
firewalld: Support policy objects #284

Open
klausenbusk opened this issue Oct 27, 2021 · 4 comments
Labels
feature This issue/PR relates to a feature request. firewalld synchronize Issue and PR for firewalld module waiting_on_contributor Needs help. Feel free to engage to get things unblocked

Comments

@klausenbusk

SUMMARY

Firewalld supports "Policy Objects" since v0.9.0:

With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones. A subset of that functionality was available by using the direct interface and writing your own iptables rules, but it wasn’t a great user experience.

What is needed is a way to apply a policy for traffic flowing between zones. Then the user can attach firewalld’s primitives: services, ports, rich rules, etc. to the policy. The end result is something that provides a very similar user interface to zones, but is much more powerful.

Source: https://firewalld.org/2020/09/policy-objects-introduction

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

firewalld

ADDITIONAL INFORMATION

Two informative blog posts:

Our use-case is similar to the latter blog post (traffic between virtual machines and Wireguard tunnels).

```yaml
- name: create foo policy
  firewalld: policy=foo permanent=yes state=present
  register: result

- name: reload firewalld
  service: name=firewalld state=reloaded
  when: result.changed

- name: set ingress zone for the foo policy
  firewalld: policy=foo ingress_zone=public permanent=yes immediate=yes state=enabled

- name: set egress zone for the foo policy
  firewalld: policy=foo egress_zone=public permanent=yes immediate=yes state=enabled
```

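For readers who want to see what those proposed tasks would have to do on the host, here is the underlying firewall-cmd sequence for a policy object: create it in the permanent configuration, attach an ingress and an egress zone, set its target, allow a service, and reload. This is an added example, not code from the issue or from the ansible.posix firewalld module; the `run` and `create_policy` function names and the `DRY_RUN` switch are conventions of this example only, and the policy name, zones and service are constructed sample values. It requires firewalld 0.9.0 or later.

```shell
#!/bin/sh
# Added example: firewall-cmd calls behind a firewalld policy object.
# With DRY_RUN=1 the commands are printed instead of executed, so the
# sequence can be reviewed (or diffed in CI) before it touches a host.

# run CMD...: execute CMD, or print it when DRY_RUN=1 (example-only helper).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_policy NAME INGRESS_ZONE EGRESS_ZONE TARGET [SERVICE...]
# INGRESS_ZONE/EGRESS_ZONE: a zone name or the special names HOST and ANY.
# TARGET: one of CONTINUE, ACCEPT, DROP, REJECT (firewalld policy targets).
create_policy() {
    name=$1; ingress=$2; egress=$3; target=$4
    shift 4
    # Policies exist only in the permanent configuration; --reload applies them.
    run firewall-cmd --permanent --new-policy "$name"
    run firewall-cmd --permanent --policy "$name" --add-ingress-zone "$ingress"
    run firewall-cmd --permanent --policy "$name" --add-egress-zone "$egress"
    run firewall-cmd --permanent --policy "$name" --set-target "$target"
    # Allow only what is listed; with target CONTINUE everything else falls
    # through to the zones, so the policy cannot silently open the path.
    for svc in "$@"; do
        run firewall-cmd --permanent --policy "$name" --add-service "$svc"
    done
    run firewall-cmd --reload
}

# Demonstration: print the sequence for the policy sketched in the issue
# (ingress and egress zone both "public") without applying anything.
DRY_RUN=1 create_policy foo public public CONTINUE ssh
```

The `--reload` at the end is the step the proposed `reload firewalld` task performs; permanent policy changes are not live until then. Choosing `CONTINUE` as the target keeps the zone rules in force for traffic the policy does not explicitly allow, whereas `ACCEPT` would forward everything between the two zones, so a policy with `ACCEPT` needs the same scrutiny as a zone with that target.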
@saito-hideki
Collaborator

Hi @klausenbusk
Thank you for reporting this feature request!

@saito-hideki saito-hideki added feature This issue/PR relates to a feature request. waiting_on_contributor Needs help. Feel free to engage to get things unblocked labels Nov 1, 2021
@benblasco

I don't have the development skills for this feature, but would be very happy to contribute to the documentation. If anybody wants to collaborate on this, please let me know!

@ziegenberg
Contributor

Hi @vrindle, almost a year ago you announced in #249 (comment) replacing the Ansible Posix Firewalld module with the current module in the Firewalld system role. Is this going to happen? I'm looking forward to implementing a fix for this issue, but I would not want to code stuff that is going out the window soon.

Both the current module in the Firewalld system role and the Ansible Posix Firewalld module are missing support for policy objects at the moment.

@ziegenberg
Contributor

ziegenberg commented Aug 3, 2022

There are also a couple of open PRs (#160, #249, #320) regarding the firewall module. Are they going to be merged soon?

@saito-hideki saito-hideki added the firewalld synchronize Issue and PR for firewalld module label Dec 3, 2024
Projects
None yet
Development

No branches or pull requests

4 participants