firewalld – Manage arbitrary ports/services with firewalld¶
Synopsis¶
- This module allows for addition or deletion of services and ports (either TCP or UDP) in either running or permanent firewalld rules.
Requirements¶
The below requirements are needed on the host that executes this module.
- firewalld >= 0.2.11
Parameters¶
Notes¶
Note
- Not tested on any Debian based system.
- Requires the python2 bindings of firewalld, which may not be installed by default.
- For distributions where the python2 firewalld bindings are unavailable (e.g Fedora 28 and later) you will have to set the ansible_python_interpreter for these hosts to the python3 interpreter path and install the python3 bindings.
- Zone transactions (creating, deleting) can be performed by using only the zone and state parameters “present” or “absent”. Note that zone transactions must explicitly be permanent. This is a limitation in firewalld. This also means that you will have to reload firewalld after adding a zone that you wish to perform immediate actions on. The module will not take care of this for you implicitly because that would undo any previously performed immediate actions which were not permanent. Therefore, if you require immediate access to a newly created zone it is recommended you reload firewalld immediately after the zone creation returns with a changed state and before you perform any other immediate, non-permanent actions on that zone.
Examples¶
- firewalld:
    service: https
    permanent: yes
    state: enabled
- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled
- firewalld:
    port: 161-162/udp
    permanent: yes
    state: enabled
- firewalld:
    zone: dmz
    service: http
    permanent: yes
    state: enabled
- firewalld:
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    permanent: yes
    state: enabled
- firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled
- firewalld:
    zone: trusted
    interface: eth2
    permanent: yes
    state: enabled
- firewalld:
    masquerade: yes
    state: enabled
    permanent: yes
    zone: dmz
- firewalld:
    zone: custom
    state: present
    permanent: yes
- firewalld:
    zone: drop
    state: present
    permanent: yes
    icmp_block_inversion: yes
- firewalld:
    zone: drop
    state: present
    permanent: yes
    icmp_block: echo-request
- name: Redirect port 443 to 8443 with Rich Rule
  firewalld:
    rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443
    zone: public
    permanent: yes
    immediate: yes
    state: enabled
Status¶
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors¶
- Adam Miller (@maxamillion)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
