Skip to content
master
Switch branches/tags
Code

Files

Permalink
Failed to load latest commit information.

firewall

CI Testing

This role configures the firewall on machines that are using firewalld.

For the configuration the role uses the firewalld client interface which is available in RHEL-7 and later.

Supported Distributions

  • RHEL-7+, CentOS-7+
  • Fedora

Limitations

Configuration over Network

The configuration of the firewall could limit access to the machine over the network. Therefore it is needed to make sure that the SSH port is still accessible for the ansible server.

The Error Case

WARNING: If the configuration failed or if the firewall configuration limits access to the machine in a bad way, it is most likely be needed to get physical access to the machine to fix the issue.

Variables

These are the variables that can be passed to the role:

zone

Name of the zone that should be modified. If it is not set, the default zone will be used. It will have an effect on these parameters: service, port and forward_port.

zone: 'public'

service

Name of a service or service list to add or remove inbound access to. The service needs to be defined in firewalld.

service: 'ftp'
service: [ 'ftp', 'tftp' ]

port

Port or port range or a list of them to add or remove inbound access to. It needs to be in the format <port>[-<port>]/<protocol>.

port: '443/tcp'
port: [ '443/tcp', '443/udp' ]

forward_port

Add or remove port forwarding for ports or port ranges for a zone. It needs to be in the format <port>[-<port>]/<protocol>;[<to-port>];[<to-addr>].

forward_port: '447/tcp;;1.2.3.4'
forward_port: [ '447/tcp;;1.2.3.4', '448/tcp;;1.2.3.5' ]

state

Enable or disable the entry.

state: 'enabled' | 'disabled'

Example Playbooks

With this playbook it is possible to make sure the ssh service is enabled in the firewall:

---
- name: Make sure ssh service is enabled
  hosts: myhost

  vars:
    firewall:
      service: 'ssh'
      state: 'enabled'
  roles:
    - linux-system-roles.firewall

With this playbook you can make sure that the tftp service is disabled in the firewall:

---
- name: Make sure tftp service is disabled
  hosts: myhost

  vars:
    firewall:
      service: 'tftp'
      state: 'disabled'
  roles:
    - linux-system-roles.firewall

It is also possible to combine several settings into blocks:

---
- name: Configure firewall
  hosts: myhost

  vars:
    firewall:
      - { service: [ 'tftp', 'ftp' ],
          port: [ '443/tcp', '443/udp' ],
-         state: 'enabled' }
-     - { forward_port: [ 'eth2;447/tcp;;1.2.3.4',
                          'eth2;448/tcp;;1.2.3.5' ],
          state: 'enabled' }
      - { zone: "internal", service: 'tftp', state: 'enabled' }
      - { service: 'tftp', state: 'enabled' }
      - { port: '443/tcp', state: 'enabled' }
      - { forward_port: 'eth0;445/tcp;;1.2.3.4', state: 'enabled' }
          state: 'enabled' }
  roles:
    - linux-system-roles.firewall

The block with several services, ports, etc. will be applied at once. If there is something wrong in the block it will fail as a whole.

- name: Configure external zone in firewall
  hosts: myhost

  vars:
    firewall:
      - { zone: 'external',
          service: [ 'tftp', 'ftp' ],
          port: [ '443/tcp', '443/udp' ],
          forward_port: [ '447/tcp;;1.2.3.4',
                          '448/tcp;;1.2.3.5' ],
          state: 'enabled' }
  roles:
    - linux-system-roles.firewall

Authors

Thomas Woerner

License

GPLv2+