There's already a module for firewalld.
Some folks, like the Fedora setup playbooks, use lokkit in their plays.
I'm talking about production systems not Fedora.
You'd maybe be surprised but Fedora is used in production in some cases.
It's used in some chip design clusters, super computing, and other places.
For complex installs, I still highly recommend writing a template for
your iptables file (etc) and basing that on the group membership of your
hosts, which is easy to do and appropriate.
Drilling holes in your firewall doesn't really account for the "chained"
nature of firewall rules and is a bit basic, and not always appropriate,
nor does it model all they can do.
I don't know what kind of template you are referring to. iptables does not
have a conf file. It has its own persistence format but that is not the
same thing.
Incorrect.
What you produce with /sbin/iptables save can be in fact templated, and
will be used when the service is restarted.
It is in fact configuration.
Further, making the explicit choice about what you are letting through is
important -- rather than letting some roles you downloaded from the
internet decide.
I didn't reference "some roles you download from the Internet" I
referenced Ansible Galaxy. A proper role will provide sensible defaults
(like UDP 67,68 for DHCP) and allow the ports to be configured through
local variables. That is how all good roles should work.
Ansible galaxy is a public site where anyone with a role on github can add
it to the system, so it's basically the internet. Content there is not
blessed or official in any way.
The role can't really declare the ports it needs so easily either -- as
those might be parameterized. And in many cases iptables configuration
is more complicated than generically opening up a port on all interfaces.
This is where basic management of a firewall starts to break down.
There are many that would be scared if roles in Galaxy started poking holes
in my firewall, which is why we don't do it by default.
Plus, the aforementioned groups that want to maintain their own firewall
configurations, which we suggest, and you can see an example of here:
https://github.com/ansible/ansible-examples/blob/master/lamp_haproxy/roles/common/templates/iptables.j2
Yes, it takes an extra minute or two here or there -- but I think
constructing your firewall rules via template is still worthwhile, and will
make sure you are using the features you need to be using.
Then it's just a "notify: restart iptables" away, and so forth.
It isn't that simple nor does Ansible handle this case. The rule chains
are additive across roles and order is important.
The basic process is:
- Base role: Setup firewall and insert base rules
- Role1 : add rules
- Role 2: add rules
- Playbook is done. Add closing rules. Restart and save iptables. This
spans inventory groups in addition to roles.
Yep this is exactly the point I'm making as why we shouldn't just drill
holes.
I think we're getting somewhere here.
Have you looked at the 'assemble' module for assembling a configuration
file out of fragments? This isn't ideal in this case nor generalically
applicable to Galaxy, but may be closer to what you are wanting.
Maybe there is another way to do it. That's fine. The point is that the
roles be able to add their own custom rules without having to understand
what other roles are doing. This is a common Unix idiom where there is a
"conf.d" directory and applications place custom file snippets in it. If
order is important then they are often named 01file, 02file, etc. This is
the pattern I am arguing for implementing as an Ansible module.
assemble is there to provide conf.d to systems that don't have it.
http://docs.ansible.com/assemble_module.html
I'm still against applying that generically for firewall setup to all
galaxy roles and believe people should make their own choices in this
regard.