From c0787b12ceeee4eee0c2139d25dc817b14eba3ef Mon Sep 17 00:00:00 2001 From: Chris Lamb Date: Sat, 23 Apr 2016 07:01:19 +0100 Subject: [PATCH] =?UTF-8?q?system/ufw.py:=20Add=20security=20warning=20re.?= =?UTF-8?q?=20removing=20ufw=20application=20prof=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's not particularly obvious that removing an application will remove it from ufw's own state, potentially leaving ports open on your box if you upload your configuration. Whilst this applies to a lot of things in Ansible, firewall rules might cross some sort of line that justifies such a warning in his instance. Signed-off-by: Chris Lamb --- lib/ansible/modules/extras/system/ufw.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/ansible/modules/extras/system/ufw.py b/lib/ansible/modules/extras/system/ufw.py index cd148edf2e..89376e7c22 100644 --- a/lib/ansible/modules/extras/system/ufw.py +++ b/lib/ansible/modules/extras/system/ufw.py @@ -142,7 +142,9 @@ ufw: rule=reject port=auth log=yes # for details. Typical usage is: ufw: rule=limit port=ssh proto=tcp -# Allow OpenSSH +# Allow OpenSSH. (Note that as ufw manages its own state, simply removing +# a rule=allow task can leave those ports exposed. Either use delete=yes +# or a separate state=reset task) ufw: rule=allow name=OpenSSH # Delete OpenSSH rule
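Review bot: the new comment recommends "a separate state=reset task" as an alternative to delete=yes without saying what reset does; in this module state=reset disables ufw and drops every rule back to installation defaults, so a reader who follows the advice to close one stale OpenSSH allow may also remove every other rule and leave the firewall disabled until a later state=enabled task runs. Suggest qualifying the comment, e.g. "or a separate state=reset task (which disables ufw and removes all rules, so re-declare the full rule set afterwards)", and mentioning that delete=yes is the targeted option. Minor: the parenthetical ends with "task)" with no terminating period, unlike the other example comments; and the commit message reads "in his instance" where "in this instance" is meant.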