Bootstrap FreeKB - Ansible - Manage firewalld
Ansible - Manage firewalld

Updated:   |  Ansible articles

If you are not familiar with modules, check out Ansible - Getting Started with Modules.

The firewalld module is used to modify firewalld.

The firewalld module is part of the ansible.posix collection. You may need to install the ansible.posix collection to use the firewalld module.

The interface option is used to add or remove an interface, such as eth0, from a zone. Refer to Firewalld - Bind an interface to a zone for a better understand of interfaces and zones. 

  • When state is enabled, the interface will be added (bound)
  • When state is disabled, the interface will be removed (unbound)
- name: bind interface eth0 to the public zone
  firewalld:
    interface: eth0
    state: enabled
    permanent: yes
    immediate: yes
    zone: public

 

The service option is used to enable or disable connections to a protocols common port, such as when HTTP is using port 80. Refer to Firewalld - allow or deny a service for a better understanding of how firewalld is configured to allow or deny a connection to a service.

- name: allow HTTP connections
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes

 

The port option can be used to enable or disable connections to a port number. This is typically used when a protocol is not using the default port associated with the protocol, such as when HTTP is using 8080. Refer to Firewalld - allow or deny a port for a better understanding of how firewalld is configured to allow or deny a connection to a port.

- name: allow TCP connections to port 8080
  firewalld:
    port: 8080/tcp
    state: enabled
    permanent: yes
    immediate: yes

 

The source option can be used to only allow connections from certain IP addresses. In this example, only connections from IP addresses in the 192.168.0.0/24 subnet will be allowed. Refer to Firewalld - allow certain IP addresses (source) for a better understanding of how firewalld is configured to allow connections from certain IP addresses.

- name: only allow connections from subnet 192.168.0.0/24
  firewalld:
    source: 192.168.0.0/24
    state: enabled
    permanent: yes
    immediate: yes

 

The icmp_block_inversion option can be used to enable or disable ICMP block inversion. Refer to Firewalld - allow or deny ICMP for a better understanding of ICMP block inversion.

  • When state is enabled, ICMP block inversion will be turned on
  • When state is disabled, ICMP block inversion will be turned off
- name: disable ICMP block inversion
  firewalld:
    icmp_block_inversion: yes
    state: disabled
    permanent: yes
    immediate: yes

 

The icmp_block option can be used to add or remove an ICMP block. Refer to Firewalld - allow or deny ICMP for a better understanding of ICMP block inversion.

  • When state is enabled, the ICMP block will be added
  • When state is disabled, the ICMP block will be removed
- name: allow ICMP block echo-request
  firewalld:
    icmp_block: echo-request
    state: enabled
    permanent: yes
    immediate: yes

 

The masquerade option can be used to enable or disable IP address masquerade. Refer to Firewalld - IP address masquerade for a better understanding of IP address masquerading.

  • When state is enabled, IP address masquerade will be turned on
  • When state is disabled, IP address masquerade will be turned off
- name: enable IP address masquerade
  firewalld:
    masquerade: yes
    state: enabled
    permanent: yes
    immediate: yes

 

The rich_rule option can be used to create a rich rule, which is a special type of unique rule that is beyond the scope of this article. In this example, a rich rule is created to only allow one FTP connection per minute. Refer to Firewalld - rich rules for a better understanding of how firewalld is configured with rich rules.

- name: rich rule to only allow one FTP connection per minute
  firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    state: enabled
    permanent: yes
    immediate: yes

 

The firewalld module does not have a way to reload firewalld. The systemd module can be used to restart the firewalld service.

- name: restart firewalld
  systemd:
    name: firewalld
    state: restarted
    daemon_reload: true

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter 356bd6 in the box below so that we can be sure you are a human.