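---
# firewalld tasks: service state, custom service definitions, zone sources and
# interfaces, service/port/rich rules, direct passthrough rules and the default
# zone. Every task sits in one block so the tags at the bottom cover all of them.
# Task order matters: anything that can cut the Ansible ssh session (a reload,
# the default zone switch) is placed so that ssh access is already in place.
- block:
    - name: Ensure that the service is enabled and started
      service:
        name: firewalld
        state: started
        enabled: true
      # The fail2ban handler lives elsewhere in the role. Restarting fail2ban
      # when firewalld is (re)started presumably lets it re-create its own
      # chains in the fresh rule set -- confirm against the handler definition.
      notify: Restart fail2ban

    # Custom service definitions are installed before any rule is added:
    # firewalld only reads new service files on reload, and a reload replaces
    # the runtime configuration with the permanent one, which would drop the
    # runtime-only rules (permanent defaults to false below) added by later
    # tasks. Reloading here lets "Manage the custom services firewalld rules"
    # further down enable the new services with immediate=True.
    - name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
      command: firewall-cmd --new-service={{ item.name }} --permanent
      args:
        creates: "/etc/firewalld/services/{{ item.name }}.xml"
      with_items: "{{ firewalld_new_services | default([]) }}"
      when: item.name is defined
      notify: Reload firewall config

    - name: Install the custom firewall services
      copy:
        src: "{{ item.name }}.xml"
        dest: "/etc/firewalld/services/{{ item.name }}.xml"
      with_items: "{{ firewalld_new_services | default([]) }}"
      when: item.name is defined
      register: firewalld_custom_services
      notify: Reload firewall config

    - name: Reload firewalld so that changed custom service definitions are known at runtime
      command: firewall-cmd --reload
      when: firewalld_custom_services.changed | default(false)

    # Runs before the default zone is switched (last tasks) so the zone already
    # accepts ssh when it becomes the default and the Ansible session survives.
    # Security note: this opens ssh to every source address reaching the
    # default zone; fail2ban only rate-limits failed logins, it is not access
    # control. Prefer restricting sources (firewalld_src_rules, or a rich rule
    # with a source address) where the environment allows it.
    - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
      firewalld:
        service: ssh
        zone: "{{ firewalld_default_zone }}"
        permanent: true
        immediate: true
        state: enabled
      when: firewalld_ssh_enabled_on_default_zone | bool

    # Each item must carry cidr, zone, permanent and state; no defaults here.
    - name: Add sources to the availability zones, if any
      firewalld:
        source: "{{ item.cidr }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_src_rules | default([]) }}"

    - name: Assign interfaces to firewalld zones if needed
      firewalld:
        zone: "{{ item.zone }}"
        interface: "{{ item.interface }}"
        permanent: "{{ item.permanent | default(true) }}"
        state: "{{ item.state | default('enabled') }}"
        immediate: true
      with_items: "{{ firewalld_zones_interfaces | default([]) }}"
      when:
        - item.interface is defined
        - item.zone is defined

    # firewalld_rules is a single list; each item is dispatched by its keys:
    # service -> service rule, port + protocol -> port rule, rich_rule -> rich
    # rule. Rules are runtime-only unless the item sets permanent: true.
    - name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
      firewalld:
        service: "{{ item.service }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(false) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules | default([]) }}"
      when: item.service is defined

    - name: Save the ports firewalld rules that need to be permanent
      firewalld:
        port: "{{ item.port }}/{{ item.protocol }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(false) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules | default([]) }}"
      when:
        - item.port is defined
        - item.protocol is defined

    # Native module args: rich rules typically contain spaces and quotes, which
    # the key=value form had to protect with an extra layer of quoting.
    - name: Save the rich_rules firewalld rules that need to be permanent
      firewalld:
        rich_rule: "{{ item.rich_rule }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent | default(false) }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_rules | default([]) }}"
      when: item.rich_rule is defined
      notify: Reload firewall config

    # Runtime passthrough rules are handed straight to iptables/ebtables and
    # cannot be queried back, so a marker file under /etc/firewalld records
    # that a rule was applied. The marker is created only after firewall-cmd
    # succeeds (&&), so a failed rule is retried on the next run instead of
    # being masked by a marker that was touched first.
    # item.action is a raw iptables argument list interpolated into a shell
    # command line without quoting: firewalld_direct_rules must only ever come
    # from trusted inventory/vars.
    - name: Enable the firewall-cmd direct passthrough rules
      shell: >-
        firewall-cmd --direct --passthrough {{ item.action }}
        && touch /etc/firewalld/.{{ item.label }}
      args:
        creates: "/etc/firewalld/.{{ item.label }}"
      with_items: "{{ firewalld_direct_rules | default([]) }}"
      when:
        - item.action is defined
        - item.label is defined

    # Idempotent: the permanent passthrough is only added when the query says it
    # is not there yet. --query-passthrough prints yes/no; the add prints
    # "success", which is what changed_when keys on.
    - name: Set the firewall-cmd direct passthrough rules as permanent ones
      shell: >-
        firewall-cmd --permanent --direct --query-passthrough {{ item.action }}
        || firewall-cmd --permanent --direct --passthrough {{ item.action }}
      register: firewalld_passthrough_permanent
      changed_when: "'success' in firewalld_passthrough_permanent.stdout"
      with_items: "{{ firewalld_direct_rules | default([]) }}"
      when: item.action is defined

    # Each item must carry zone, permanent and state; no defaults here.
    - name: Manage the custom services firewalld rules.
      firewalld:
        service: "{{ item.name }}"
        zone: "{{ item.zone }}"
        permanent: "{{ item.permanent }}"
        state: "{{ item.state }}"
        immediate: true
      with_items: "{{ firewalld_new_services | default([]) }}"
      when: item.name is defined
      notify: Reload firewall config

    # Last one to not take ourselves out: switching the default zone moves every
    # interface not explicitly assigned above, so it happens only once ssh,
    # sources and interfaces are in place. The current zone is read first so
    # the set command (which would otherwise always report "changed") runs
    # only when the zone actually differs.
    - name: Get the current firewalld default zone
      command: firewall-cmd --get-default-zone
      register: firewalld_current_default_zone
      changed_when: false

    - name: Set the firewalld default zone.
      command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
      when: (firewalld_current_default_zone.stdout | default('')) != firewalld_default_zone

  tags: ['iptables', 'firewall', 'firewalld']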