{"id":5713,"date":"2024-02-27T13:22:00","date_gmt":"2024-02-27T19:22:00","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=5713"},"modified":"2024-02-27T12:32:03","modified_gmt":"2024-02-27T18:32:03","slug":"configuring-firewalld-with-ansible","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/configuring-firewalld-with-ansible\/","title":{"rendered":"Configuring Firewalld with Ansible"},"content":{"rendered":"\n<p>We&#8217;ll be using Ansible to change and maintain our firewall settings on a server.<\/p>\n\n\n\n<p>The playbook will do the following.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Set the default zone to drop (drops all external traffic to the server)<\/li>\n\n\n\n<li>Set a zone for internal access<\/li>\n\n\n\n<li>Allow access from RFC1918 addresses to the internal zone (any local IP address will be able to access the server)<\/li>\n\n\n\n<li>Enable the services and ports specified in the vars section<\/li>\n\n\n\n<li>Disable the services listed in the firewall_disable_services variable<\/li>\n<\/ol>\n\n\n\n<p>Modify the variables as needed for your server(s). You can also add or move the variables to the inventory or host_vars files.<\/p>\n\n\n\n<p>If you need to create an inventory file, refer to the first part of this post:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-incredigeek wp-block-embed-incredigeek\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"48fXazIWx8\"><a href=\"https:\/\/www.incredigeek.com\/home\/ansible-playbook-for-updating-linux-debian-ubuntu\/\">Ansible Playbook for Updating Linux (Debian\/Ubuntu)<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<p><strong>BE CAREFUL CHANGING FIREWALL SETTINGS!!! IMPROPER SETTINGS COULD RENDER THE SERVER INACCESSIBLE!!!<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Playbook for firewalld<\/h2>\n\n\n\n<p>Change the variables under the vars section.<\/p>\n\n\n\n<pre class=\"wp-block-code has-dark-gray-background-color has-background\"><code lang=\"yaml\" class=\"language-yaml line-numbers\">---\n- name: Configure firewalld\n  hosts: rhel\n  gather_facts: yes\n  become: yes\n\n  vars:\n    # Source ranges (RFC1918) granted access to the internal zone\n    firewall_allowed_ips:\n      - 10.0.0.0\/8\n      - 172.16.0.0\/12\n      - 192.168.0.0\/16\n    # Services and ports opened in the internal zone\n    firewall_allowed_services:\n      - ssh\n      - https\n      - snmp\n    firewall_allowed_ports:\n      - \"2222\/tcp\"\n    # Services to remove from the internal zone\n    firewall_disable_services:\n      - cockpit\n      - dhcpv6-client\n      - mdns\n      - samba-client\n\n  tasks:\n  # firewall-cmd prints a ZONE_ALREADY_SET warning on stderr when the\n  # default zone is already drop, so only report a change otherwise\n  - name: Set default zone to drop\n    ansible.builtin.command: firewall-cmd --set-default-zone=drop\n    register: default_zone_set\n    changed_when:\n      - '\"ZONE_ALREADY_SET\" not in default_zone_set.stderr'\n\n  # permanent + immediate applies each change to both the saved and\n  # the running configuration\n  - name: Enable and allow access to internal zone from RFC1918 addresses\n    ansible.posix.firewalld:\n      source: \"{{ item }}\"\n      zone: internal\n      permanent: true\n      immediate: true\n      state: enabled\n    with_items: \"{{ firewall_allowed_ips }}\"\n\n  - name: Disable unused services for internal zone\n    ansible.posix.firewalld:\n      service: \"{{ item }}\"\n      zone: internal\n      permanent: true\n      immediate: true\n      state: disabled\n    with_items: \"{{ firewall_disable_services }}\"\n\n  - name: Set services for internal zone\n    ansible.posix.firewalld:\n      service: \"{{ item }}\"\n      zone: internal\n      permanent: true\n      immediate: true\n      state: enabled\n    with_items: \"{{ firewall_allowed_services }}\"\n\n  - name: Set custom ports for internal zone\n    ansible.posix.firewalld:\n      port: \"{{ item }}\"\n      zone: internal\n      permanent: true\n      immediate: true\n      state: enabled\n    with_items: \"{{ firewall_allowed_ports }}\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Helpful links<\/h2>\n\n\n\n<p><a href=\"https:\/\/docs.ansible.com\/ansible\/latest\/collections\/ansible\/posix\/firewalld_module.html#parameter-source\">https:\/\/docs.ansible.com\/ansible\/latest\/collections\/ansible\/posix\/firewalld_module.html#parameter-source<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/stackoverflow.com\/questions\/51563643\/how-to-change-firewalld-zone-using-ansible\">https:\/\/stackoverflow.com\/questions\/51563643\/how-to-change-firewalld-zone-using-ansible<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.middlewareinventory.com\/blog\/ansible-firewalld\/\">https:\/\/www.middlewareinventory.com\/blog\/ansible-firewalld\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ll be using Ansible to change and maintain our firewall settings on a server. The playbook will do the following. Modify the variables as needed for your server(s). You can also add or move the variables to the inventory or &hellip; <a href=\"https:\/\/www.incredigeek.com\/home\/configuring-firewalld-with-ansible\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1646,1647,1661,1],"tags":[1193,244,160,205,1200,538],"class_list":["post-5713","post","type-post","status-publish","format-standard","hentry","category-ansible","category-automation","category-playbooks","category-uncategorized","tag-ansible","tag-automation","tag-firewall","tag-firewalld","tag-playbook","tag-rhel"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=5713"}],"version-history":[{"count":9,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5713\/revisions"}],"predecessor-version":[{"id":5723,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5713\/revisions\/5723"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=5713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=5713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=5713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}