
Hardening a host firewall service

The following code snippet installs and configures the Uncomplicated Firewall (UFW) with its required services and rules. Ansible has a module for UFW, so the snippet starts by installing the package and enabling logging. It then sets the default policies: deny all incoming traffic and allow all outgoing traffic.

Next, it allows incoming SSH, HTTP, and HTTPS traffic. These options are completely configurable, as required. Finally, it enables UFW to apply the changes, restarts the service, and adds it to the startup programs:

- name: installing ufw package
  apt:
    name: "ufw"
    update_cache: yes
    state: present

- name: enable ufw logging
  ufw:
    # quoted so YAML passes the string "on" rather than a boolean
    logging: "on"

- name: default ufw setting
  ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  with_items:
    - { direction: 'incoming', policy: 'deny' }
    - { direction: 'outgoing', policy: 'allow' }

- name: allow required ports to access server
  ufw:
    rule: "{{ item.policy }}"
    port: "{{ item.port }}"
    proto: "{{ item.protocol }}"
  with_items:
    - { port: "22", protocol: "tcp", policy: "allow" }
    - { port: "80", protocol: "tcp", policy: "allow" }
    - { port: "443", protocol: "tcp", policy: "allow" }

- name: enable ufw
  ufw:
    state: enabled

- name: restart ufw and add to start up programs
  service:
    name: ufw
    state: restarted
    enabled: yes
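
A post-run check for the playbook above, added here as an example and not part of the original text: it parses the output of `ufw status verbose` and reports any drift from the intended policy (active, logging on, default deny incoming, only 22/80/443 open). The sample outputs are constructed, and the names `audit_ufw` and `EXPECTED_INBOUND` are assumptions made for this example.

```python
import re

# Ports the playbook opens; any other inbound allow is treated as drift.
EXPECTED_INBOUND = {"22/tcp", "80/tcp", "443/tcp"}

# Constructed sample of `ufw status verbose` output (not captured from a real host).
SAMPLE_OK = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# Constructed drift case: logging switched off and a database port opened by hand.
SAMPLE_DRIFT = (SAMPLE_OK.replace("Logging: on (low)", "Logging: off")
                + "3306/tcp                   ALLOW IN    Anywhere\n")

def audit_ufw(status_text, expected=EXPECTED_INBOUND):
    """Return a list of findings; an empty list means the host matches the playbook."""
    findings = []
    if not re.search(r"^Status: active\s*$", status_text, re.M):
        findings.append("ufw is not active")
    if not re.search(r"^Logging: on\b", status_text, re.M):
        findings.append("logging is not on")
    default = re.search(r"^Default: (\w+) \(incoming\), (\w+) \(outgoing\)", status_text, re.M)
    incoming, outgoing = default.groups() if default else (None, None)
    if incoming != "deny":
        findings.append("default incoming policy is not deny")
    if outgoing != "allow":
        findings.append("default outgoing policy is not allow")
    # Rule rows read "<To>  ALLOW IN  <From>"; IPv6 rows repeat the target with " (v6)".
    rows = re.findall(r"^(.+?)\s+ALLOW IN\s", status_text, re.M)
    allowed = {re.sub(r" \(v6\)$", "", to) for to in rows}
    findings += [f"unexpected inbound allow: {t}" for t in sorted(allowed - expected)]
    findings += [f"expected rule missing: {t}" for t in sorted(expected - allowed)]
    return findings

if __name__ == "__main__":
    print(audit_ufw(SAMPLE_OK))
    print(audit_ufw(SAMPLE_DRIFT))
```

On a managed host, the same function can be fed the real output of `ufw status verbose` instead of the constructed samples.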