Technology Security Analyst
Ansible ships many modules that let us carry out operational work on remote hosts, in particular on Linux hosts. One of them is the firewalld module, which manages the firewall rules of Linux systems. In this article we look at Ansible firewalld.
A Linux system can run a firewall daemon (firewalld) that allows or blocks access to and from services, networks and ports by updating the runtime or permanent rule set on the machine, normally through the firewall-cmd utility. Ansible manages the same rule set through the firewalld module.
Along with the above points, we should also know the terminology below, which is used heavily in firewalld.
The Ansible firewalld module has the parameters listed below, each with its accepted values. Combining them lets us change firewall rules on remote hosts to fit our requirements, but we should always plan and consider all the points discussed in the previous section before changing target systems, and taking a backup of the rules before changing anything is also recommended.
Managing rules in an ad hoc manner ends up in a mess, and we then have to spend hours with network support to identify the problematic parts of our firewall rules.
Acceptable values are either “yes” or “no”.
1. port: Name of a port or port range to add to or remove from firewalld. It must be in the form PORT/PROTOCOL, or PORT-PORT/PROTOCOL for port ranges.
2. rich_rule: Rich rule to add to or remove from firewalld.
3. service: The service to add to or remove from firewalld. The service must be listed in the output of the “firewall-cmd --get-services” command on the remote host.
4. source: The source network to add to or remove from the firewalld rules.
5. state: Enable or disable a setting. Acceptable values are enabled, disabled, present and absent, of which present and absent are used for zone-level operations.
6. timeout: The time, in seconds, for which the rule should be in effect when it is not permanent.
7. zone: The firewall zone to add to or remove from. Upstream, public is the default zone, but this can be configured. Some out-of-the-box zones are block, dmz, external, internal, trusted and work; the list can be extended on a per-system basis.
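As an added example (not from the original article), one playbook that exercises several of the parameters above together: it records the current runtime and permanent rules before touching anything, applies a service, a port range, a source network and a rich rule, and removes a service that should no longer be open. The zone names, the port range, the 10.10.10.0/24 management network and the backup file paths are assumed values.

```yaml
---
# Added example: not part of the original page. Assumed values: zones,
# the port range, the management network and the backup file paths.
- hosts: all
  become: yes
  tasks:
    - name: record the runtime and permanent rules before changing anything
      shell: |
        firewall-cmd --list-all-zones > /root/firewalld-runtime-{{ ansible_date_time.iso8601_basic_short }}.txt
        firewall-cmd --permanent --list-all-zones > /root/firewalld-permanent-{{ ansible_date_time.iso8601_basic_short }}.txt
      changed_when: false

    # permanent + immediate changes both the saved config and the running one,
    # so no separate "firewall-cmd --reload" task is needed afterwards
    - name: allow https in the public zone
      firewalld:
        service: https
        zone: public
        permanent: yes
        immediate: yes
        state: enabled

    # PORT-PORT/PROTOCOL form; runtime only, and firewalld drops it after 600 s
    - name: open a port range temporarily for a maintenance window
      firewalld:
        port: 8000-8010/tcp
        zone: public
        permanent: no
        timeout: 600
        state: enabled

    - name: place the management network in the internal zone
      firewalld:
        source: 10.10.10.0/24
        zone: internal
        permanent: yes
        immediate: yes
        state: enabled

    - name: allow ssh only from the management network via a rich rule
      firewalld:
        rich_rule: 'rule family="ipv4" source address="10.10.10.0/24" service name="ssh" accept'
        zone: public
        permanent: yes
        immediate: yes
        state: enabled

    - name: make sure the legacy telnet service is not allowed
      firewalld:
        service: telnet
        zone: public
        permanent: yes
        immediate: yes
        state: disabled
```

The two backup files give you something to diff against the later firewall-cmd --list-all output when a change does not behave as expected.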
Now, using examples, we will try to learn about Ansible firewalld as you may need to use it in day-to-day operations. We will take a few examples, but before going there, let us first understand the lab we used for testing.
Here we have an Ansible control server named ansible-regulator and one remote host named have remote. We will create playbooks and run Ansible commands on the ansible-regulator node and see the results on the remote host.
Also, below is the current status of firewalld on the remote host.
firewall-cmd --state
firewall-cmd --get-services
firewall-cmd --get-default-zone
firewall-cmd --get-zones
firewall-cmd --list-all
iptables -S | tail
---
- hosts: all
  tasks:
    - name: here we enable http in firewall rules
      firewalld:
        service: http
        state: enabled
        permanent: yes
When we execute it as below we get the following output:
ansible-playbook ansible_firewalld_enable_service.yaml
Checking on the remote host which services are allowed, we can see that http is now listed under services.
firewall-cmd --list-all
---
- hosts: all
  tasks:
    - name: here we enable 443 port in firewall rules
      firewalld:
        port: 443/tcp
        state: enabled
After executing it we get the following output:
ansible-playbook ansible_firewalld_disable_port.yaml
Now checking on the remote host, we will see this port listed in the output of --list-all as below, whereas it was not there previously:
firewall-cmd --list-all
---
- hosts: all
  tasks:
    - name: here we enable a network for a zone in firewall rules
      firewalld:
        source: 10.10.10.10/24
        zone: internal
        state: enabled
        permanent: yes
    - name: we have to reload firewalld else zone transactions will not be realised
      command: firewall-cmd --reload
After executing this playbook we get the following output:
ansible-playbook ansible_firewalld_enable_source_network.yaml
On the remote host, we can see that the mentioned network is listed in the allowed list of the zone concerned.
firewall-cmd --zone=internal --list-all
As we have seen, Ansible firewalld is a very strong module that can be extremely useful when you have a supported network and your remote hosts are in good order in every respect. But note that keeping track of all the firewall rules is not an easy task, especially when there are both permanent and non-permanent rules, so planning is required beforehand.