Hi,
I’m currently configuring FirewallD on a router running Rocky Linux, and so far the configuration looks nice. Here’s my corresponding role:
```yaml
---
# configure_firewalld/tasks/main.yml

###################
# Basic FirewallD #
###################

- name: Check network parameters
  ansible.builtin.assert:
    that:
      - interface_wan is defined
      - interface_lan is defined
    fail_msg: Missing network parameter

- name: Install FirewallD
  ansible.builtin.dnf:
    name: firewalld
    state: present

- name: Enable and start FirewallD
  ansible.builtin.service:
    name: firewalld
    enabled: true
    state: started

- name: Associate external zone to WAN network interface
  ansible.posix.firewalld:
    zone: external
    interface: "{{ interface_wan }}"
    state: enabled
    permanent: true
    immediate: true

- name: Associate internal zone to LAN network interface
  ansible.posix.firewalld:
    zone: internal
    interface: "{{ interface_lan }}"
    state: enabled
    permanent: true
    immediate: true

- name: Enable IP masquerading
  ansible.posix.firewalld:
    masquerade: true
    state: enabled
    zone: internal
    permanent: true
    immediate: true

- name: Remove all predefined services except SSH from internal zone
  ansible.posix.firewalld:
    zone: internal
    service: "{{ item }}"
    state: disabled
    permanent: true
    immediate: true
  loop:
    - cockpit
    - dhcpv6-client
    - mdns
    - samba-client

# We're doing this here since Dnsmasq is already up & running
- name: Allow DNS & DHCP
  ansible.posix.firewalld:
    zone: internal
    service: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop:
    - dns
    - dhcp
...
```
So far this configuration works as expected. But there’s one little detail that I couldn’t figure out. I can’t seem to do this:

```
# firewall-cmd --set-default-zone=internal
```

Is this a bug in the ansible.posix.firewalld module? It’s not really a showstopper, since I can still display my firewall configuration by specifying the zone explicitly.
Any suggestions?
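One way to set the default zone from the same role, as an added example that is not part of the original post: it assumes ansible.posix.firewalld exposes no default-zone option and calls firewall-cmd directly, reading the current value first so the play stays idempotent; `default_zone` is a hypothetical variable, `interface_wan` comes from the role above.

```yaml
# Added example, not from the original post. Assumes ansible.posix.firewalld
# has no option for the default zone, so firewall-cmd is invoked directly.
# `default_zone` is a hypothetical variable (e.g. set to "internal").
- name: Read current default zone
  ansible.builtin.command: firewall-cmd --get-default-zone
  register: current_default_zone
  changed_when: false
  check_mode: false

- name: Set default zone
  # --set-default-zone updates both the runtime and the permanent configuration
  ansible.builtin.command: "firewall-cmd --set-default-zone={{ default_zone }}"
  when: current_default_zone.stdout != default_zone

# Sanity check: the default zone only applies to interfaces with no explicit
# zone binding, so the WAN interface must still land in the external zone.
- name: Verify WAN interface is still bound to the external zone
  ansible.builtin.command: "firewall-cmd --get-zone-of-interface={{ interface_wan }}"
  register: wan_zone
  changed_when: false
  failed_when: wan_zone.stdout != 'external'
```

The last task is the check worth keeping on a router: a more permissive default zone is harmless only while every real interface is explicitly bound elsewhere, and `firewall-cmd --get-active-zones` shows that binding at a glance.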