Let us take a closer look at how to manage firewalld with Ansible in a few simple steps with the support of our Server management support services at Bobcares.
Introduction to Ansible Firewalld
We have several modules in Ansible that let us carry out operational work on remote systems, specifically operations that need to run on the Linux remote hosts themselves. One such module is firewalld, which manages the firewall rules of a Linux system.
Linux systems can run the firewalld daemon, which allows or blocks access to and from services, networks and ports. It does this by modifying the running or permanent firewall rules on the machine through the firewall-cmd tool. Ansible manages this through the firewalld module.
Explaining the Ansible Firewalld
The Ansible firewalld module can update firewall rules on remote hosts, which in this case are Linux machines. Ports can be either TCP or UDP, and we can enable or disable them. Similarly, we can allow and block services.
While working with the Ansible firewalld module, keep the following points in mind:
- The Ansible firewalld module requires that the firewalld version on the hosts whose rules are being updated be equal to or greater than 2.11.
- The module is not tested on Debian-based systems. The firewalld python2 bindings are required. Where the python2 bindings are not available, we can use the python3 bindings, but ansible_python_interpreter must then point to the python3 interpreter path, so python3 has to be installed.
- Ansible firewalld has a known restriction that zone transactions must be explicitly permanent. This means that when we add a zone and want to act on it right away, we must restart the firewalld service. Be cautious, however, because reloading firewalld discards all non-permanent changes.
- This module does not guarantee backward compatibility.
Along with the points above, we should be familiar with the following terms, which come up frequently in firewalld:
- Zone: A zone is a logical network location. It is arbitrary in nature, but it is typically expressed in terms of the network from which traffic originates, or as the location to which a local network interface is attached.
- Services: Services are a collection of port and protocol combinations. They act as the sockets on which our host is listening, and we can place them in one or more zones.
- Ports: Ports are the logical constructs that represent a service endpoint.
How Does Ansible Firewalld Work?
The parameters available in the Ansible firewalld module are given below, along with their permitted values. Using them in combination, we can meet our requirements for modifying firewall rules on remote hosts.
Taking a backup of the rules before changing anything is the safer option. Changing rules haphazardly produces a jumble that can take hours, and network-team assistance, to untangle.
- icmp_block: The ICMP block to add to or remove from a zone in the firewall rules.
- immediate: Whether the change should also be applied to the running configuration right away when the permanent parameter is used.
- interface: The interface to add to or remove from a zone in the firewall rules.
- permanent: Should the configuration be a permanent rule that survives between reboots, or a running configuration that is only active temporarily? If this is "no", immediate is assumed to be "yes". Acceptable values are "yes" or "no".
- port: The port or port range to add to or remove from firewalld, in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL.
- rich_rule: A rich rule to add to or remove from firewalld.
- service: The service to add to or remove from firewalld. The service must appear in the output of the remote command "firewall-cmd --get-services".
- source: The source network to add to or remove from the firewalld rules of a zone.
- state: Enable or disable a setting. Acceptable values are absent, present, enabled and disabled; present and absent are used for zone-level operations.
- timeout: The amount of time that a non-permanent rule should remain in force.
- zone: The firewall zone to add to or remove from. The upstream default is public, although this can be changed. Available zones include block, dmz, external, internal, trusted and work.
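As an added example (not from the original post), the playbook below follows the backup advice above: it archives the permanent firewalld configuration before changing anything, binds an assumed management network to the internal zone, allows only the services that zone needs, and then reads the zone back so the run log shows the effective rules. The inventory group webservers, the backup path and the network 10.0.0.0/24 are assumptions, and the module is referenced by its collection name ansible.posix.firewalld, so the ansible.posix collection must be installed.

```yaml
---
- name: Change firewalld rules with a backup and a read-back check (added example)
  hosts: webservers            # assumed inventory group
  become: true
  tasks:
    - name: Archive the permanent firewalld configuration before touching it
      ansible.builtin.command:
        cmd: tar czf /root/firewalld-backup-{{ ansible_date_time.date }}.tgz /etc/firewalld
        creates: /root/firewalld-backup-{{ ansible_date_time.date }}.tgz   # one archive per day

    - name: Bind the assumed management network to the internal zone
      ansible.posix.firewalld:
        zone: internal
        source: 10.0.0.0/24      # assumed management network
        permanent: true
        immediate: true
        state: enabled

    - name: Allow only the services the internal zone needs
      ansible.posix.firewalld:
        zone: internal
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - ssh
        - https

    - name: Read the zone back so the run log shows the effective rules
      ansible.builtin.command:
        cmd: firewall-cmd --zone=internal --list-all
      changed_when: false        # a read-only query never reports a change
      register: internal_zone

    - name: Show the effective internal zone configuration
      ansible.builtin.debug:
        var: internal_zone.stdout_lines
```

Running the playbook first with ansible-playbook --check shows which firewalld tasks would change something before any rule is touched.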
Ansible FirewallD Examples
Here are some Ansible firewalld module examples for managing services and ports. First, determine whether the HTTP/HTTPS service is open or closed.
We can use the nmap command to see the state of a port (blocked or open). If the state is closed, the port is being blocked by firewalld. Let us now enable the HTTP and HTTPS services, which will open ports 80 and 443.
Enabling HTTP and HTTPS Service
Here is an example of an Ansible playbook that uses the firewalld module. Go through it to see how firewalld is managed with Ansible. It enables the HTTP and HTTPS services, which opens ports 80 and 443.
This playbook runs on localhost, but it can be modified to run remotely by removing connection: local and changing the hosts argument.
---
- name: FirewallD
  hosts: localhost
  connection: local
  tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        service: "{{ item }}"
        state: enabled
      with_items:
        - http
        - https
We use with_items in this playbook to loop over the list and enable multiple services in a single task. Setting immediate: yes ensures that the firewall rules take effect in the running configuration right away, in addition to being stored permanently.
Execution Output
[root@MWINODE01 vagrant]# ansible-playbook firewalld.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
PLAY [FirewallD] ***************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [FirewallD rules] *********************************************************
changed: [localhost] => (item=http)
changed: [localhost] => (item=https)
PLAY RECAP *********************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Let us check whether the HTTP/HTTPS services are now available. We can repeat the nmap and curl checks to confirm that the HTTP/HTTPS services are open and enabled.
Enabling & Disabling Multiple Ports on Different Zones
Here is a generic playbook for enabling and disabling multiple ports on different zones. With it we can manage all of a host's firewall rules in one run.
---
- name: FirewallD
  hosts: localhost
  connection: local
  tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        port: "{{ item.port }}/{{ item.proto }}"
        state: "{{ item.state }}"
        zone: "{{ item.zone }}"
      with_items:
        - { port: "8080", proto: "tcp", state: "disabled", zone: "public" }
        - { port: "161-162", proto: "udp", state: "disabled", zone: "internal" }
        - { port: "9001", proto: "tcp", state: "enabled", zone: "public" }
The playbook result will be as follows:
Using Rich Rule with Ansible FirewallD
Rich rules can be used with the Ansible firewalld module. Here is an example:
The playbook below accepts ftp and drops http, and each rule writes an audit log entry rate-limited to one per minute.
---
- name: FirewallD
  hosts: localhost
  connection: local
  tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        rich_rule: "{{ item }}"
        state: enabled
      with_items:
        - 'rule service name="ftp" audit limit value="1/m" accept'
        - 'rule service name="http" audit limit value="1/m" drop'
Execution Result
[root@MWINODE01 vagrant]# ansible-playbook firewalld.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match
'all'
PLAY [FirewallD] *****************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************
ok: [localhost]
TASK [FirewallD rules] ***********************************************************************************************
changed: [localhost] => (item=rule service name="ftp" audit limit value="1/m" accept)
changed: [localhost] => (item=rule service name="http" audit limit value="1/m" drop)
PLAY RECAP ***********************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Creating Port Redirection using Ansible Firewall Rich Rule
Here is an ansible-playbook example that uses the Ansible firewalld module to configure port forwarding, also called port redirection. In it, we forward port 8080 to port 80, where Nginx serves a static website.
---
- name: FirewallD
  hosts: localhost
  connection: local
  tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        rich_rule: "{{ item }}"
        state: enabled
      with_items:
        - 'rule forward-port port=8080 protocol=tcp to-port=80 family=ipv4'
The execution result will look like the earlier runs. We can then quickly test the port forwarding by connecting to the website on ports 8080 and 80.
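As a further added example (again not from the original post), the forwarding rule above accepts redirected traffic from any IPv4 source. The playbook below restricts the redirection to one assumed client network, retires the unscoped rule, and adds a runtime-only drop for an assumed abusive range that firewalld removes by itself after ten minutes, which illustrates the permanent and timeout parameters described earlier. The networks 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges used as placeholders, and the tasks assume the ansible.posix collection is installed.

```yaml
---
- name: Source-scoped redirection and a self-expiring block (added example)
  hosts: localhost
  connection: local
  become: true
  tasks:
    - name: Redirect 8080 to 80 only for the assumed client network
      ansible.posix.firewalld:
        zone: public
        rich_rule: 'rule family=ipv4 source address=192.0.2.0/24 forward-port port=8080 protocol=tcp to-port=80'
        permanent: true
        immediate: true
        state: enabled

    - name: Retire the unscoped redirection rule from the earlier playbook
      ansible.posix.firewalld:
        zone: public
        rich_rule: 'rule forward-port port=8080 protocol=tcp to-port=80 family=ipv4'
        permanent: true
        immediate: true
        state: disabled

    - name: Drop an assumed abusive range for ten minutes, runtime only
      ansible.posix.firewalld:
        zone: public
        rich_rule: 'rule family=ipv4 source address=203.0.113.0/24 drop'
        permanent: false       # runtime rule: a firewalld reload or reboot also clears it
        timeout: 600           # seconds; firewalld removes the rule when this expires
        state: enabled
```

Because the last task is not permanent, running the playbook again after the timeout reports it as changed once more, which is the expected behaviour for a deliberately temporary rule.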
Conclusion
To sum up, we have now learned how to manage firewalld with Ansible with the help of our Server Management Support Services. The Ansible firewalld module lets us handle firewall rules more efficiently and idempotently, and it simplifies applying and managing complex rules.