Ansible FirewallD Example - Managing Firewall Rules

Managing firewall rules are a tedious task but indispensable for a secure infrastructure.  While all the cloud providers are having their own ACL and firewall rule offerings to protect your cloud resources.

Some of us are still using the firewall-d for instance/server-level security.

While firewall-cmd is really efficient to manage the firewall rules. Ansible can do the same thing a little better and clean.

In this article, we are going to see. How to manage your CentOS or Linux firewall firewall-d rules with Ansible firewallD module

 

Ansible FirewallD

 

Ansible FirewallD Examples

Here we list few examples of the Ansible FirewallD module to manage the services and ports.

Validate if the HTTP/HTTPS service is Open or blocked

You can use a command  nmap to see if the port is blocked or open, If you see the state as closed which means it is blocked by firewalld

Now let us enable HTTP and HTTPS services that would open the port 80 and 443

 

Enabling HTTP and HTTPS Service

Here is the Ansible playbook with firewallD module to enable HTTP and HTTPS service that inturns open up port 80 and 443

 This playbook is designed to run on the localhost and can be chagned to run remote by removing the connection: local and updating hosts parameter

---
 - name: FirewallD
   hosts: localhost
   connection: local
   tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        service: "{{ item }}"
        state: enabled
      with_items:
       - http
       - https

In this playbook, we are using with_items for loop processing and enabling multiple services in a single task.

immediate: yes  flag would make sure that the firewall rules are implemented immediately.

Execution Output

[root@MWINODE01 vagrant]# ansible-playbook firewalld.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [FirewallD] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [FirewallD rules] *********************************************************
changed: [localhost] => (item=http)
changed: [localhost] => (item=https)

PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Let us Validate if the HTTP/HTTPS services are Open

Now you can rerun the nmap and curl command to validate if the HTTP/HTTPS services are open and enabled.

Ansible FirewallD

 

Enabling & Disabling Multiple Ports on different Zones

Here is the Generic playbook which can help you enable and disable, various different ports on different zones.

This simple playbook can be used for managing entire host firewall rules at once.

---
 - name: FirewallD
   hosts: localhost
   connection: local
   tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        port: "{{item.port}}/{{item.proto}}"
        state: "{{item.state}}"
        zone: "{{item.zone}}"
      with_items:
       - {port: "8080", proto: "tcp", state: "disabled", zone: "public" }
       - {port: "161-162", proto: "udp", state: "disabled", zone: "internal" }
       - {port: "9001", proto: "tcp", state: "enabled", zone: "public" }

Playbook result

Ansible FirewallD

 

Using Rich Rule with Ansible FirewallD

You can use Rich rules with the Ansible FirewallD module.

Here is the Example playbook with the Rich rule to accept ftp and drop http for one minute along with the audit log

---
 - name: FirewallD
   hosts: localhost
   connection: local
   tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        rich_rule: "{{ item }}"
        state: enabled
      with_items:
       - 'rule service name="ftp" audit limit value="1/m" accept'
       - 'rule service name="http" audit limit value="1/m" drop'

Execution Result

[root@MWINODE01 vagrant]# ansible-playbook firewalld.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match
'all'

PLAY [FirewallD] *****************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
ok: [localhost]

TASK [FirewallD rules] ***********************************************************************************************
changed: [localhost] => (item=rule service name="ftp" audit limit value="1/m" accept)
changed: [localhost] => (item=rule service name="http" audit limit value="1/m" drop)

PLAY RECAP ***********************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 

Creating Port Redirection using Ansible Firewall Rich Rule

Here is the ansible-playbook example to setup  Port Forwarding or Port redirection with Ansible FirewallD module

In this task, we are going to set up a port forwarding from port 8080 to port 80 and serve the static page from Nginx

---
 - name: FirewallD
   hosts: localhost
   connection: local
   tasks:
    - name: FirewallD rules
      firewalld:
        permanent: yes
        immediate: yes
        rich_rule: "{{ item }}"
        state: enabled
      with_items:
       - 'rule forward-port port=8080 protocol=tcp to-port=80 family=ipv4'

 

Here is the execution result

Ansible FirewallD

Let us quickly validate the port forwarding by accessing the website on port 8080 and 80

Conclusion

Ansible FirewallD module can help you efficiently manage your firewall rules with more control and idempotent.

Rich rules are better executed and managed with Ansible FirewallD module.  The only key feature I find it missing was listing and reading the already available rules.

For which we have to still rely on the firewall-cmd command line.

Hope this article helps and if you have any better examples. please let us know on the comments section

Cheers
Sarav AK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

Loading