Explaining the Ansible Firewalld

Written by Nilima Paul, February 3, 2022
Nilima Paul, Technology Security Analyst

In this blog post, we will discuss Ansible Firewalld.

Introduction to Ansible Firewalld

Ansible ships with many modules that let us do operational work on remote hosts, and in particular on remote Linux hosts. One of them is the firewalld module, which manages the firewall rules of Linux systems. In this post we look at how that module works and how to use it.

Linux systems can run the firewalld daemon, which allows or blocks access to and from services, networks and ports by updating either the running (runtime) rule set or the permanent rule set on the machine, normally through the firewall-cmd utility. Ansible drives the same daemon through its firewalld module.

Explaining the Ansible Firewalld

Before using the module, keep the following points from its documentation in mind:

  • According to the latest Ansible firewalld module documentation, the firewalld version on the hosts whose rules will be changed must be 0.2.11 or greater.
  • The module is not tested on Debian-based distributions.
  • It requires the python2 bindings of firewalld. Where the python2 bindings are not available, the python3 bindings can be used, but then ansible_python_interpreter must be set to the python3 interpreter path on those hosts and the python3 bindings must be installed.
  • There is a known limitation in Ansible firewalld: zone transactions (creating or removing a zone) must explicitly be permanent. This also means that when we add a zone and then want to perform immediate actions on it, we have to reload the firewalld service first. Take care when doing that, because reloading firewalld undoes all non-permanent changes made up to that point.
  • The module is not guaranteed to have backwards compatibility.
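
The zone limitation above in practice, as an added example that is not part of the original post: the playbook creates a zone (a zone transaction, so it is permanent), forces the reload through a handler before anything touches the new zone, and only then adds sources and the ssh service with permanent and immediate set together. The zone name mgmt, the management networks 192.0.2.0/24 and 198.51.100.10/32, and the use of the FQCN ansible.posix.firewalld (the collection the module lives in since Ansible 2.10; the short name firewalld used elsewhere on this page resolves to the same module when that collection is installed) are assumptions made for the example.

```yaml
---
# Added example, not from the original post. Assumed values: zone "mgmt",
# the two management networks, and the ansible.posix collection being installed.
- hosts: all
  become: true
  vars:
    mgmt_zone: mgmt
    mgmt_sources:
      - 192.0.2.0/24
      - 198.51.100.10/32
  handlers:
    # "reloaded" is a supported state of the service module; it maps to a
    # firewalld reload, which drops every runtime-only rule on the host.
    - name: reload firewalld
      ansible.builtin.service:
        name: firewalld
        state: reloaded
  tasks:
    # Zone transactions must be permanent; "present" with only zone and
    # state set is the zone-level operation the module documents.
    - name: create the management zone in the permanent configuration
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        state: present
        permanent: true
      notify: reload firewalld

    # Without this the zone exists only in the permanent config, and the
    # immediate actions below would fail because the runtime has no such zone.
    # On a second run the zone is unchanged, nothing is notified, no reload.
    - name: reload now so that the new zone exists in the running configuration
      ansible.builtin.meta: flush_handlers

    - name: bind the management networks to the new zone
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        source: "{{ item }}"
        state: enabled
        permanent: true
        immediate: true
      loop: "{{ mgmt_sources }}"

    - name: allow ssh into the management zone only
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        service: ssh
        state: enabled
        permanent: true
        immediate: true
```

Running the playbook twice is idempotent: the second run finds the zone already present, the handler is not notified and no reload happens, so runtime-only rules on the host survive. Note also that firewalld binds a source to at most one zone; a source that is already assigned to another zone makes the task fail with a zone conflict rather than silently moving it.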

Along with the above points, we should also know the following terminology, which is used heavily in firewalld.

  • Zone: a logical network location. It can be arbitrary, but is usually defined in terms of the network from which traffic originates or the location to which a local network interface is connected.
  • Service: a set of port and protocol combinations that make up a socket our host listens on; a service can then be placed in one or more zones.
  • Port: a logical construct representing a service endpoint, written as a port number and protocol.

How Does Ansible Firewalld Work?

The Ansible firewalld module takes the parameters listed below, each with its own set of acceptable values. Combining them covers most changes we need to make to firewall rules on remote hosts. Always plan the change, keep in mind the points from the previous section before touching target systems, and take a backup of the existing rules before changing anything.

Managing rules in an ad hoc way ends in a mess, and we then spend hours, and the network team's time, tracking down which rule is causing the problem.

  • icmp_block: the ICMP block to add to or remove from a zone.
  • immediate: when permanent is yes, whether the change should also be applied to the running configuration right away. Acceptable values are yes or no; the default is no.
  • interface: the network interface to add to or remove from a zone.
  • permanent: whether the change goes into the permanent configuration, which persists across reboots and reloads, or only into the running configuration, which does not. Acceptable values are yes or no. When this is no, immediate is assumed to be yes.
  • port: a port or port range to add or remove. It must be written as PORT/PROTOCOL or PORT-PORT/PROTOCOL, for example 443/tcp or 8000-8100/tcp.
  • rich_rule: a rich rule to add or remove.
  • service: the service to add or remove. The name must appear in the output of firewall-cmd --get-services on the remote host.
  • source: the source address or network to add to or remove from the rules.
  • state: enable or disable a setting. Acceptable values are absent, present, enabled and disabled. present and absent are only used for zone-level operations, that is, when no parameter other than zone and state is set.
  • timeout: the number of seconds a rule should stay in effect when it is non-permanent.
  • zone: the firewall zone to operate on, or to create or remove when state is present or absent. Upstream's default zone is public, though the default can be configured per system. Out-of-the-box zones include block, dmz, external, internal, trusted and work, and the list can be extended on a per-system basis.
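
A fuller playbook exercising the parameters above together with the backup advice from the start of this section, as an added example that is not the original post's code: it snapshots the permanent configuration before changing anything, opens a port range and a rate-limited rich rule in both the permanent and the running configuration, opens a temporary port that expires by itself, and finally compares the running and permanent configuration of the zone so that runtime-only entries (lost on the next reload) are reported and permanent-only entries (a reload is pending) fail the play. The zone public, the port range 8000-8100/tcp, the admin network 192.0.2.0/24, the temporary port 9090/tcp and the backup path under /root are assumptions made for the example.

```yaml
---
# Added example, not from the original post. Assumed values: zone "public",
# the admin network, the ports, the backup path, and the ansible.posix
# collection being installed for the firewalld module.
- hosts: all
  become: true
  vars:
    fw_zone: public
    admin_net: 192.0.2.0/24
  tasks:
    # Backup first: the permanent zone listing is what a rollback needs.
    - name: snapshot the permanent configuration before changing anything
      ansible.builtin.command: firewall-cmd --permanent --list-all-zones
      register: fw_snapshot
      changed_when: false

    - name: keep the snapshot on the host, readable by root only
      ansible.builtin.copy:
        content: "{{ fw_snapshot.stdout }}\n"
        dest: "/root/firewalld-permanent-{{ ansible_date_time.iso8601_basic_short }}.txt"
        mode: "0600"

    # permanent + immediate: written to disk and live at once, no reload needed.
    - name: open a port range in both the permanent and the running configuration
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        port: 8000-8100/tcp
        state: enabled
        permanent: true
        immediate: true

    - name: rate-limit ssh from the admin network with a rich rule
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        rich_rule: 'rule family="ipv4" source address="{{ admin_net }}" service name="ssh" limit value="10/m" accept'
        state: enabled
        permanent: true
        immediate: true

    # timeout only applies to non-permanent rules; firewalld removes it itself.
    - name: open a debugging port for ten minutes only
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        port: 9090/tcp
        state: enabled
        permanent: false
        timeout: 600

    # Drift check: runtime and permanent listings are compared as sets.
    - name: list runtime services and ports in the zone
      ansible.builtin.command: firewall-cmd --zone={{ fw_zone }} {{ item }}
      loop: ["--list-services", "--list-ports"]
      register: runtime
      changed_when: false

    - name: list permanent services and ports in the zone
      ansible.builtin.command: firewall-cmd --permanent --zone={{ fw_zone }} {{ item }}
      loop: ["--list-services", "--list-ports"]
      register: permanent
      changed_when: false

    - name: report runtime-only entries, which the next reload or reboot will drop
      ansible.builtin.debug:
        msg: "{{ item.0.item }} runtime-only: {{ item.0.stdout.split() | difference(item.1.stdout.split()) }}"
      loop: "{{ runtime.results | zip(permanent.results) | list }}"
      loop_control:
        label: "{{ item.0.item }}"

    - name: fail on permanent-only entries, which means a reload is pending
      ansible.builtin.assert:
        that: (item.1.stdout.split() | difference(item.0.stdout.split())) | length == 0
        fail_msg: "{{ item.0.item }} permanent-only: {{ item.1.stdout.split() | difference(item.0.stdout.split()) }}"
      loop: "{{ runtime.results | zip(permanent.results) | list }}"
      loop_control:
        label: "{{ item.0.item }}"
```

On a healthy host the debug task lists 9090/tcp as the only runtime-only port and the assert passes, because every other change was made with permanent and immediate together. If the assert fails, something was written to the permanent configuration without immediate (or by hand with firewall-cmd --permanent); firewall-cmd --reload will bring it live, at the cost of every runtime-only entry the debug task just reported.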

Example of Ansible Firewalld

Now let us look, through examples, at the Ansible firewalld usage you may need in day-to-day operations. Before that, here is the lab used for testing.

We have an Ansible controller named ansible-controller and one remote host named host-remote. We will write playbooks and run Ansible commands on ansible-controller and check the results on host-remote.

On the remote host, the state of firewalld before any change was checked with the following commands:

firewall-cmd --state
firewall-cmd --get-services
firewall-cmd --get-default-zone
firewall-cmd --get-zones
firewall-cmd --list-all
iptables -S | tail
  • In this example, we enable the http service permanently on the remote host.
  • We use a playbook with the following content:
---
- hosts: all
  tasks:
    - name: here we enable http in firewall rules
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes   # also apply to the running configuration, so --list-all shows it

We execute it as below:

ansible-playbook ansible_firewalld_enable_service.yaml

Checking on the remote host which services are open, http is now listed under services. Without immediate: yes the rule would only be written to the permanent configuration and would not appear in the runtime listing until the next reload.

firewall-cmd --list-all
  • In this example, we enable a port on the remote host. No permanent parameter is given, so the change goes only into the running configuration (immediate is implied) and is lost on the next firewalld reload or reboot. The playbook:
---
- hosts: all
  tasks:
    - name: here we enable 443 port in firewall rules
      firewalld:
        port: 443/tcp
        state: enabled

After executing it we get the output:

ansible-playbook ansible_firewalld_enable_port.yaml

Checking on the remote host, the port is now listed in the output of --list-all, where it was not before:

firewall-cmd --list-all
  • In this example, we add a source network to a zone. The task writes only the permanent configuration, so the playbook also reloads firewalld on the remote host for the change to show up in the running configuration. Be aware that the reload discards runtime-only changes, such as the 443/tcp port from the previous example; setting immediate: yes on the task instead of reloading avoids that. The playbook:
---
- hosts: all
  tasks:
    - name: here we enable a network for a zone in firewall rules
      firewalld:
        source: 10.10.10.0/24
        zone: internal
        state: enabled
        permanent: yes
    - name: we have to reload firewalld else the permanent change is not realised
      command: firewall-cmd --reload

After executing this playbook we get the output:

ansible-playbook ansible_firewalld_enable_source_network.yaml

On the remote host, the network is now listed under sources for the internal zone:

firewall-cmd --zone=internal --list-all

Conclusion

As we have seen, Ansible firewalld is a powerful module that is very useful when your network is well supported and your remote hosts are properly set up. Keep in mind, though, that keeping track of all the firewall rules is not an easy task, especially with a mix of permanent and non-permanent rules, so plan the changes beforehand.
