ptrunk/ansible-firewalld
Firewalld Ansible Role

Install and configure firewalld (https://www.firewalld.org/) on

  • Archlinux
  • Debian (experimental)
  • CentOS
  • Fedora
  • RHEL

See the Examples section for how to use this role.

Requirements

  • Ansible 2.3

Configuration

Global firewalld.conf

Change settings in firewalld.conf

firewalld_conf: {}

Easy method

This will use the ansible firewalld module (https://docs.ansible.com/ansible/latest/firewalld_module.html).

firewalld:
  - immediate: true
    interface: ""
    masquerade: true
    permanent: false
    port: ""
    rich_rule: ""
    service: ""
    source: ""
    state: enabled
    zone: ""
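A complete playbook for the easy method, added here as an example and not taken from the role's own documentation. It assumes the role is installed under the name ansible-firewalld (the name is an assumption) and uses only parameters of the Ansible firewalld module listed above. The entries show the permanent/immediate combinations: permanent plus immediate is written to /etc/firewalld and applied now, while permanent: false is runtime only and disappears on the next reload or reboot.

```yaml
# Added example playbook; role name "ansible-firewalld" is an assumption.
- hosts: webservers
  become: true
  vars:
    firewalld:
      # Permanent and applied immediately: survives a reload.
      - service: https
        zone: public
        permanent: true
        immediate: true
        state: enabled
      # Bind the admin network (RFC 5737 documentation range, constructed)
      # to the "internal" zone and allow ssh there ...
      - source: 192.0.2.0/24
        zone: internal
        permanent: true
        immediate: true
        state: enabled
      - service: ssh
        zone: internal
        permanent: true
        immediate: true
        state: enabled
      # ... then remove ssh from the Internet-facing public zone.
      - service: ssh
        zone: public
        permanent: true
        immediate: true
        state: disabled
      # Runtime-only opening for a maintenance window: gone after
      # "firewall-cmd --reload" or a reboot, as the Examples section notes.
      - port: 8080/tcp
        zone: public
        permanent: false
        immediate: true
        state: enabled
  roles:
    - ansible-firewalld
```

The entries are applied in list order, so the internal-zone source and ssh entries come before the entry that drops ssh from public; reversing them would cut off the session the playbook is running over. Verify the result on the host with firewall-cmd --list-all-zones and compare the runtime output against firewall-cmd --permanent --list-all-zones to see which entries will survive a reload.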

Advanced method

Define custom ipsets, services and zones in /etc/firewalld.

ipset Definitions

firewalld_ipsets:
  - type: ""
    short: ""
    description: ""
    option:
      name: value
    entry: []

Use firewall-cmd --get-ipset-types to get a list of supported types.

Supported Options:

  Name       Value
  family     "inet", "inet6"
  timeout    integer
  hashsize   integer
  maxelem    integer

Service Definitions

firewalld_services:
  - name: ""
    short: ""
    description: ""
    port: []
    protocol: []
    source_port: []
    module: []
    destination: {}

Zone Definitions

  Variable   Examples
  protocol   "tcp", "udp", "sctp", "dccp"
  target     "ACCEPT", "%%REJECT%%", "DROP"

firewalld_zones:
  - name: ""
    short: ""
    description: ""
    target: ""
    interface:
      - name: ""
    source:
      - address: ""
      - mac: ""
      - ipset: ""
    service:
      - name: ""
    port:
      - { port: "", protocol: "" }
    protocol:
      - value:
    icmp-block:
      - name:
    icmp-block-inversion: true
    masquerade: true
    forward-port:
      - { port: "", protocol: "" }
    source-port:
      - { port: "", protocol: "" }
    rule:
      - source:
          address: ""
          mac: ""
          ipset: ""
        destination:
          ""
        service:
          name: ""
        port:
          port: ""
          protocol: ""
        protocol:
          value: ""
        icmp-block:
          name: ""
        icmp-type:
          name: ""
        masquerade: true
        forward-port:
          port: ""
          protocol: ""
          to-port: ""
          to-addr: ""
        source-port:
          port: ""
          protocol: ""
        log:
          prefix: ""
          level: ""
          limit: ""
        audit:
          limit: ""
        accept:
          limit: ""
        reject:
          rejecttype: ""
          limit: ""
        drop:
          limit: ""
        mark:
          set:
          limit: ""

Examples

Add a new service

firewalld_services:
  - name: myservice
    short: "MYSERVICE"
    description: "My custom service"
    port:
      - port: 123
        protocol: tcp

Change a common zone

Redefine public zone and allow myservice and http(s)

firewalld_zones:
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - name: "myservice"
      - name: http
      - name: https

Add a new zone

Add a new zone "mgt" and trust some sources

firewalld_zones:
  - name: mgt
    short: "MGT"
    description: "Trust my management hosts"
    target: "ACCEPT"
    source:
      - address: 1.2.3.4/32
      - address: 5.6.7.8/32

Allow a service temporarily (until restart)

firewalld:
  - service: https
    state: enabled

Change default zone

firewalld_conf:
  DefaultZone: "myzone"
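The examples above combined into one playbook for the advanced method, added here as an example and not part of the role's own documentation. It assumes the role is installed under the name ansible-firewalld and that keys omitted from a zone or rule entry are simply left unset (both assumptions). The public zone gets a DROP target so that only the listed services are reachable, a rich rule admits the custom service from one partner network with rate-limited logging, and LogDenied (a real firewalld.conf key) makes dropped packets visible in the kernel log for detection.

```yaml
# Added example playbook; role name "ansible-firewalld" is an assumption.
# All addresses are RFC 5737 documentation ranges, constructed for the example.
- hosts: dmz
  become: true
  vars:
    firewalld_conf:
      DefaultZone: "public"   # traffic that matches no source or interface lands here
      LogDenied: "unicast"    # log dropped/rejected unicast packets (firewalld.conf key)
    firewalld_services:
      - name: myservice
        short: "MYSERVICE"
        description: "My custom service"
        port:
          - port: 123
            protocol: tcp
    firewalld_zones:
      # Internet-facing zone: default deny, web only.
      - name: public
        short: "Public"
        description: "Internet-facing, default deny"
        target: "DROP"
        service:
          - name: http
          - name: https
        rule:
          # Rich rule: accept myservice only from the partner network and
          # log matches at most 5 per minute (keys omitted here are assumed unset).
          - source:
              address: 203.0.113.0/24
            service:
              name: myservice
            log:
              prefix: "myservice-partner "
              level: "info"
              limit: "5/m"
            accept:
              limit: "20/m"
      # Management zone: everything is accepted, but only from two admin hosts.
      - name: mgt
        short: "MGT"
        description: "Trust my management hosts"
        target: "ACCEPT"
        source:
          - address: 198.51.100.10/32
          - address: 198.51.100.11/32
  roles:
    - ansible-firewalld
```

Because public no longer carries ssh, administrative access depends entirely on the mgt sources being correct; apply the play from one of those hosts, or keep a console session open, and check the rendered files under /etc/firewalld/zones before and after with firewall-cmd --permanent --zone=public --list-all. With LogDenied set, rejected connection attempts show up in the kernel log (journalctl -k) prefixed with the zone name, which is the signal to watch for scanning against the DMZ hosts.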

TODO

  • firewalld_helpers
  • lockdown-whitelist.xml

Author

Paul Trunk [email protected]
