README.md

Ansible Role: sys_firewalld

An Ansible role to install and configure firewalld.

Motivation

Firewalld is the firewall manager for most RedHat Derivates like Fedora, CentOS or Oracle Linux. Installing and configuring firewalld is a very common task for most operators.

Description

This role installs and configures firewalld.

• install packages
• start services
• configure rules like ports, services and interfaces

Requirements

Used Modules:

• Ansible Package Module
• Ansible Service Module
• Ansible Firewalld Module

Installation

Install from Ansible Galaxy

ansible-galaxy install while_true_do.sys_firewalld

Install from Github

git clone https://github.com/while-true-do/ansible-role-sys_firewalld.git while_true_do.sys_firewalld

Usage

Role Variables

---
# defaults file for while_true_do.sys_firewalld

## Package Management
wtd_sys_firewalld_package:
  - firewalld
# State can be present|latest|absent
wtd_sys_firewalld_package_state: "present"

## Service Management
wtd_sys_firewalld_service: "firewalld"
# State can be started|stopped
wtd_sys_firewalld_service_state: "started"
wtd_sys_firewalld_service_enabled: true

wtd_sys_firewalld_conf: []
# DefaultZone: "public"
# MinimalMark: "100"
# CleanupOnExit: "yes"
# Lockdown: "no"
# IPv6_rpfilter: "yes"
# IndividualCalls: "no"
# LogDenied: "off"
# AutomaticHelpers: "system"

## Configuration Management
wtd_sys_firewalld_rules: []
# You can specify the rules as shown below.
# State and zone are defaulting and you don't need to define them.
# - State can be enabled|disabled
# - Zone is depending on the zones defined for your system
#
# - service: httpd
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)
#
# - port: 80/tcp
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)
#
# - source: 192.168.0.0/24
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)
#
# - interface: eth0
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)
#
# - masquerade: true
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)
#
# - rich_rule: rule service name="ftp" audit limit value="1/m" accept
#   state: enabled  (defaults to enabled)
#   zone: public    (defaults to public)

Example Playbook

Running Ansible Roles can be done in a playbook.

Simple

---
- hosts: all
  roles:
    - role: while_true_do.sys_firewalld

Configure a server for public web access

- hosts: all
  roles:
    - role: while_true_do.sys_firewalld
      wtd_sys_firewalld_rules:
        - service: http
        - service: https
        - service: ssh
          zone: internal

Known Issues

1. RedHat Testing is currently not possible in public, due to limitations in subscriptions.
2. Some services and features cannot be tested properly, due to limitations in docker.
3. Firewalld and ansible_firewalld are untested for Debian Based Systems

Testing

Most of the "generic" tests are located in the Test Library.

Ansible specific testing is done with Molecule.

Infrastructure testing is done with testinfra.

Automated testing is done with Travis CI.

Contribute

Thank you so much for considering to contribute. We are very happy, when somebody is joining the hard work. Please fell free to open Bugs, Feature Requests or Pull Requests after reading the Contribution Guideline.

See who has contributed already in the kudos.txt.

License

This work is licensed under a BSD-3-Clause License.

Contact

• Site https://while-true-do.io
• Twitter https://twitter.com/wtd_news
• Code https://github.com/while-true-do
• Mail [email protected]
• IRC freenode, #while-true-do
• Telegram https://t.me/while_true_do