codebuddy123.myfirstcollection.firewalld (1.0.0) — module

Manage arbitrary ports/services with firewalld

Authors: Adam Miller (@maxamillion)

Install collection

Install with ansible-galaxy collection install codebuddy123.myfirstcollection:==1.0.0


Add to requirements.yml

  collections:
    - name: codebuddy123.myfirstcollection
      version: 1.0.0

Description

This module allows for addition or deletion of services and ports (either TCP or UDP) in either running or permanent firewalld rules.


Requirements

Usage examples

  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
- name: permit traffic in default zone for https service
  ansible.posix.firewalld:
    service: https
    permanent: true
    state: enabled
- name: do not permit traffic in default zone on port 8081/tcp
  ansible.posix.firewalld:
    port: 8081/tcp
    permanent: true
    state: disabled
- ansible.posix.firewalld:
    port: 161-162/udp
    permanent: true
    state: enabled
- ansible.posix.firewalld:
    zone: dmz
    service: http
    permanent: true
    state: enabled
- ansible.posix.firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    permanent: true
    state: enabled
- ansible.posix.firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled
- ansible.posix.firewalld:
    zone: trusted
    interface: eth2
    permanent: true
    state: enabled
- ansible.posix.firewalld:
    masquerade: true
    state: enabled
    permanent: true
    zone: dmz
- ansible.posix.firewalld:
    zone: custom
    state: present
    permanent: true
- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    icmp_block_inversion: true
- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    icmp_block: echo-request
- ansible.posix.firewalld:
    zone: internal
    state: present
    permanent: true
    target: ACCEPT
- name: Redirect port 443 to 8443 with Rich Rule
  ansible.posix.firewalld:
    rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443
    zone: public
    permanent: true
    immediate: true
    state: enabled
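The fragments above each show one parameter in isolation. The playbook below is an added example, not part of the module's own documentation, that strings several of them together into a complete run: it creates a zone with the zone-level present state, gives it a DROP target, reloads so the permanent zone is usable at runtime, then binds a source network and a single service to it and reads the zone back with firewall-cmd --list-all so the play fails if the expected service or target is missing. The inventory group firewall_hosts, the zone name mgmt and the 192.0.2.0/24 prefix are constructed placeholders.

```yaml
---
# Added example (not from the module documentation). The host group, zone
# name and source network are constructed placeholders.
- name: Build a restricted management zone with firewalld
  hosts: firewall_hosts          # assumed inventory group
  become: true
  vars:
    mgmt_zone: mgmt              # constructed zone name
    mgmt_network: 192.0.2.0/24   # constructed documentation prefix
  tasks:
    # Zone-level operation: only zone and state are set, so the state is
    # present rather than enabled. Zone creation is permanent-only.
    - name: Ensure the zone exists
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        state: present
        permanent: true

    # Target is a zone-level, permanent-only setting; anything not explicitly
    # allowed in this zone is then dropped.
    - name: Drop everything the zone does not explicitly allow
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        target: DROP
        state: present
        permanent: true

    # A newly created permanent zone (and its target) only becomes visible
    # to runtime operations after a reload.
    - name: Reload firewalld so the new zone is live
      ansible.builtin.command: firewall-cmd --reload
      changed_when: false

    - name: Bind the management network to the zone
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        source: "{{ mgmt_network }}"
        permanent: true
        immediate: true
        state: enabled

    - name: Allow ssh in the zone
      ansible.posix.firewalld:
        zone: "{{ mgmt_zone }}"
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    # Read the runtime zone back and fail the play if the result is not
    # what the tasks above were meant to produce.
    - name: Read the zone back
      ansible.builtin.command: firewall-cmd --zone={{ mgmt_zone }} --list-all
      register: zone_state
      changed_when: false

    - name: Verify the target and the ssh service are active
      ansible.builtin.assert:
        that:
          - "'target: DROP' in zone_state.stdout"
          - "'services: ssh' in zone_state.stdout"
        fail_msg: "Zone {{ mgmt_zone }} is not in the expected state: {{ zone_state.stdout }}"
```

The read-back step is the part worth keeping in any firewalld play: the module reports changed/ok per task, but only listing the zone proves that the permanent settings survived the reload and that the runtime configuration matches what was declared.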

Inputs

port:
    description:
    - Name of a port or port range to add/remove to/from firewalld.
    - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
    type: str

zone:
    description:
    - The firewalld zone to add/remove to/from.
    - Note that the default zone can be configured per system but C(public) is default
      from upstream.
    - Available choices can be extended based on per-system configs, listed here are "out
      of the box" defaults.
    - Possible values include C(block), C(dmz), C(drop), C(external), C(home), C(internal),
      C(public), C(trusted), C(work).
    type: str

state:
    choices:
    - absent
    - disabled
    - enabled
    - present
    description:
    - Enable or disable a setting.
    - 'For ports: Should this port accept (enabled) or reject (disabled) connections.'
    - The states C(present) and C(absent) can only be used in zone level operations (i.e.
      when no other parameters but zone and state are set).
    required: true
    type: str

source:
    description:
    - The source/network you would like to add/remove to/from firewalld.
    type: str

target:
    choices:
    - default
    - ACCEPT
    - DROP
    - '%%REJECT%%'
    description:
    - The firewalld zone target.
    - If state is set to C(absent), this will reset the target to default.
    type: str
    version_added: 1.2.0
    version_added_collection: codebuddy123.myfirstcollection

offline:
    description:
    - Whether to run this module even when firewalld is offline.
    type: bool

service:
    description:
    - Name of a service to add/remove to/from firewalld.
    - The service must be listed in output of firewall-cmd --get-services.
    type: str

timeout:
    default: 0
    description:
    - The amount of time in seconds the rule should be in effect for when non-permanent.
    type: int

immediate:
    default: false
    description:
    - Should this configuration be applied immediately, if set as permanent.
    type: bool

interface:
    description:
    - The interface you would like to add/remove to/from a zone in firewalld.
    type: str

permanent:
    description:
    - Should this configuration be in the running firewalld configuration or persist across
      reboots.
    - As of Ansible 2.3, permanent operations can operate on firewalld configs when it
      is not running (requires firewalld >= 0.3.9).
    - Note that if this is C(false), immediate is assumed C(true).
    type: bool

rich_rule:
    description:
    - Rich rule to add/remove to/from firewalld.
    - See L(Syntax for firewalld rich language rules,https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html).
    type: str

icmp_block:
    description:
    - The ICMP block you would like to add/remove to/from a zone in firewalld.
    type: str

masquerade:
    description:
    - The masquerade setting you would like to enable/disable for a zone in firewalld.
    type: str

port_forward:
    description:
    - Port and protocol to forward using firewalld.
    elements: dict
    suboptions:
      port:
        description:
        - Source port to forward from
        required: true
        type: str
      proto:
        choices:
        - udp
        - tcp
        description:
        - Protocol to forward.
        required: true
        type: str
      toaddr:
        description:
        - Optional address to forward to
        type: str
      toport:
        description:
        - Destination port.
        required: true
        type: str
    type: list

icmp_block_inversion:
    description:
    - Enable/Disable inversion of ICMP blocks for a zone in firewalld.
    type: str
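The port_forward option above has no usage example on this page, and the permanent, immediate and timeout options are easy to combine wrongly. The play below is an added example, not part of the module's own documentation, showing a permanent plus immediate port forward built from the port, proto and toport suboptions, a runtime-only opening that relies on the documented rule that permanent false implies immediate and that timeout only applies to non-permanent rules, and a read-back that checks both. The inventory group firewall_hosts and the port numbers are constructed placeholders.

```yaml
---
# Added example (not from the module documentation). The host group and
# the port numbers are constructed placeholders.
- name: Forward a public port and open a time-limited diagnostic port
  hosts: firewall_hosts          # assumed inventory group
  become: true
  tasks:
    # port_forward takes a list of dicts; port, proto and toport are
    # required, toaddr is optional and omitted here so the forward stays on
    # the local host. permanent together with immediate writes the permanent
    # configuration and applies it to the running firewall in one task.
    - name: Redirect 443/tcp to the application listening on 8443/tcp
      ansible.posix.firewalld:
        zone: public
        port_forward:
          - port: "443"
            proto: tcp
            toport: "8443"
        permanent: true
        immediate: true
        state: enabled

    # Runtime-only rule: permanent is false, so immediate is implied, and
    # timeout (seconds, non-permanent only) makes firewalld remove the
    # opening on its own after ten minutes without a follow-up play.
    - name: Open 9090/tcp for ten minutes only
      ansible.posix.firewalld:
        zone: public
        port: 9090/tcp
        permanent: false
        timeout: 600
        state: enabled

    - name: Read the runtime public zone back
      ansible.builtin.command: firewall-cmd --zone=public --list-all
      register: public_zone
      changed_when: false

    # --list-all prints forwards as port=443:proto=tcp:toport=8443:toaddr=
    # and plain ports under "ports:", so both substrings must be present.
    - name: Check both rules are live
      ansible.builtin.assert:
        that:
          - "'port=443:proto=tcp:toport=8443' in public_zone.stdout"
          - "'9090/tcp' in public_zone.stdout"
        fail_msg: "public zone does not contain the expected rules: {{ public_zone.stdout }}"
```

Note what the second task does not do: because it is runtime-only, a firewall-cmd --reload or a host reboot discards it early, and because it has a timeout it disappears even without one, so a later run of the same play will report it as changed again; that is the intended behaviour for a temporary opening, not a drift to be fixed by making it permanent.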