Ansible is a free and open-source automation tool that allows us to automate the various DevOps and sys administration tasks such as configuration management, software provisioning, application deployment, etc.
Firewalld, on the other hand, is a dynamic firewall manager for Linux that sits in front of iptables (or nftables on newer systems) and lets you manage rules, assign interfaces and sources to zones, and handle other firewall-related configuration without editing raw rule sets.
In this tutorial, we will explore the workings of the Ansible Firewalld module that allows us to automate the Firewalld rules and operations.
To follow along with this post and the provided playbooks, ensure that you have the following:
- Installed Ansible on the controlling machine
- Installed Firewalld service on the target nodes
- SSH access to the target nodes
Installing the Firewalld Module
In Ansible, the Firewalld module is part of the “ansible.posix” collection. Hence, you must ensure that you have it installed before using it in a playbook.
Ansible Firewalld Module Parameters
The parameters you will use most often with the firewalld module are listed below; the module documentation covers the full list:
service – It specifies the name of a service to add or remove. Specify the service’s name as it appears in firewalld, e.g., http, https, ftp, etc.
port – The port or port range that you want to add or remove. Similarly, specify the port and the corresponding protocol as 8080/tcp or 6000-6010/udp.
state – It sets the state of the specified rule. The supported values include:
- enabled – adds the rule
- disabled – removes the rule
- present / absent – used with the zone parameter (and permanent set to yes) to create or delete a zone rather than a rule
zone – It is the firewall zone to add or remove the rule from. If it is omitted, the module uses whatever zone firewalld has configured as its default, which is public on a fresh install.
permanent – If it is set to yes, the change is written to the permanent configuration and survives reboots and a firewalld reload. Otherwise, the change is made only to the runtime configuration and is lost at the next reload or reboot.
immediate – If it is set to yes, a permanent change is also applied to the running firewall right away. Note that permanent: yes on its own only saves the rule to disk; it does not take effect until firewalld is reloaded or restarted, so for a rule that should both persist and apply now you need permanent: yes together with immediate: yes.
source – It is the source network or IP address that you want to add to a zone.
interface – It specifies the name of an interface that you want to add to a zone. For example, eth0 or ens33.
icmp_block – It specifies an ICMP block that you wish to enable or disable in the firewall.
Let us cover some basic examples on how to work with this module in your systems.
Ensuring that Firewalld Is Installed
Before using the Ansible firewalld module, make sure firewalld is installed on the target nodes using their package manager.
The following example playbook demonstrates how to install firewalld with the Yum package manager:
Starting the Firewalld Service
Once firewalld is installed, you can ensure that the service is running as follows:
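The two steps above (install the package, then start and enable the service) as one playbook. This is an added example, not a playbook from the original post; it assumes an inventory group named webservers made up of RHEL/Fedora-family hosts, and that the ansible.posix collection is present on the controller (install it with `ansible-galaxy collection install ansible.posix` if it is not). The final two tasks are a read-only check that the daemon actually came up, so a host with a broken unit file fails the play instead of silently passing on to the rule tasks.

```yaml
# Added example (not from the original post). Assumes:
#   - inventory group "webservers" of RHEL/Fedora-family hosts
#   - ansible.posix collection installed on the controller:
#       ansible-galaxy collection install ansible.posix
# On Debian/Ubuntu targets replace ansible.builtin.dnf with ansible.builtin.apt.
- name: Install and start firewalld
  hosts: webservers
  become: true
  tasks:
    - name: Install the firewalld package
      ansible.builtin.dnf:          # ansible.builtin.yum on older RHEL 7 hosts
        name: firewalld
        state: present

    - name: Start firewalld now and enable it at boot
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    # Read-only check: firewall-cmd --state prints "running" (exit 0) or
    # "not running" (non-zero). failed_when: false lets the assert below
    # produce a clear message instead of a raw command failure.
    - name: Query the daemon state
      ansible.builtin.command: firewall-cmd --state
      register: fw_state
      changed_when: false
      failed_when: false

    - name: Fail early if firewalld is not actually running
      ansible.builtin.assert:
        that: fw_state.stdout == "running"
        fail_msg: "firewalld is installed but reports: {{ fw_state.stdout }}"
```

Run it with `ansible-playbook -i inventory firewalld-install.yml`; it is idempotent, so a second run reports no changes.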
Allowing a Specific Service
To allow a service (http for instance) through the firewall, we can use the service and state parameters as follows:
Denying a Specific Service
We can also deny a specific service by setting the state to disabled as follows:
This removes ssh from the zone, so new SSH connections through that zone are refused. Be careful here: if Ansible itself reaches the host through that zone, the running play survives (firewalld keeps accepting established connections) but every later connection, including your next playbook run, is blocked. Only remove ssh from a zone when your management hosts are still admitted through another zone or source binding.
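Both service operations above in one playbook, followed by a read-back of the runtime zone so the play fails if the firewall does not end up in the intended state. This is an added example, not from the original post; it assumes the webservers inventory group, and the allowed_services list is constructed for the example.

```yaml
# Added example (not from the original post). Assumes inventory group "webservers".
- name: Manage services in the public zone
  hosts: webservers
  become: true
  vars:
    allowed_services: [http, https]   # constructed for this example
  tasks:
    - name: Allow web services (persisted and applied now)
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ allowed_services }}"

    # Lockout warning: this blocks every NEW ssh connection through the public
    # zone as soon as it runs. The current session survives (established
    # connections are still accepted), but the next playbook run will not.
    # Only run this when your management hosts are admitted via another zone
    # or source binding.
    - name: Remove SSH from the public zone
      ansible.posix.firewalld:
        service: ssh
        zone: public
        permanent: true
        immediate: true
        state: disabled

    - name: Read back the runtime service list for the zone
      ansible.builtin.command: firewall-cmd --zone=public --list-services
      register: public_services
      changed_when: false

    - name: Verify the firewall is in the intended state
      ansible.posix.firewalld:
        service: http
        zone: public
        state: enabled
        permanent: true
        immediate: true
      check_mode: true
      register: http_check
      failed_when: http_check.changed

    - name: Verify via firewall-cmd output as well
      ansible.builtin.assert:
        that:
          - "'http' in public_services.stdout.split()"
          - "'https' in public_services.stdout.split()"
          - "'ssh' not in public_services.stdout.split()"
        fail_msg: "public zone services are {{ public_services.stdout }}"
```

The check_mode task is a cheap way to confirm idempotence: if re-applying the rule would report a change, the earlier task did not actually land (for example because immediate was left off), and the play stops there.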
Allowing Specific Ports
We can also allow specific ports as demonstrated in the following example playbook:
Denying a Port
To deny a port, you can run the playbook as follows:
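The allow and deny cases for ports as one data-driven playbook, plus a task that shows the permanent-only behaviour described in the parameter list. This is an added example, not from the original post; it assumes the webservers inventory group, and the port_rules list and the 9100/tcp port are constructed for the example.

```yaml
# Added example (not from the original post). Assumes inventory group "webservers".
- name: Manage ports in the public zone
  hosts: webservers
  become: true
  vars:
    # Constructed for this example: desired state per port/protocol.
    port_rules:
      - { port: "8080/tcp", state: enabled }        # application server
      - { port: "6000-6010/udp", state: enabled }   # a port range
      - { port: "23/tcp", state: disabled }         # make sure telnet stays closed
  tasks:
    - name: Apply port rules (persisted and applied now)
      ansible.posix.firewalld:
        port: "{{ item.port }}"
        zone: public
        permanent: true
        immediate: true
        state: "{{ item.state }}"
      loop: "{{ port_rules }}"
      loop_control:
        label: "{{ item.port }} -> {{ item.state }}"

    # permanent without immediate: the rule is written to disk only. The
    # running firewall is untouched until the handler reloads firewalld.
    # Note that a reload replaces the runtime config with the permanent one,
    # so any runtime-only rules added elsewhere are discarded at that point.
    - name: Stage the metrics port for the next reload only
      ansible.posix.firewalld:
        port: 9100/tcp
        zone: public
        permanent: true
        state: enabled
      notify: reload firewalld

    - name: Runtime ports before the handler runs (9100/tcp is absent here)
      ansible.builtin.command: firewall-cmd --zone=public --list-ports
      register: runtime_ports
      changed_when: false

    - name: Permanent ports (9100/tcp is already present here)
      ansible.builtin.command: firewall-cmd --permanent --zone=public --list-ports
      register: permanent_ports
      changed_when: false

    - name: Show the difference between the two views
      ansible.builtin.debug:
        msg:
          runtime: "{{ runtime_ports.stdout }}"
          permanent: "{{ permanent_ports.stdout }}"
  handlers:
    - name: reload firewalld
      ansible.builtin.command: firewall-cmd --reload
```

After the handler runs, both listings include 9100/tcp. In practice you will almost always want permanent: yes together with immediate: yes as in the first task; the staged variant is mainly useful when several rule changes should become active at the same instant.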
Setting the Default Zone
We can set the default zone to any valid value as shown in the following example:
This sets the default zone to public.
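An idempotent way to set the default zone. This is an added example, not from the original post. The ansible.posix.firewalld module has no parameter for the default zone, so the playbook shells out to firewall-cmd; it reads the current value first and only changes it when it differs, so the task reports "changed" honestly. It assumes the webservers inventory group, and desired_default_zone is a constructed variable.

```yaml
# Added example (not from the original post). Assumes inventory group "webservers".
- name: Set the firewalld default zone
  hosts: webservers
  become: true
  vars:
    desired_default_zone: public   # constructed for this example
  tasks:
    - name: Read the current default zone
      ansible.builtin.command: firewall-cmd --get-default-zone
      register: current_zone
      changed_when: false

    # --set-default-zone updates both the permanent and the runtime
    # configuration, so no separate reload is needed. Any interface that is
    # not explicitly bound to a zone moves to the new default immediately,
    # which is the moment a too-open or too-closed default bites you.
    - name: Change the default zone only when it differs
      ansible.builtin.command: "firewall-cmd --set-default-zone={{ desired_default_zone }}"
      when: current_zone.stdout != desired_default_zone

    - name: Confirm the result
      ansible.builtin.command: firewall-cmd --get-default-zone
      register: new_zone
      changed_when: false
      failed_when: new_zone.stdout != desired_default_zone
```

Because the default zone catches every interface without an explicit binding, choose it deliberately (public, or drop on a host that should only ever be reached through explicitly bound sources) and bind management interfaces explicitly, as in the next sections.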
Adding a Source to a Zone
We can add an IP address or a network range to a specific zone as shown in the following example:
To remove a source from a zone, we can run the playbook as follows:
Adding an Interface to a Zone
To attach a specific network interface to a given zone, we can run the playbook as follows:
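Source and interface bindings together in one playbook, covering the add and remove operations from the two sections above and ending with a check of the active zones. This is an added example, not from the original post; it assumes the webservers inventory group, the 192.0.2.0/24 and 198.51.100.0/24 networks are RFC 5737 documentation ranges constructed for the example, and eth1 is an assumed interface name. One firewalld rule worth remembering here: a packet is placed in a zone by its source binding first, then by the interface it arrived on, and only then by the default zone, so a source bound to internal wins over an interface bound to public.

```yaml
# Added example (not from the original post). Assumes inventory group "webservers";
# addresses are RFC 5737 documentation ranges and eth1 is an assumed interface.
- name: Bind sources and interfaces to zones
  hosts: webservers
  become: true
  vars:
    admin_net: 192.0.2.0/24         # management network to trust
    old_admin_net: 198.51.100.0/24  # retired network to remove
    lan_iface: eth1                 # interface to place in the internal zone
  tasks:
    # The stock internal zone allows ssh, so binding the admin network here
    # keeps management access working even if ssh is removed from public.
    - name: Trust the admin network in the internal zone
      ansible.posix.firewalld:
        source: "{{ admin_net }}"
        zone: internal
        permanent: true
        immediate: true
        state: enabled

    - name: Remove the retired admin network from the internal zone
      ansible.posix.firewalld:
        source: "{{ old_admin_net }}"
        zone: internal
        permanent: true
        immediate: true
        state: disabled

    # On NetworkManager-managed hosts the persistent zone for an interface is
    # stored in the connection profile; the --get-active-zones check below is
    # the authoritative view of what is in effect right now.
    - name: Bind the LAN interface to the internal zone
      ansible.posix.firewalld:
        interface: "{{ lan_iface }}"
        zone: internal
        permanent: true
        immediate: true
        state: enabled

    - name: List active zones with their interfaces and sources
      ansible.builtin.command: firewall-cmd --get-active-zones
      register: active_zones
      changed_when: false

    - name: Verify the bindings took effect
      ansible.builtin.assert:
        that:
          - admin_net in active_zones.stdout
          - old_admin_net not in active_zones.stdout
          - lan_iface in active_zones.stdout
        fail_msg: "unexpected active zones:\n{{ active_zones.stdout }}"
```

If the host has a single interface that carries both management and public traffic, skip the interface task and rely on the source binding alone; binding that interface to internal would expose the internal zone's services to everyone.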
You learned about the main parameters and operations of the Ansible firewalld module, and walked through practical examples of using it to automate and manage firewall rules, zones, sources, and interfaces across your systems.