This role configures the firewall on machines that are using firewalld.
For the configuration the role uses the firewalld client interface
which is available in RHEL-7 and later.
The configuration of the firewall could limit access to the machine over the
network. Therefore it is needed to make sure that the SSH port is still
accessible for the ansible server.
WARNING: If the configuration failed or if the firewall configuration limits
access to the machine in a bad way, it is most likely be needed to get
physical access to the machine to fix the issue.
The firewall role uses the variable firewall
to specify the parameters. This variable is a list
of dict
values. Each dict
value is comprised of one or more keys listed below. These are the variables that can be passed to the role:
Name of the zone that should be modified. If it is not set, the default zone
will be used. It will have an effect on these variables: service
, port
,
source_port
, forward_port
, masquerade
, rich_rule
, source
, interface
,
icmp_block
, icmp_block_inversion
, and target
.
You can also use this to add/remove user-created zones. Specify the zone
variable with no other variables, and use state: present
to add the zone, or
state: absent
to remove it.
zone: 'public'
Name of a service or service list to add or remove inbound access to. The
service needs to be defined in firewalld.
service: 'ftp'
service: [ 'ftp', 'tftp' ]
Port or port range or a list of them to add or remove inbound access to. It
needs to be in the format <port>[-<port>]/<protocol>
.
port: '443/tcp'
port: [ '443/tcp', '443/udp' ]
Port or port range or a list of them to add or remove source port access to. It
needs to be in the format <port>[-<port>]/<protocol>
.
source_port: '443/tcp'
source_port: [ '443/tcp', '443/udp' ]
Add or remove port forwarding for ports or port ranges for a zone. It takes two
different formats:
firewall-cmd
--add-forward-port
e.g. <port>[-<port>]/<protocol>;[<to-port>];[<to-addr>]
ansible.posix.firewalld
:forward_port:
port: <port>
proto: <protocol>
[toport: <to-port>]
[toaddr: <to-addr>]
examples
forward_port: '447/tcp;;1.2.3.4'
forward_port: [ '447/tcp;;1.2.3.4', '448/tcp;;1.2.3.5' ]
forward_port:
- port: 447
proto: tcp
toaddr: 1.2.3.4
- port: 448
proto: tcp
toaddr: 1.2.3.5
port_forward
is an alias for forward_port
. Its use is deprecated and will
be removed in an upcoming release.
Enable or disable masquerade on the given zone.
masquerade: false
String or list of rich rule strings. For the format see (Syntax for firewalld
rich language
rules)[https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html]
rich_rule: rule service name="ftp" audit limit value="1/m" accept
List of source address or address range strings. A source address or address
range is either an IP address or a network IP address with a mask for IPv4 or
IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6 the
mask is a plain number.
source: 192.0.2.0/24
String or list of interface name strings.
interface: eth2
String or list of ICMP type strings to block. The ICMP type names needs to be
defined in firewalld configuration.
icmp_block: echo-request
ICMP block inversion bool setting. It enables or disables inversion of ICMP
blocks for a zone in firewalld.
icmp_block_inversion: true
The firewalld zone target. If the state is set to absent
,this will reset the
target to default. Valid values are “default”, “ACCEPT”, “DROP”, “%%REJECT%%”.
target: ACCEPT
The amount of time in seconds a setting is in effect. The timeout is usable if
enabled
runtime
is settimeout: 60
state: enabled
service: https
Enable or disable the entry.
state: 'enabled' | 'disabled' | 'present' | 'absent'
NOTE: present
and absent
are only used for zone
and target
operations,
and cannot be used for any other operation.
NOTE: zone
- use state: present
to add a zone, and state: absent
to remove
a zone, when zone is the only variable e.g.
firewall:
- zone: my-new-zone
state: present
NOTE: target
- you can also use state: present
to add a target - state:
absent
will reset the target to the default.
Enable changes in runtime configuration. If runtime
parameter is not provided, the default will be set to True
.
runtime: true
Enable changes in permanent configuration. If permanent
parameter is not provided, the default will be set to True
.
permanent: true
The permanent and runtime settings are independent, so you can set only the runtime, or only the permanent. You cannot
set both permanent and runtime to false
.
By default, any changes will be applied immediately, and to the permanent settings. If you want the changes to apply immediately but not permanently, use permanent: no
. Conversely, use runtime: no
.
Permit TCP traffic for port 80 in default zone:
firewall:
- port: 80/tcp
state: enabled
Do not permit TCP traffic for port 80 in default zone:
firewall:
- port: 80/tcp
state: disabled
Add masquerading to dmz zone:
firewall:
- masquerade: yes
zone: dmz
state: enabled
Remove masquerading to dmz zone:
firewall:
- masquerade: no
zone: dmz
state: enabled
Allow interface eth2 in trusted zone:
firewall:
- interface: eth2
zone: trusted
state: enabled
Don’t allow interface eth2 in trusted zone:
firewall:
- interface: eth2
zone: trusted
state: disabled
Permit traffic in default zone for https service:
firewall:
- service: https
state: enabled
Do not permit traffic in default zone for https service:
firewall:
- service: https
state: disabled
With this playbook it is possible to make sure the ssh service is enabled in the firewall:
---
- name: Make sure ssh service is enabled
hosts: myhost
vars:
firewall:
- service: 'ssh'
state: 'enabled'
roles:
- fedora.linux_system_roles.firewall
With this playbook you can make sure that the tftp service is disabled in the firewall:
---
- name: Make sure tftp service is disabled
hosts: myhost
vars:
firewall:
- service: 'tftp'
state: 'disabled'
roles:
- fedora.linux_system_roles.firewall
It is also possible to combine several settings into blocks:
---
- name: Configure firewall
hosts: myhost
vars:
firewall:
- { service: [ 'tftp', 'ftp' ],
port: [ '443/tcp', '443/udp' ],
state: 'enabled' }
- { forward_port: [ 'eth2;447/tcp;;1.2.3.4',
'eth2;448/tcp;;1.2.3.5' ],
state: 'enabled' }
- { zone: "internal", service: 'tftp', state: 'enabled' }
- { service: 'tftp', state: 'enabled' }
- { port: '443/tcp', state: 'enabled' }
- { forward_port: 'eth0;445/tcp;;1.2.3.4', state: 'enabled' }
state: 'enabled' }
roles:
- fedora.linux_system_roles.firewall
The block with several services, ports, etc. will be applied at once. If there is something wrong in the block it will fail as a whole.
- name: Configure external zone in firewall
hosts: myhost
vars:
firewall:
- { zone: 'external',
service: [ 'tftp', 'ftp' ],
port: [ '443/tcp', '443/udp' ],
forward_port: [ '447/tcp;;1.2.3.4',
'448/tcp;;1.2.3.5' ],
state: 'enabled' }
roles:
- fedora.linux_system_roles.firewall
Thomas Woerner
GPLv2+