design.md 1.5 KB
Context
The base role's UFW tasks in roles/base/tasks/main.yml currently run in this order:
- Enable UFW with
policy: deny(default deny all incoming) - Allow SSH port through UFW
- Allow other configured ports through UFW
Between steps 1 and 2, UFW is active with zero allow rules. While UFW typically doesn't drop established connections, this ordering violates the best practice of "allow before deny" and can cause issues depending on how UFW handles the policy change mid-session.
Goals / Non-Goals
Goals:
- Ensure all allow rules are in place before UFW's deny policy is activated
- Prevent SSH disconnection during Ansible playbook execution
Non-Goals:
- No changes to which ports are allowed or denied
- No changes to SSH hardening, fail2ban, or other base role functionality
Decisions
Swap the task order: allow SSH and other ports first, then enable UFW with the deny policy. This ensures the firewall is enabled with all necessary rules already in place.
Alternatives considered:
- Add a
routerule to allow the current Ansible connection before enabling UFW: overcomplicated, UFW's rule ordering is sufficient. - Use
ufw resetbefore enabling: unnecessary and would remove any existing custom rules.
Risks / Trade-offs
- [Brief window between allow rules and UFW enable where no firewall is active] → Mitigation: this is acceptable since the server is in the middle of an Ansible provisioning run and was previously unprotected anyway.