community.general.firewalld (0.2.1) — module

Manage arbitrary ports/services with firewalld

Authors: Adam Miller (@maxamillion)

Install collection

Install with ansible-galaxy collection install community.general:==0.2.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.2.1

Description

This module allows for addition or deletion of services and ports (either TCP or UDP) in either running or permanent firewalld rules.


Requirements

Usage examples

- firewalld:
    service: https
    permanent: yes
    state: enabled
- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled
- firewalld:
    port: 161-162/udp
    permanent: yes
    state: enabled
- firewalld:
    zone: dmz
    service: http
    permanent: yes
    state: enabled
- firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    permanent: yes
    state: enabled
- firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled
- firewalld:
    zone: trusted
    interface: eth2
    permanent: yes
    state: enabled
- firewalld:
    masquerade: yes
    state: enabled
    permanent: yes
    zone: dmz
- firewalld:
    zone: custom
    state: present
    permanent: yes
- firewalld:
    zone: drop
    state: enabled
    permanent: yes
    icmp_block_inversion: yes
- firewalld:
    zone: drop
    state: enabled
    permanent: yes
    icmp_block: echo-request
- firewalld:
    zone: internal
    state: present
    permanent: yes
    target: ACCEPT
- name: Redirect port 443 to 8443 with Rich Rule
  firewalld:
    rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443
    zone: public
    permanent: yes
    immediate: yes
    state: enabled

Inputs

port:
    description:
    - Name of a port or port range to add/remove to/from firewalld.
    - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
    type: str

zone:
    description:
    - The firewalld zone to add/remove to/from.
    - Note that the default zone can be configured per system but C(public) is default
      from upstream.
    - Available choices can be extended based on per-system configs, listed here are "out
      of the box" defaults.
    - Possible values include C(block), C(dmz), C(drop), C(external), C(home), C(internal),
      C(public), C(trusted), C(work).
    type: str

state:
    choices:
    - absent
    - disabled
    - enabled
    - present
    description:
    - Enable or disable a setting.
    - 'For ports: Should this port accept (enabled) or reject (disabled) connections.'
    - The states C(present) and C(absent) can only be used in zone level operations (i.e.
      when no other parameters but zone and state are set).
    required: true
    type: str

source:
    description:
    - The source/network you would like to add/remove to/from firewalld.
    type: str

target:
    choices:
    - default
    - ACCEPT
    - DROP
    - REJECT
    description:
    - The firewalld zone target.
    - If state is set to C(absent), this resets the target to C(default).
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

offline:
    description:
    - Whether to run this module even when firewalld is offline.
    type: bool

service:
    description:
    - Name of a service to add/remove to/from firewalld.
    - The service must be listed in output of firewall-cmd --get-services.
    type: str

timeout:
    default: 0
    description:
    - The amount of time the rule should remain in effect when it is non-permanent.
    type: int

immediate:
    default: false
    description:
    - Should this configuration be applied immediately, if set as permanent.
    type: bool

interface:
    description:
    - The interface you would like to add/remove to/from a zone in firewalld.
    type: str

permanent:
    description:
    - Should this configuration be in the running firewalld configuration or persist across
      reboots.
    - As of Ansible 2.3, permanent operations can operate on firewalld configs when it
      is not running (requires firewalld >= 3.0.9).
    - Note that if this is C(no), immediate is assumed C(yes).
    type: bool

rich_rule:
    description:
    - Rich rule to add/remove to/from firewalld.
    type: str

icmp_block:
    description:
    - The ICMP block you would like to add/remove to/from a zone in firewalld.
    type: str

masquerade:
    description:
    - Enable/disable masquerading for a zone in firewalld.
    type: str

icmp_block_inversion:
    description:
    - Enable/Disable inversion of ICMP blocks for a zone in firewalld.
    type: str