ansible.posix.firewalld module (ansible.posix 1.5.4): Manage arbitrary ports/services with firewalld
Author: Adam Miller (@maxamillion)

Install with:
    ansible-galaxy collection install ansible.posix:==1.5.4

Or in a requirements.yml:

```yaml
collections:
  - name: ansible.posix
    version: 1.5.4
```
This module allows for addition or deletion of services and ports (either TCP or UDP) in either running or permanent firewalld rules.
Examples:

```yaml
- name: permit traffic in default zone for https service
  ansible.posix.firewalld:
    service: https
    permanent: true
    state: enabled

- name: permit ospf traffic
  ansible.posix.firewalld:
    protocol: ospf
    permanent: true
    state: enabled

- name: do not permit traffic in default zone on port 8081/tcp
  ansible.posix.firewalld:
    port: 8081/tcp
    permanent: true
    state: disabled

- ansible.posix.firewalld:
    port: 161-162/udp
    permanent: true
    state: enabled

- ansible.posix.firewalld:
    zone: dmz
    service: http
    permanent: true
    state: enabled

- ansible.posix.firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    permanent: true
    state: enabled

- ansible.posix.firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled

- ansible.posix.firewalld:
    zone: trusted
    interface: eth2
    permanent: true
    state: enabled

- ansible.posix.firewalld:
    masquerade: true
    state: enabled
    permanent: true
    zone: dmz

- ansible.posix.firewalld:
    zone: custom
    state: present
    permanent: true

- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    icmp_block_inversion: true

- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    icmp_block: echo-request

- ansible.posix.firewalld:
    zone: internal
    state: present
    permanent: true
    target: ACCEPT

- name: Redirect port 443 to 8443 with Rich Rule
  ansible.posix.firewalld:
    rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443
    zone: public
    permanent: true
    immediate: true
    state: enabled
```
Parameters:

port (type: str)
  - Name of a port or port range to add/remove to/from firewalld.
  - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.

zone (type: str)
  - The firewalld zone to add/remove to/from.
  - Note that the default zone can be configured per system, but C(public) is the upstream default.
  - Available choices can be extended by per-system configs; listed here are the "out of the box" defaults.
  - Possible values include C(block), C(dmz), C(drop), C(external), C(home), C(internal), C(public), C(trusted), C(work).

state (type: str, required)
  - Choices: absent, disabled, enabled, present
  - Enable or disable a setting.
  - For ports: should this port accept (enabled) or reject (disabled) connections.
  - The states C(present) and C(absent) can only be used in zone-level operations (i.e. when no other parameters but zone and state are set).

source (type: str)
  - The source/network you would like to add/remove to/from firewalld.

target (type: str; added in ansible.posix 1.2.0)
  - Choices: default, ACCEPT, DROP, %%REJECT%%
  - firewalld zone target.
  - If state is set to C(absent), this will reset the target to default.

offline (type: bool)
  - Whether to run this module even when firewalld is offline.

service (type: str)
  - Name of a service to add/remove to/from firewalld.
  - The service must be listed in the output of firewall-cmd --get-services.

timeout (type: int, default: 0)
  - The amount of time in seconds the rule should be in effect for when non-permanent.

protocol (type: str)
  - Name of a protocol to add/remove to/from firewalld.

immediate (type: bool, default: false)
  - Should this configuration be applied immediately, if set as permanent.

interface (type: str)
  - The interface you would like to add/remove to/from a zone in firewalld.

permanent (type: bool)
  - Should this configuration be in the running firewalld configuration or persist across reboots.
  - As of Ansible 2.3, permanent operations can operate on firewalld configs when it is not running (requires firewalld >= 0.3.9).
  - Note that if this is C(false), immediate is assumed C(true).

rich_rule (type: str)
  - Rich rule to add/remove to/from firewalld.
  - See L(Syntax for firewalld rich language rules,https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html).

icmp_block (type: str)
  - The ICMP block you would like to add/remove to/from a zone in firewalld.

masquerade (type: str)
  - The masquerade setting you would like to enable/disable to/from zones within firewalld.

port_forward (type: list, elements: dict)
  - Port and protocol to forward using firewalld.
  - Suboptions:
      port (type: str, required): Source port to forward from.
      proto (type: str, required; choices: udp, tcp): Protocol to forward.
      toaddr (type: str): Optional address to forward to.
      toport (type: str, required): Destination port.

icmp_block_inversion (type: str)
  - Enable/Disable inversion of ICMP blocks for a zone in firewalld.
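The interaction between permanent and immediate above is the part that causes surprises in practice: with permanent: true and immediate left at its default, only the saved configuration changes and the running firewall is unchanged until a reload. The play below is an added example (not from the collection's own documentation) that applies a change to both configurations and reads them back with firewall-cmd to confirm they agree; the inventory group firewall_hosts and the choice of the dmz zone are assumptions.

```yaml
---
- name: Allow https in the dmz zone, persistently and in the running config
  hosts: firewall_hosts        # assumed inventory group
  become: true
  tasks:
    - name: Permit https in zone dmz (saved config and live firewall)
      ansible.posix.firewalld:
        zone: dmz
        service: https
        permanent: true
        immediate: true       # without this only the saved config changes
        state: enabled

    - name: Remove 8081/tcp from zone dmz in both configurations
      ansible.posix.firewalld:
        zone: dmz
        port: 8081/tcp
        permanent: true
        immediate: true
        state: disabled

    - name: Read back the running service list for dmz
      ansible.builtin.command: firewall-cmd --zone=dmz --list-services
      register: running_services
      changed_when: false

    - name: Read back the permanent service list for dmz
      ansible.builtin.command: firewall-cmd --zone=dmz --permanent --list-services
      register: permanent_services
      changed_when: false

    - name: Read back the permanent port list for dmz
      ansible.builtin.command: firewall-cmd --zone=dmz --permanent --list-ports
      register: permanent_ports
      changed_when: false

    - name: Fail unless running and permanent configurations both match the intent
      ansible.builtin.assert:
        that:
          - "'https' in running_services.stdout.split()"
          - "'https' in permanent_services.stdout.split()"
          - "'8081/tcp' not in permanent_ports.stdout.split()"
        fail_msg: "dmz zone: running and permanent firewalld configs disagree with the intended rules"
```

The same read-back pattern is how a drift check is done: rerun only the command and assert tasks and a failure tells you the on-disk and running rule sets have diverged.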