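---
# Baseline host firewall: install ufw, add the management/monitoring allow
# rules, then enable ufw with a default-deny inbound policy.
#
# Variables (optional; the defaults reproduce the previously hard-coded values):
#   internal_network - CIDR allowed to ping the host and to send monitoring
#                      traffic (default: 192.168.1.0/24)

- name: system setup | firewall | install ufw
  package:
    name: ufw
    state: present

# The SSH allow rule is added BEFORE the firewall is enabled with a deny
# policy, so a remote Ansible session cannot be locked out mid-play. ufw
# persists rules even while disabled, so the rule is in place at enable time.
# Hardening option: `rule: limit` instead of `rule: allow` rate-limits new
# connections per source address (ufw's built-in brute-force mitigation).
- name: system setup | firewall | allow ssh from anywhere
  community.general.ufw:
    rule: allow
    port: '22'
    proto: tcp
    src: 'any'

# Each loop item: proto (required), port (optional, omitted if absent),
# comment (optional, stored as the ufw rule comment; omitted if absent).
- name: system setup | firewall | allow other monitoring traffic from internal networks
  community.general.ufw:
    rule: allow
    proto: "{{ item.proto }}"
    port: "{{ item.port | default(omit) }}"
    src: "{{ internal_network | default('192.168.1.0/24') }}"
    comment: "{{ item.comment | default(omit) }}"
  loop:
    - { proto: 'udp', port: '161', comment: 'Allow SNMP' }

- name: system setup | firewall | deny all incoming traffic by default and enable firewall
  community.general.ufw:
    state: enabled
    policy: deny

# NOTE(review): /etc/ufw/user.rules is regenerated by ufw whenever rules change
# (including by the ufw-module tasks above), which is why this task comes after
# them. Verify the managed block survives later rule changes — ufw's documented
# location for hand-written rules is /etc/ufw/before.rules (chain
# ufw-before-input), and the stock before.rules typically already accepts
# echo-request, so confirm this extra rule is still required.
- name: system setup | firewall | allow ping (ICMP) from internal network via iptables rule
  blockinfile:
    path: /etc/ufw/user.rules
    marker: "### {mark} ANSIBLE MANAGED BLOCK (ICMP for internal network)"
    # blockinfile inserts before the LAST match of the regex; user.rules is
    # expected to hold a single COMMIT closing its *filter table.
    insertbefore: "^COMMIT"
    block: |
      # Allow incoming ICMP (ping) requests from internal network
      -A ufw-user-input -p icmp --icmp-type echo-request -s {{ internal_network | default('192.168.1.0/24') }} -j ACCEPT
  notify: reload ufw firewall  # handler is defined outside this file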