From 8d7d07020117c7bca9f66d3d17f72260a389ee31 Mon Sep 17 00:00:00 2001
From: Chris Lamb <chris@chris-lamb.co.uk>
Date: Sat, 23 Apr 2016 07:01:19 +0100
Subject: [PATCH] =?UTF-8?q?system/ufw.py:=20Add=20security=20warning=20re.?=
 =?UTF-8?q?=20removing=20ufw=20application=20prof=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's not particularly obvious that removing an application will remove it
from ufw's own state, potentially leaving ports open on your box if you
upload your configuration.

Whilst this applies to a lot of things in Ansible, firewall rules might
cross some sort of line that justifies such a warning in his instance.

Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
---
 system/ufw.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/system/ufw.py b/system/ufw.py
index cd148edf2ef..89376e7c22e 100644
--- a/system/ufw.py
+++ b/system/ufw.py
@@ -142,7 +142,9 @@ ufw: rule=reject port=auth log=yes
 # for details. Typical usage is:
 ufw: rule=limit port=ssh proto=tcp
 
-# Allow OpenSSH
+# Allow OpenSSH. (Note that as ufw manages its own state, simply removing
+# a rule=allow task can leave those ports exposed. Either use delete=yes
+# or a separate state=reset task)
 ufw: rule=allow name=OpenSSH
 
 # Delete OpenSSH rule