From bd52fd5733c34a85981a61a917a8812af80a3e2e Mon Sep 17 00:00:00 2001
From: "Glenn K. Lockwood"
Date: Sun, 28 Oct 2018 22:18:51 -0700
Subject: [PATCH] add firewall configuration
---
 roles/common/tasks/main.yml | 23 +++++++++++++++++++++++
 roles/common/tasks/software.yml | 1 +
 2 files changed, 24 insertions(+)
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7d08d84..49e2c96 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -79,3 +79,26 @@
 - include: software.yml
 - include: users.yml
 - include: raspi-config.yml
+
+# Configure firewall
+- name: allow SSH through UFW
+ ufw:
+ rule: allow
+ port: ssh
+ proto: tcp
+ log: yes
+
+- name: set default incoming UFW policy to deny
+ ufw:
+ direction: incoming
+ policy: deny
+
+- name: set default outgoing UFW policy to deny
+ ufw:
+ direction: outgoing
+ policy: allow
+
+- name: enable UFW
+ ufw:
+ state: enabled
+ logging: yes
diff --git a/roles/common/tasks/software.yml b/roles/common/tasks/software.yml
index 816ec2b..077387a 100644
--- a/roles/common/tasks/software.yml
+++ b/roles/common/tasks/software.yml
@@ -31,5 +31,6 @@
 - vim
 - git
 - python-pip
+ - ufw
 tags:
 - sw
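Review bot: The third added task in roles/common/tasks/main.yml is named `set default outgoing UFW policy to deny` but sets `policy: allow`, so anyone reading the play output or auditing the role will believe egress is blocked when it is not. If unrestricted egress is the intent, rename it to `- name: set default outgoing UFW policy to allow`; if deny is really wanted, explicit outbound allow rules (DNS, NTP, package mirrors) would have to be added before the default is flipped. Separately, the SSH task uses `rule: allow`, whereas `rule: limit` would have UFW rate-limit repeated connection attempts on that port. The `log: yes` and `logging: yes` values are YAML 1.1 truthy spellings; `log: true` and `logging: 'on'` state the intent without relying on boolean coercion.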