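---
# firewalld tasks: enable the daemon, set the default zone, then apply the
# source / interface / service / port / rich / direct rules driven by the
# firewalld_* role variables. Handlers used: "Restart fail2ban" and
# "Reload firewall config".
- block:
    - name: Ensure that the service is enabled and started
      service:
        name: firewalld
        state: started
        enabled: true
      notify: Restart fail2ban

    # Exposure of ssh on the default zone is deliberate; rate limiting of
    # failed logins is delegated to fail2ban.
    - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
      firewalld:
        service: ssh
        zone: "{{ firewalld_default_zone }}"
        permanent: true
        state: enabled
        immediate: true
      when: firewalld_ssh_enabled_on_default_zone | bool

    # Set early so the rules below are interpreted against the intended default
    # zone; the same command is repeated as the last task of the block.
    - name: Set the firewalld default zone.
      command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}

    # Every item must carry cidr, zone, permanent and state (no defaults here).
    - name: Add sources to the availability zones, if any
      firewalld:
        source: "{{ item.cidr }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_src_rules | default([]) }}"

    - name: Assign interfaces to firewalld zones if needed
      firewalld:
        zone: "{{ item.zone }}"
        interface: "{{ item.interface }}"
        permanent: "{{ item.permanent | default(True) }}"
        state: "{{ item.state | default('enabled') }}"
        immediate: true
      with_items: "{{ firewalld_zones_interfaces | default([]) }}"
      when:
        - firewalld_zones_interfaces is defined
        - item.interface is defined
        - item.zone is defined

    # The next three tasks walk the same firewalld_rules list; each item is
    # picked up by whichever key it defines (service, port+protocol, rich_rule).
    - name: >-
        Manage services firewalld rules. Services names must be the known ones.
        Save the services that are meant to be permanent
      firewalld:
        service: "{{ item.service }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(False) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules }}"
      when:
        - firewalld_rules is defined
        - item.service is defined

    - name: Save the ports firewalld rules that need to be permanent
      firewalld:
        port: "{{ item.port }}/{{ item.protocol }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(False) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules }}"
      when:
        - firewalld_rules is defined
        - item.port is defined
        - item.protocol is defined

    - name: Save the rich_rules firewalld rules that need to be permanent
      firewalld:
        rich_rule: "{{ item.rich_rule }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(False) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules }}"
      when:
        - firewalld_rules is defined
        - item.rich_rule is defined
      notify: Reload firewall config

    # The marker file used by `creates` is written only after firewall-cmd
    # succeeds, so a rule that failed to apply is retried on the next run
    # instead of being skipped forever. item.action is a raw firewall-cmd
    # argument string and is intentionally left unquoted; it must only come
    # from trusted role/inventory variables.
    - name: Enable the firewall-cmd direct passthrough rules
      shell: firewall-cmd --direct --passthrough {{ item.action }} && touch /etc/firewalld/.{{ item.label }}
      args:
        creates: /etc/firewalld/.{{ item.label }}
      with_items: "{{ firewalld_direct_rules }}"
      when:
        - firewalld_direct_rules is defined
        - item.action is defined

    # No `creates` guard here: this command is re-run (and reported as changed)
    # on every play.
    - name: Set the firewall-cmd direct passthrough rules as permanent ones
      command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
      with_items: "{{ firewalld_direct_rules }}"
      when:
        - firewalld_direct_rules is defined
        - item.action is defined

    - name: >-
        Add new not yet defined services, if any.
        They need an additional task to really install a meaningful service config file
      command: firewall-cmd --new-service={{ item.name }} --permanent
      args:
        creates: "/etc/firewalld/services/{{ item.name }}.xml"
      with_items: "{{ firewalld_new_services }}"
      when: firewalld_new_services is defined
      notify: Reload firewall config

    # Overwrites the placeholder created by --new-service with the role's
    # own <name>.xml from files/.
    - name: Install the custom firewall services
      copy:
        src: "{{ item.name }}.xml"
        dest: "/etc/firewalld/services/{{ item.name }}.xml"
      with_items: "{{ firewalld_new_services }}"
      when: firewalld_new_services is defined
      notify: Reload firewall config

    # Every item must carry zone, permanent and state (no defaults here).
    - name: Manage the custom services firewalld rules.
      firewalld:
        service: "{{ item.name }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_new_services }}"
      when:
        - firewalld_new_services is defined
        - item.name is defined
      notify: Reload firewall config

    # Last one to not take ourselves out
    - name: Set the firewalld default zone.
      command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
  # NOTE(review): when/tags are treated as block-level (gating the whole
  # firewalld setup) — confirm against the original indentation.
  when: firewalld_enabled
  tags: ['iptables', 'firewall', 'firewalld']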