If you are not familiar with modules, check out Ansible - Getting Started with Modules.
The firewalld module is used to modify firewalld.
The firewalld module is part of the ansible.posix collection. You may need to install the ansible.posix collection to use the firewalld module.
The interface option is used to add or remove an interface, such as eth0, from a zone. Refer to Firewalld - Bind an interface to a zone for a better understanding of interfaces and zones.
- When state is enabled, the interface will be added (bound)
- When state is disabled, the interface will be removed (unbound)
- name: bind interface eth0 to the public zone
  firewalld:
    interface: eth0
    state: enabled
    permanent: yes
    immediate: yes
    zone: public
The service option is used to enable or disable connections to a protocol's well-known port, such as port 80 for HTTP. Refer to Firewalld - allow or deny a service for a better understanding of how firewalld is configured to allow or deny a connection to a service.
- name: allow HTTP connections
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes
The port option can be used to enable or disable connections to a port number. This is typically used when a protocol is not using its default port, such as when HTTP is served on port 8080. Refer to Firewalld - allow or deny a port for a better understanding of how firewalld is configured to allow or deny a connection to a port.
- name: allow TCP connections to port 8080
  firewalld:
    port: 8080/tcp
    state: enabled
    permanent: yes
    immediate: yes
The source option can be used to only allow connections from certain IP addresses. In this example, only connections from IP addresses in the 192.168.0.0/24 subnet will be allowed. Refer to Firewalld - allow certain IP addresses (source) for a better understanding of how firewalld is configured to allow connections from certain IP addresses.
- name: only allow connections from subnet 192.168.0.0/24
  firewalld:
    source: 192.168.0.0/24
    state: enabled
    permanent: yes
    immediate: yes
The icmp_block_inversion option can be used to enable or disable ICMP block inversion. Refer to Firewalld - allow or deny ICMP for a better understanding of ICMP block inversion.
- When state is enabled, ICMP block inversion will be turned on
- When state is disabled, ICMP block inversion will be turned off
- name: disable ICMP block inversion
  firewalld:
    icmp_block_inversion: yes
    state: disabled
    permanent: yes
    immediate: yes
The icmp_block option can be used to add or remove an ICMP block. Refer to Firewalld - allow or deny ICMP for a better understanding of ICMP blocks.
- When state is enabled, the ICMP block will be added
- When state is disabled, the ICMP block will be removed
- name: add an ICMP block for echo-request
  firewalld:
    icmp_block: echo-request
    state: enabled
    permanent: yes
    immediate: yes
The masquerade option can be used to enable or disable IP address masquerade. Refer to Firewalld - IP address masquerade for a better understanding of IP address masquerading.
- When state is enabled, IP address masquerade will be turned on
- When state is disabled, IP address masquerade will be turned off
- name: enable IP address masquerade
  firewalld:
    masquerade: yes
    state: enabled
    permanent: yes
    immediate: yes
The rich_rule option can be used to create a rich rule, a rule written in firewalld's rich rule language, which is beyond the scope of this article. In this example, a rich rule is created to only allow one FTP connection per minute. Refer to Firewalld - rich rules for a better understanding of how firewalld is configured with rich rules.
- name: rich rule to only allow one FTP connection per minute
  firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    state: enabled
    permanent: yes
    immediate: yes
The firewalld module does not have a way to reload firewalld. The systemd module can be used to restart the firewalld service.
- name: restart firewalld
  systemd:
    name: firewalld
    state: restarted
    daemon_reload: true
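The snippets above each show one option in isolation. The following playbook is an added example, not part of the original article, that puts the source, zone, service, port and rich_rule options together into a single allow-listed web host, and shows a reload handler as an alternative to restarting the service. It assumes the ansible.posix collection is installed and that the managed host runs firewalld with the standard public and internal zones. The host group name, the interface name eth0, the 192.168.0.0/24 management subnet, the port list and the rich rule are constructed sample values.

```yaml
# Added example playbook (not from the original article). Assumes the
# ansible.posix collection is installed and that the managed hosts run
# firewalld with the standard "public" and "internal" zones. The host group,
# interface name, subnet, ports and rich rule are constructed sample values.
---
- name: Configure firewalld on web hosts
  hosts: webservers
  become: true
  vars:
    admin_subnet: 192.168.0.0/24   # constructed: the management network
    public_ports:
      - 80/tcp
      - 443/tcp

  tasks:
    - name: Bind the outward-facing interface to the public zone
      ansible.posix.firewalld:
        zone: public
        interface: eth0
        state: enabled
        permanent: true
        immediate: true

    - name: Expose only the web ports in the public zone
      ansible.posix.firewalld:
        zone: public
        port: "{{ item }}"
        state: enabled
        permanent: true
        immediate: true
      loop: "{{ public_ports }}"

    # A source on its own does not block other addresses: it routes traffic
    # from that source into the zone it is added to. Putting the admin subnet
    # into the "internal" zone and allowing ssh only there is the allow-list
    # pattern; ssh is then unreachable from the public zone.
    - name: Route traffic from the admin subnet into the internal zone
      ansible.posix.firewalld:
        zone: internal
        source: "{{ admin_subnet }}"
        state: enabled
        permanent: true
        immediate: true

    # Rich rule values contain double quotes, so wrap the whole rule in
    # single quotes to keep YAML from interpreting them. This rule accepts
    # ssh from the internal zone and logs new connections, at most 5 per
    # minute, so the log cannot be flooded.
    - name: Allow and log ssh from the internal zone
      ansible.posix.firewalld:
        zone: internal
        rich_rule: 'rule service name="ssh" log prefix="ssh-internal " level="info" limit value="5/m" accept'
        state: enabled
        permanent: true
        immediate: true

    # Permanent-only change: it is not applied to the running firewall until
    # the reload handler runs at the end of the play.
    - name: Remove ssh from the public zone
      ansible.posix.firewalld:
        zone: public
        service: ssh
        state: disabled
        permanent: true
      notify: reload firewalld

    - name: Read back the public zone for the play log
      ansible.builtin.command: firewall-cmd --zone=public --list-all
      register: public_zone
      changed_when: false

    - name: Print the public zone configuration
      ansible.builtin.debug:
        var: public_zone.stdout_lines

  handlers:
    # "firewall-cmd --reload" re-reads the permanent configuration while the
    # service stays up and existing connections are kept; a systemd restart
    # also works but briefly takes the firewall down and drops runtime-only
    # rules that were never made permanent.
    - name: reload firewalld
      ansible.builtin.command: firewall-cmd --reload
      changed_when: true
```

Tasks that set both permanent and immediate to true already apply their change to the running firewall, so the handler is only notified by the one task that changes the permanent configuration alone. The read-back task at the end runs with changed_when: false so that inspecting the zone never reports a change.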