Allows you to configure firewalld.
Config options:
- default zone
- interface of a zone
- source of a zone
- service rules (with purging of undefined rules, if wanted)
- port rules
- rich rules
Tested on RHEL 7, CentOS 7 and Fedora 29 only.
Requires Ansible 2.0 or above.
It is not necessary to use all of these variable blocks; use only the config options you actually need.
The following variable is used to define the default zone of firewalld:
firewalld_default_zone: (optional, default: public)
The following variables are used to define the interface of a zone (multiple interfaces per zone possible, one interface per line):
firewalld_zone_interface:
  public: (required, e.g. eth0)
The following variables are used to define/undefine a zone:
firewalld_zones:
  myzone:
    state: (optional, only values: present|absent, default: present)
The following variables are used to define the source of a zone:
firewalld_zone_source:
  public:
    source: (required, e.g. "192.168.1.0/24")
    state: (optional, only values: enabled|disabled, default: enabled)
    permanent: (optional, only values: true|false, default: true)
    immediate: (optional, only values: true|false, default: true)
The following variables are used to define a service rule:
firewalld_service_rules:
  service:
    state: (optional, only values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, only values: true|false, default: true)
    immediate: (optional, only values: true|false, default: true)
The following variable is used to purge active service rules that are not defined in firewalld_service_rules:
firewalld_purge_services: (optional, only values: true|false, default: false)
The following variables are used to define a port rule:
firewalld_port_rules:
  name:
    port: (required, port or port range)
    protocol: (optional, only values: tcp|udp, default: tcp)
    state: (optional, only values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, only values: true|false, default: true)
    immediate: (optional, only values: true|false, default: true)
The following variables are used to define a rich rule:
firewalld_rich_rules:
  name:
    rule: (required, a complete rule in firewalld rich language)
    state: (optional, only values: enabled|disabled, default: enabled)
    zone: (optional, default: public)
    permanent: (optional, only values: true|false, default: true)
    immediate: (optional, only values: true|false, default: true)
These are the handlers that are defined in this role:
- restart firewalld
- hosts: server
  become: yes
  become_user: root
  become_method: su
  roles:
    - ansible-firewalld-role
  vars:
    firewalld_default_zone: public
    firewalld_zone_interface:
      public: eth0
      internal: eth1
      internal: eth2
    firewalld_zone_source:
      trusted:
        source: "192.168.1.0/24"
        state: enabled
        permanent: true
        immediate: true
    firewalld_service_rules:
      ssh:
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_port_rules:
      smtp:
        port: 25
        protocol: tcp
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_rich_rules:
      ftp_audit:
        rule: 'rule service name="ftp" audit limit value="1/m" accept'
        state: enabled
        zone: public
        permanent: true
        immediate: true
    firewalld_purge_services: true
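As an added pre-flight check (example code, not part of the role), the script below validates a set of role variables against the constraints documented above: required keys, the allowed values for state and protocol, and that permanent, immediate and firewalld_purge_services are booleans. The function names are this example's own, and the sample dict mirrors the vars of the example playbook.

```python
# Added example, not part of the role: validate vars against the README's documented constraints.
BOOL_KEYS = ("permanent", "immediate")
RULE_STATES = {"enabled", "disabled"}

def _check_common(errors, where, entry, required=()):
    """Check the keys all rule types share: required keys, state and booleans."""
    for key in required:
        if key not in entry:
            errors.append(f"{where}: missing required key '{key}'")
    if entry.get("state", "enabled") not in RULE_STATES:
        errors.append(f"{where}: state must be enabled|disabled")
    for key in BOOL_KEYS:
        if not isinstance(entry.get(key, True), bool):
            errors.append(f"{where}: {key} must be true|false")

def _port_ok(port):
    """Accept a single port or a low-high range, each within 1-65535."""
    parts = str(port).split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)

def validate_firewalld_vars(v):
    """Return a list of problems; an empty list means the vars match the README."""
    errors = []
    for zone, spec in v.get("firewalld_zone_source", {}).items():
        _check_common(errors, f"firewalld_zone_source.{zone}", spec, ("source",))
    for name, spec in v.get("firewalld_service_rules", {}).items():
        _check_common(errors, f"firewalld_service_rules.{name}", spec)
    for name, spec in v.get("firewalld_port_rules", {}).items():
        where = f"firewalld_port_rules.{name}"
        _check_common(errors, where, spec, ("port",))
        if "port" in spec and not _port_ok(spec["port"]):
            errors.append(f"{where}: port must be a port or low-high range")
        if spec.get("protocol", "tcp") not in {"tcp", "udp"}:
            errors.append(f"{where}: protocol must be tcp|udp")
    for name, spec in v.get("firewalld_rich_rules", {}).items():
        _check_common(errors, f"firewalld_rich_rules.{name}", spec, ("rule",))
    if not isinstance(v.get("firewalld_purge_services", False), bool):
        errors.append("firewalld_purge_services must be true|false")
    return errors

# Constructed sample: the vars of this README's example playbook as a Python dict.
SAMPLE_VARS = {"firewalld_default_zone": "public", "firewalld_purge_services": True,
    "firewalld_zone_source": {"trusted": {"source": "192.168.1.0/24"}},
    "firewalld_service_rules": {"ssh": {"state": "enabled", "zone": "public"}},
    "firewalld_port_rules": {"smtp": {"port": 25, "protocol": "tcp"}},
    "firewalld_rich_rules": {"ftp_audit": {"rule": 'rule service name="ftp" audit limit value="1/m" accept'}}}
```

Running the validator in a pre_tasks step or a CI job catches a misspelled state or a non-boolean permanent before the role touches the live firewall.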
MIT