ansible-firewalld

This is an Ansible role that installs and configures firewalld on Red Hat Enterprise Linux.

Requirements

None

Role Variables Sample

shhirose_firewalld:
  default_zone: public

  zones:
    - zone: test1
      state: enabled

  interfaces:
    - interface: eth901
      zone: public
      immediate: yes
      permanent: True
      state: enabled

  targets:
    - target: DROP
      zone: home

  masquerades:
    - masquerade: yes
      zone: public
      immediate: yes
      permanent: True

  services:
    - service: http
      zone: public
      immediate: yes
      permanent: True
      state: enabled

  ports:
    - port: "8080/tcp"
      zone: public
      immediate: yes
      permanent: True
      state: enabled

  rich_rules:
    - rule: 'rule family="ipv4" source address="192.168.0.0/16" port protocol="tcp" port="22" accept'
      zone: public
      immediate: yes
      permanent: False
      state: enabled

  icmp_blocks:
    - type: echo-request
      zone: public
      immediate: yes
      permanent: False
      state: enabled

  sources:
    - source: "172.10.0.0/16"
      zone: public
      immediate: yes
      permanent: False
      state: enabled

  forward_ports:
    - proto: "tcp"
      port: "50022"
      toaddr: "192.168.10.10"
      toport: "22"
      zone: public
      immediate: yes
      permanent: False
      state: enabled

Variable parameters

zones

key    required  default  type    values               notes
zone   yes       -        string  -                    Name of the target zone.
state  yes       -        string  enabled or disabled  Add the zone if enabled.

targets

key     required  default  type    values                               notes
target  yes       -        string  default, ACCEPT, %%REJECT%% or DROP  -
zone    no        -        string  -                                    Name of the target zone.

masquerades

key         required  default  type     values         notes
masquerade  yes       -        string   yes or no      -
zone        no        -        string   -              Name of the target zone.
immediate   no        yes      string   yes or no      Apply the change to the running firewall immediately.
permanent   no        no       boolean  True or False  Write the change to the permanent configuration.

interfaces

key        required  default  type     values               notes
interface  yes       -        string   -                    Name of the target interface.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

services

key        required  default  type     values               notes
service    yes       -        string   -                    Name of the target service.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

ports

key        required  default  type     values               notes
port       yes       -        string   -                    Target port in port/protocol form, e.g. 8080/tcp.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

sources

key        required  default  type     values               notes
source     yes       -        string   -                    Connection source (address or network) to bind to the zone.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

rich_rules

key        required  default  type     values               notes
rule       yes       -        string   -                    Rich rule text.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

icmp_blocks

key        required  default  type     values               notes
type       yes       -        string   -                    ICMP type to block, e.g. echo-request.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.

forward_ports

key        required  default  type     values               notes
proto      yes       -        string   -                    Protocol of the source connection.
port       yes       -        string   -                    Source port.
toport     no        -        string   -                    Destination port.
toaddr     no        -        string   -                    Destination address.
zone       no        -        string   -                    Name of the target zone.
immediate  no        yes      string   yes or no            Apply the change to the running firewall immediately.
permanent  no        no       boolean  True or False        Write the change to the permanent configuration.
state      yes       -        string   enabled or disabled  Add the entry if enabled.
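
The parameter tables above define a small schema: which keys each list entry must carry, which values are legal, and that permanent defaults to no. The following pre-flight validator is an added example for this README, not code shipped with the shhirose.firewalld role. It checks a shhirose_firewalld dict (as Ansible sees it after YAML parsing) against those tables before any firewall change is made, and warns about entries that are not permanent and will therefore not survive a firewalld reload. The port syntax regex and both sample dicts are constructed assumptions, not taken from the role.

```python
"""Pre-flight validator for the shhirose_firewalld variable structure.

Added example for this README; it is not part of the shhirose.firewalld role.
It encodes the per-key constraints from the parameter tables (required keys,
allowed values, the 'permanent' default of no) so that a typo such as
state: enable or target: REJECT is caught before any firewall change is made.
"""
import re

YES_NO = {True, False, "yes", "no"}   # YAML 1.1 already turns yes/no into booleans
STATES = {"enabled", "disabled"}
TARGETS = {"default", "ACCEPT", "%%REJECT%%", "DROP"}
# Assumption: firewalld's port syntax is <port>[-<port>]/<protocol>.
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?/(tcp|udp|sctp|dccp)$")

# Per key: (required, allowed values or None for free-form), taken from the tables.
COMMON = {
    "zone": (False, None),
    "immediate": (False, YES_NO),
    "permanent": (False, YES_NO),
    "state": (True, STATES),
}
SCHEMA = {
    "zones":         {"zone": (True, None), "state": (True, STATES)},
    "targets":       {"target": (True, TARGETS), "zone": (False, None)},
    "masquerades":   {"masquerade": (True, YES_NO), "zone": (False, None),
                      "immediate": (False, YES_NO), "permanent": (False, YES_NO)},
    "interfaces":    {"interface": (True, None), **COMMON},
    "services":      {"service": (True, None), **COMMON},
    "ports":         {"port": (True, None), **COMMON},
    "sources":       {"source": (True, None), **COMMON},
    "rich_rules":    {"rule": (True, None), **COMMON},
    "icmp_blocks":   {"type": (True, None), **COMMON},
    "forward_ports": {"proto": (True, None), "port": (True, None), "toport": (False, None),
                      "toaddr": (False, None), **COMMON},
}


def validate(config):
    """Return (errors, warnings) for one shhirose_firewalld dict.

    Errors are schema violations; warnings flag entries that are not permanent
    and therefore disappear on the next firewalld reload.
    """
    errors, warnings = [], []
    for section, entries in config.items():
        if section == "default_zone":
            if not isinstance(entries, str):
                errors.append("default_zone: must be a zone name string")
            continue
        if section not in SCHEMA:
            errors.append(f"{section}: unknown section")
            continue
        spec = SCHEMA[section]
        for i, entry in enumerate(entries or []):
            where = f"{section}[{i}]"
            for key, (required, allowed) in spec.items():
                if key not in entry:
                    if required:
                        errors.append(f"{where}: missing required key '{key}'")
                    continue
                value = entry[key]
                if allowed is not None and (not isinstance(value, (str, bool)) or value not in allowed):
                    errors.append(f"{where}: {key}={value!r} not in {sorted(map(str, allowed))}")
            for key in entry:
                if key not in spec:
                    errors.append(f"{where}: unknown key '{key}'")
            if section == "ports" and "port" in entry:
                port = entry["port"]
                if not isinstance(port, str) or not PORT_RE.match(port):
                    errors.append(f"{where}: port {port!r} must look like 8080/tcp")
            if "permanent" in spec and entry.get("permanent", "no") in (False, "no"):
                warnings.append(f"{where}: not permanent, lost on firewalld reload")
    return errors, warnings


# Constructed input mirroring the role variable sample, as Ansible sees it after YAML parsing.
SAMPLE = {
    "default_zone": "public",
    "services": [{"service": "http", "zone": "public", "immediate": True,
                  "permanent": True, "state": "enabled"}],
    "ports": [{"port": "8080/tcp", "zone": "public", "immediate": True,
               "permanent": True, "state": "enabled"}],
    "rich_rules": [{"rule": 'rule family="ipv4" source address="192.168.0.0/16" '
                            'port protocol="tcp" port="22" accept',
                    "zone": "public", "immediate": True, "permanent": False, "state": "enabled"}],
}

# Constructed input with one mistake per section.
BROKEN = {
    "services": [{"service": "http", "state": "enable"}],          # typo in state
    "ports": [{"port": 8080, "state": "enabled"}],                 # protocol missing
    "targets": [{"target": "REJECT", "zone": "home"}],             # must be %%REJECT%%
    "icmp_block": [{"type": "echo-request", "state": "enabled"}],  # misspelled section
}

if __name__ == "__main__":
    for name, cfg in (("SAMPLE", SAMPLE), ("BROKEN", BROKEN)):
        errs, warns = validate(cfg)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  " + line)
```

Run on the sample, the validator reports no errors and one warning: the rich rule is applied with permanent: False, so the SSH allow for 192.168.0.0/16 exists only in the runtime configuration. A misspelled section name such as icmp_block is reported as unknown rather than silently ignored, which is the failure mode that otherwise leaves a host less restricted than the playbook suggests.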

Dependencies

None

Example Playbook

- hosts: servers
  roles:
     - { role: shhirose.firewalld }
  vars:
    shhirose_firewalld:
      services:
        - service: http
          zone: public
          immediate: yes
          permanent: True
          state: enabled
        - service: https
          zone: public
          immediate: yes
          permanent: True
          state: enabled
      ports:
        - port: 8080/tcp
          zone: public
          immediate: yes
          permanent: True
          state: enabled
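
Because each entry carries separate immediate and permanent flags, the runtime and permanent zone configuration can drift apart: an entry with immediate: yes and permanent: False is enforced now but vanishes on the next firewall-cmd --reload, and one with permanent: True and immediate: no is stored but not enforced until a reload. The following script is an added example, not part of the shhirose.firewalld role; it parses the text produced by firewall-cmd --zone=public --list-all and its --permanent counterpart and reports the fields that differ. The two outputs embedded below are constructed sample text, not captured from a host.

```python
"""Detect drift between firewalld runtime and permanent zone configuration.

Added example for this README, not part of the shhirose.firewalld role. Feed it
the output of `firewall-cmd --zone=<zone> --list-all` and of
`firewall-cmd --permanent --zone=<zone> --list-all`; any field present in only
one of the two views is reported.
"""

# Constructed sample of `firewall-cmd --zone=public --list-all` (runtime view).
RUNTIME = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 172.10.0.0/16
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
\tport=50022:proto=tcp:toport=22:toaddr=192.168.10.10
  source-ports:
  icmp-blocks: echo-request
  rich rules:
\trule family="ipv4" source address="192.168.0.0/16" port port="22" protocol="tcp" accept
"""

# Constructed sample of `firewall-cmd --permanent --zone=public --list-all`.
PERMANENT = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

MULTILINE = {"forward-ports", "rich rules"}   # values are listed one per tab-indented line


def parse_list_all(text):
    """Turn --list-all output into {field: set(values)}; scalar fields become one-element sets."""
    fields, current = {}, None
    for line in text.splitlines()[1:]:            # first line is the zone header
        if line.startswith("\t") and current:     # continuation value of a multi-line field
            fields[current].add(line.strip())
        elif ":" in line:
            key, _, rest = line.strip().partition(":")
            current, rest = key, rest.strip()
            fields[key] = set() if key in MULTILINE else set(rest.split())
            if key in MULTILINE and rest:
                fields[key].add(rest)
    return fields


def drift(runtime, permanent):
    """Return {field: (runtime_only, permanent_only)} for every field whose two views differ."""
    rt, pm = parse_list_all(runtime), parse_list_all(permanent)
    out = {}
    for field in sorted(set(rt) | set(pm)):
        a, b = rt.get(field, set()), pm.get(field, set())
        if a != b:
            out[field] = (sorted(a - b), sorted(b - a))
    return out


if __name__ == "__main__":
    for field, (runtime_only, permanent_only) in drift(RUNTIME, PERMANENT).items():
        print(f"{field}:")
        for v in runtime_only:
            print(f"  runtime only (lost on reload):     {v}")
        for v in permanent_only:
            print(f"  permanent only (not yet enforced): {v}")
```

On the constructed input the script flags the source, forward port, ICMP block and rich rule as runtime-only (they mirror the sample entries above that set permanent: False) and the https service as permanent-only. Running the same comparison after a play, or periodically from a cron job, turns the immediate/permanent mismatch from a silent surprise at the next reload into a reviewable finding.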

License

MIT