because it seems like the wrong approach.

Thanks,
Guy

I’d recommend handling it much the same way I recommend handling users. Create a var containing the rules and state of the rule. And have it loop using with_items. Something like:

    ufw_rules:
      - port: 22
        rule: allow
        proto: tcp
      - port: 80
        delete: yes
        rule: allow
        proto: tcp

and then a task like:

    - ufw:
        port: "{{ item.port }}"
        rule: "{{ item.rule }}"
        proto: "{{ item.proto }}"
        delete: "{{ item.delete|default(omit) }}"
      with_items: "{{ ufw_rules }}"

In the above, if delete is specified it is used, otherwise, if missing that param is omitted. This is effectively how we handle this today.
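A complete playbook built on the approach in the reply above, added here as an example and not taken from the thread. It shows the case from the original question (a rule whose source network changed: the superseded version stays in the list with delete: yes until all hosts have converged, then the entry is dropped). The host group, addresses and ports are constructed, and it assumes the ufw module from the community.general collection with loop in place of with_items.

```yaml
---
# Added example (not from the thread). One variable drives both the removal
# of a superseded rule and the creation of its replacement.
# Host group, networks and ports are constructed for illustration.
- name: Manage UFW rules from a single rule list
  hosts: firewalls
  become: true
  vars:
    ufw_rules:
      # Old version of the SSH rule: every field must match the rule as it
      # was originally added, otherwise ufw cannot find it to delete it.
      - { rule: allow, port: "22", proto: tcp, src: "10.0.0.0/8", delete: yes }
      # New version of the same rule, restricted to a narrower source network.
      - { rule: allow, port: "22", proto: tcp, src: "10.1.0.0/16" }
      # Rule with no src: proto defaults to 'any' and src is omitted.
      - { rule: allow, port: "443", proto: tcp }
  tasks:
    - name: Apply or delete each UFW rule
      community.general.ufw:
        rule: "{{ item.rule }}"
        port: "{{ item.port }}"
        proto: "{{ item.proto | default('any') }}"
        src: "{{ item.src | default(omit) }}"
        delete: "{{ item.delete | default(omit) }}"
      loop: "{{ ufw_rules }}"
      loop_control:
        label: "{{ item.rule }} {{ item.port }}/{{ item.proto | default('any') }} from {{ item.src | default('anywhere') }}"

    - name: Enable UFW with a default-deny policy for incoming traffic
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming
```

Running the play with --check --diff before applying it shows which entries would be added or deleted, which is the cheapest way to confirm the old rule's fields match what is actually installed.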