Faster ufw, now progressively enhanced.

2025-09-18 21:43:31 +00:00 · 2024-02-18 16:10:51 -05:00 · 2024-02-18 16:10:51 -05:00 · 148d19a605
commit 148d19a605
parent f6a2a910ff
2 changed files with 42 additions and 23 deletions
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@ -11,15 +11,15 @@
    dest: /tmp/ufw_rules.sh
    mode: '0755'
    
- name: Stop ufw and delete all rules
-  become: yes
-  ufw: state=reset
-  tags: ufw
+# - name: Stop ufw and delete all rules
+#   become: yes
+#   ufw: state=reset
+#   tags: ufw

- name: Set firewall default policy
-  become: yes
-  ufw: state=disabled policy=reject
-  tags: ufw
+# - name: Set firewall default policy
+#   become: yes
+#   ufw: state=disabled policy=reject
+#   tags: ufw
 #
 # - name: Set ufw policy to deny all incoming connections
 #   ufw: policy=deny direction=incoming
--- a/ansible/roles/ufw/templates/ufw_rules.sh.j2
+++ b/ansible/roles/ufw/templates/ufw_rules.sh.j2
@ -1,24 +1,43 @@
 #!/bin/bash
-# Apply UFW rules in batch
-ufw --force reset
-ufw default deny incoming
-ufw default allow outgoing
+# Script to apply UFW rules incrementally with regex matching for `ufw status verbose` output

-# Allow SSH
-ufw allow 22
+# Fetch the current UFW status once and store it
+CURRENT_UFW_STATUS=$(ufw status verbose)

-ufw allow from 10.0.0.0/8
-ufw allow from 172.18.0.0/16
-ufw allow from 172.17.0.0/16
+# Function to check and apply a rule with regex for forward rules
+apply_rule() {
+    local rule="$1"
+    local rule_type="$2" # "IN" for incoming, "FWD" for forwarded (route) rules
+    local ip_address="$3"

+    # Construct the regex pattern based on rule type
+    local regex_pattern
+    if [ "$rule_type" == "FWD" ]; then
+        regex_pattern="ALLOW FWD\\s+$ip_address"
+    else
+        regex_pattern="ALLOW IN\\s+$ip_address"
+    fi
+
+    # Use grep with -P for Perl-compatible regex, and -q to quietly check for a match
+    if echo "$CURRENT_UFW_STATUS" | grep -Pq -- "$regex_pattern"; then
+        echo "Rule already exists: $regex_pattern"
+    else
+        echo "Applying rule: $rule"
+        ufw $rule
+    fi
+}
+
+# Apply rules
+# Example for direct allow rules
+apply_rule "allow 22" "IN" "22" # IP address parameter is not used for this rule
+
+# Example for forwarded (route) rules
 {% for host in hetzner_hosts %}
-ufw allow from {{ host }}
-ufw route allow from {{ host }}
+apply_rule "allow from {{ host }}" "IN" "{{ host }}"
+apply_rule "route allow from {{ host }}" "FWD" "{{ host }}"
 {% endfor %}

 {% for host in do_hosts %}
-ufw allow from {{ host }}
-ufw route allow from {{ host }}
+apply_rule "allow from {{ host }}" "IN" "{{ host }}"
+apply_rule "route allow from {{ host }}" "FWD" "{{ host }}"
 {% endfor %}
-
-ufw --force enable