Ansible - central firewall management

Hello,

In our company we want to allow central firewall management; all of the Ansible code is in git. So the idea is to add a role where we define per host or host group which rules are applicable.

When the role is added / executed on the host it should check if any rules are applicable.
We are using AWX to do the scheduled checking.

Is there any existing module that does such a thing?

Tried to fiddle around with it but can't get it to work for multiple hosts; below is my attempt.

handlers/main.yml

---
- name: Reload Firewall
  ansible.builtin.service:
    name: firewalld
    state: reloaded

tasks/main.yml

---
- name: Create Firewall rules XML files for each server
  ansible.builtin.template:
    src: "templates/firewall_rules.xml.j2"
    dest: "/etc/firewalld/services/{{ item.key }}.xml"
    mode: "0600"
  loop: "{{ firewall_ports | dict2items }}"
  when: item.key == inventory_hostname
  notify: Reload Firewall

- name: Ensure firewall rules are loaded and applied
  ansible.posix.firewalld:
    service: "{{ item.key }}"
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ firewall_ports | dict2items }}"
  when: item.key == inventory_hostname
  notify: Reload Firewall

templates/firewall_rules.xml.j2

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>{{ item.key }} Rules</short>
  <description>Firewall rules for {{ item.key }}</description>
  {% for port in item.value %}
  <port protocol="{{ port.split('/')[1] }}" port="{{ port.split('/')[0] }}"/>
  {% endfor %}
</service>

vars/main.yml

---
# vars file for firewall-management
firewall_ports:
  alain-test:
    - 443/tcp
    - 25/tcp
  NETBOX-01:
    - 80/tcp
    - 443/tcp
    - 25/tcp

This is the error returned when running on multiple hosts:

failed: [NETBOX-01] (item={'key': 'NETBOX-01', 'value': ['80/tcp', '443/tcp', '25/tcp']}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "NETBOX-01", "value": ["80/tcp", "443/tcp", "25/tcp"]}, "msg": "ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: NETBOX-01 Permanent and Non-Permanent(immediate) operation, Services are defined by port/tcp relationship and named as they are in /etc/services (on most systems)"}

firewalld requires the service argument to be a valid one:

- service
        Name of a service to add/remove to/from firewalld.
        The service must be listed in output of firewall-cmd --get-services.
        default: null
        type: str

From your error, it looks like you are passing the NETBOX-01 key as that parameter.

If you plan on passing the ports, you should check your task to use ports: instead of service:. And you would need to fix the item.key in any case to pass the correct argument, as you are sending the ports label var and not the actual port or name of the services (those would be https, http, smtp for ex.)

PS: came across this old post while searching for something else and thought I could contribute something before closing it.
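As an added example (not the original poster's role and not code from the reply above), here is one way the tasks file could look. The first task follows the reply's suggestion and passes the ports directly to the module's `port` parameter, which already expects the `443/tcp` form used in the `firewall_ports` dict, so no custom service definition is needed. The remaining tasks show the other cause of the `INVALID_SERVICE` error if you do keep the custom-service approach: firewalld only reads a new `/etc/firewalld/services/*.xml` on reload, and the notified handler normally runs at the end of the play, after the task that references the new service. `meta: flush_handlers` forces the reload first. It assumes the same `firewall_ports` dict and `Reload Firewall` handler as above, and assumes the template has been changed to read `inventory_hostname` and `firewall_ports[inventory_hostname]` instead of `item.key` / `item.value`. The final two tasks verify the result on the host rather than trusting the module's return value.

```yaml
---
# Option 1: open the ports listed for this host directly (no custom service needed).
# Hosts with no entry in firewall_ports get an empty loop and are left untouched.
- name: Open per-host ports from firewall_ports
  ansible.posix.firewalld:
    port: "{{ item }}"        # e.g. 443/tcp, same format as the vars file
    state: enabled
    permanent: true           # survives a reload / reboot
    immediate: true           # also applied to the running configuration
  loop: "{{ firewall_ports[inventory_hostname] | default([]) }}"

# Option 2: keep a custom service per host, but make firewalld load the
# definition before it is referenced by name.
- name: Install the host-specific service definition
  ansible.builtin.template:
    src: firewall_rules.xml.j2          # assumed to use inventory_hostname / firewall_ports[inventory_hostname]
    dest: "/etc/firewalld/services/{{ inventory_hostname }}.xml"
    owner: root
    group: root
    mode: "0644"
  when: inventory_hostname in firewall_ports
  notify: Reload Firewall

# Without this, "Reload Firewall" would only run at the end of the play and the
# next task would fail with INVALID_SERVICE because the service is not yet known.
- name: Reload firewalld now so the new service file is visible
  ansible.builtin.meta: flush_handlers

- name: Enable the host-specific service
  ansible.posix.firewalld:
    service: "{{ inventory_hostname }}"
    state: enabled
    permanent: true
    immediate: true
  when: inventory_hostname in firewall_ports

# Verification: read back the running configuration and assert every expected
# port is actually open, independent of what the module reported.
- name: Read open ports from the running firewalld configuration
  ansible.builtin.command: firewall-cmd --list-ports
  register: fw_open_ports
  changed_when: false

- name: Assert each expected port is open
  ansible.builtin.assert:
    that: item in fw_open_ports.stdout.split()
    fail_msg: "{{ item }} is not open on {{ inventory_hostname }}"
  loop: "{{ firewall_ports[inventory_hostname] | default([]) }}"
```

Use one option or the other, not both. The verification tasks check `--list-ports`, which covers option 1; for option 2 the ports live inside the service, so the equivalent check would be `firewall-cmd --list-services` against `inventory_hostname`.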
