Chapter 9. Configuring firewalld using System Roles
You can use the firewall
System Role to configure settings of the firewalld
service on multiple clients at once. This solution:
- Provides an interface with efficient input settings.
-
Keeps all intended
firewalld
parameters in one place.
After you run the firewall
role on the control node, the System Role applies the firewalld
parameters to the managed node immediately and makes them persistent across reboots.
9.1. Introduction to the firewall
RHEL System Role
RHEL System Roles is a set of contents for the Ansible automation utility. This content together with the Ansible automation utility provides a consistent configuration interface to remotely manage multiple systems.
The rhel-system-roles.firewall
role from the RHEL System Roles was introduced for automated configurations of the firewalld
service. The rhel-system-roles
package contains this System Role, and also the reference documentation.
To apply the firewalld
parameters on one or more systems in an automated fashion, use the firewall
System Role variable in a playbook. A playbook is a list of one or more plays that is written in the text-based YAML format.
You can use an inventory file to define a set of systems that you want Ansible to configure.
With the firewall
role you can configure many different firewalld
parameters, for example:
- Zones.
- The services for which packets should be allowed.
- Granting, rejection, or dropping of traffic access to ports.
- Forwarding of ports or port ranges for a zone.
Additional resources
-
README.md
andREADME.html
files in the/usr/share/doc/rhel-system-roles/firewall/
directory - Working with playbooks
- How to build your inventory
9.2. Resetting the firewalld settings using the firewall RHEL System Role
With the firewall
RHEL system role, you can reset the firewalld
settings to their default state. If you add the previous:replaced
parameter to the variable list, the System Role removes all existing user-defined settings and resets firewalld
to the defaults. If you combine the previous:replaced
parameter with other settings, the firewall
role removes all existing settings before applying new ones.
Perform this procedure on the Ansible control node.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on the them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/reset-firewalld.yml
, with the following content:--- - name: Reset firewalld example hosts: managed-node-01.example.com tasks: - name: Reset firewalld include_role: name: rhel-system-roles.firewall vars: firewall: - previous: replaced
Run the playbook:
# ansible-playbook ~/configuring-a-dmz.yml
Verification
Run this command as
root
on the managed node to check all the zones:# firewall-cmd --list-all-zones
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.firewall/README.md
-
ansible-playbook(1)
-
firewalld(1)
9.3. Forwarding incoming traffic from one local port to a different local port
With the firewall
role you can remotely configure firewalld
parameters with persisting effect on multiple managed hosts.
Perform this procedure on the Ansible control node.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on the them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/port_forwarding.yml
, with the following content:--- - name: Configure firewalld hosts: managed-node-01.example.com tasks: - name: Forward incoming traffic on port 8080 to 443 include_role: name: rhel-system-roles.firewall vars: firewall: - { forward_port: 8080/tcp;443;, state: enabled, runtime: true, permanent: true }
Run the playbook:
# ansible-playbook ~/port_forwarding.yml
Verification
On the managed host, display the
firewalld
settings:# firewall-cmd --list-forward-ports
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.firewall/README.md
9.4. Configuring ports using System Roles
You can use the RHEL firewall
System Role to open or close ports in the local firewall for incoming traffic and make the new configuration persist across reboots. For example you can configure the default zone to permit incoming traffic for the HTTPS service.
Perform this procedure on the Ansible control node.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on the them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/opening-a-port.yml
, with the following content:--- - name: Configure firewalld hosts: managed-node-01.example.com tasks: - name: Allow incoming HTTPS traffic to the local host include_role: name: rhel-system-roles.firewall vars: firewall: - port: 443/tcp service: http state: enabled runtime: true permanent: true
The
permanent: true
option makes the new settings persistent across reboots.Run the playbook:
# ansible-playbook ~/opening-a-port.yml
Verification
On the managed node, verify that the
443/tcp
port associated with theHTTPS
service is open:# firewall-cmd --list-ports 443/tcp
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.firewall/README.md
9.5. Configuring a DMZ firewalld zone by using the firewalld
RHEL System Role
As a system administrator, you can use the firewall
System Role to configure a dmz
zone on the enp1s0 interface to permit HTTPS
traffic to the zone. In this way, you enable external users to access your web servers.
Perform this procedure on the Ansible control node.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on the them. - The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
Create a playbook file, for example
~/configuring-a-dmz.yml
, with the following content:--- - name: Configure firewalld hosts: managed-node-01.example.com tasks: - name: Creating a DMZ with access to HTTPS port and masquerading for hosts in DMZ include_role: name: rhel-system-roles.firewall vars: firewall: - zone: dmz interface: enp1s0 service: https state: enabled runtime: true permanent: true
Run the playbook:
# ansible-playbook ~/configuring-a-dmz.yml
Verification
On the managed node, view detailed information about the
dmz
zone:# firewall-cmd --zone=dmz --list-all dmz (active) target: default icmp-block-inversion: no interfaces: enp1s0 sources: services: https ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks:
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.firewall/README.md