Ansible Firewalld

Ansible is a free and open-source automation tool that lets us automate DevOps and system administration tasks such as configuration management, software provisioning, and application deployment.

Firewalld, on the other hand, is a dynamic firewall manager for Linux that provides an easy way of managing iptables/nftables rules, defining zones, and handling other firewall-related configuration.

In this tutorial, we will explore the Ansible firewalld module, which lets us automate firewalld rules and operations.

Requirements:

To follow along with this post and the provided playbooks, ensure that you have the following:

  • Installed Ansible on the controlling machine
  • Installed Firewalld service on the target nodes
  • SSH access to the target nodes

Installing the Firewalld Module

In Ansible, the Firewalld module is part of the “ansible.posix” collection. Hence, you must ensure that you have it installed before using it in a playbook.

$ ansible-galaxy collection install ansible.posix

Ansible Firewalld Module Parameters

You need to know the following standard parameters when working with the firewalld module in Ansible. Check the module documentation for the full list:

service – It specifies the name of a service to add or remove. Specify the service’s name as it appears in firewalld, e.g., http, https, ftp, etc.

port – The port or port range that you want to add or remove. Similarly, specify the port and the corresponding protocol as 8080/tcp or 6000-6010/udp.

state – It sets the state of the specified rule. The supported values include:

  • enabled – adds the rule
  • disabled – removes the rule

zone – It is the firewall zone to add or remove the rule from. The default value is set to public.

permanent – If it is set to yes, the change is permanent across reboots. Otherwise, the change will only be in the runtime configuration.

immediate – If it is set to yes, the rule will be applied immediately rather than waiting until the next restart of the firewalld service.

source – It is the source network or IP address that you want to add to a zone.

interface – It specifies the name of an interface that you want to add to a zone. For example, eth0 or ens33.

icmp_block – It specifies an ICMP block that you wish to enable or disable in the firewall.

Let us cover some basic examples of how to work with this module on your systems.

Ensuring that Firewalld Is Installed

Before using the Ansible firewalld module, we should ensure that firewalld is installed on the target system using its package manager.

The following example playbook demonstrates how to use the Yum package manager to install firewalld:

---
- hosts: all
  tasks:
    - name: Install firewalld
      yum:
        name: firewalld
        state: present

Starting the Firewalld Service

Once firewalld is installed, you can ensure that the service is running as follows:

---
- hosts: all
  tasks:
    - name: Ensure firewalld is running
      service:
        name: firewalld
        state: started
        enabled: yes

Allowing a Specific Service

To allow a service (http for instance) through the firewall, we can use the service and state parameters as follows:

---
- hosts: all
  tasks:
    - name: Allow http service
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes

Denying a Specific Service

We can also deny a specific service by setting the state to disabled as follows:

---
- hosts: all
  tasks:
    - name: Deny ssh service
      firewalld:
        service: ssh
        state: disabled
        permanent: yes
        immediate: yes

This removes the ssh service from the default (public) zone, so new connections to the SSH server on that zone are refused. Keep in mind that Ansible itself reaches the target over SSH, so running this against a host you manage only through the public zone can cut off further management of that host.

Allowing Specific Ports

We can also allow specific ports as demonstrated in the following example playbook:

---
- hosts: all
  tasks:
    - name: Allow port 8080/tcp
      firewalld:
        port: 8080/tcp
        state: enabled
        permanent: yes
        immediate: yes

Denying a Port

To deny a port, you can run the playbook as follows:

---
- hosts: all
  tasks:
    - name: Deny port 22/tcp
      firewalld:
        port: 22/tcp
        state: disabled
        permanent: yes
        immediate: yes

Setting the Default Zone

The firewalld module has no parameter for the default zone; passing only zone with state: enabled does not change it. To set the default zone, call firewall-cmd from the command module, reading the current value first so the task stays idempotent:

---
- hosts: all
  tasks:
    - name: Check the current default zone
      command: firewall-cmd --get-default-zone
      register: default_zone
      changed_when: false

    - name: Set default zone to public
      command: firewall-cmd --set-default-zone=public
      when: default_zone.stdout != 'public'

This sets the default zone to public and reports a change only when the zone was different.

Adding a Source to a Zone

We can add an IP address or a network range to a specific zone as shown in the following example:

---
- hosts: all
  tasks:
    - name: Add 192.168.1.0/24 to the trusted zone
      firewalld:
        source: 192.168.1.0/24
        zone: trusted
        state: enabled
        permanent: yes

To remove a source from a zone, we can run the playbook as follows:

---
- hosts: all
  tasks:
    - name: Remove 192.168.1.0/24 from the trusted zone
      firewalld:
        source: 192.168.1.0/24
        zone: trusted
        state: disabled
        permanent: yes

Adding an Interface to a Zone

To attach a specific network interface to a given zone, we can run the playbook as follows:

---
- hosts: all
  tasks:
    - name: Add ens33 to the internal zone
      firewalld:
        zone: internal
        interface: ens33
        state: enabled
        permanent: yes
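The following playbook is an added example, not part of the original tutorial: it combines the service, source, and zone parameters covered above into one hardening run that opens a management path before closing ssh on the public zone, then reads the runtime configuration back and fails the run if ssh is still exposed. It assumes the ansible.posix collection is installed, that the Ansible controller sits inside the constructed management network 10.0.0.0/24, and that the target's default zone is public.

```yaml
---
- hosts: all
  become: true
  vars:
    mgmt_network: 10.0.0.0/24        # constructed example value
    public_services: [http, https]
  tasks:
    - name: Allow the public web services in the public zone
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        state: enabled
        permanent: true
        immediate: true
      loop: "{{ public_services }}"

    - name: Place the management network in the internal zone
      ansible.posix.firewalld:
        source: "{{ mgmt_network }}"
        zone: internal
        state: enabled
        permanent: true
        immediate: true

    - name: Ensure ssh is allowed in the internal zone
      ansible.posix.firewalld:
        service: ssh
        zone: internal
        state: enabled
        permanent: true
        immediate: true

    # Only now remove ssh from public: the management path above is already open.
    - name: Remove ssh from the public zone
      ansible.posix.firewalld:
        service: ssh
        zone: public
        state: disabled
        permanent: true
        immediate: true

    - name: Read back the services active in the public zone
      ansible.builtin.command: firewall-cmd --zone=public --list-services
      register: public_zone
      changed_when: false

    - name: Fail the run if ssh is still exposed in the public zone
      ansible.builtin.assert:
        that: "'ssh' not in public_zone.stdout.split()"
```

Because firewalld matches a packet's source zone before its interface zone, traffic from the management network keeps using the internal zone (where ssh stays allowed) even after ssh is removed from public.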

Conclusion

You learned about the main parameters and operations of the Ansible firewalld module, and saw practical examples of using it to automate and manage firewall rules across different systems.

About the author

John Otieno

My name is John and I am a fellow geek like you. I am passionate about all things computers, from hardware and operating systems to programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to the LinuxHint mailing list.