<!DOCTYPE html>
<!--
==============================================================================
"GitHub HTML5 Pandoc Template" v2.2 — by Tristano Ajmone
==============================================================================
Copyright © Tristano Ajmone, 2017-2020, MIT License (MIT). Project's home:
- https://github.com/tajmone/pandoc-goodies
The CSS in this template reuses source code taken from the following projects:
- GitHub Markdown CSS: Copyright © Sindre Sorhus, MIT License (MIT):
https://github.com/sindresorhus/github-markdown-css
- Primer CSS: Copyright © 2016-2017 GitHub Inc., MIT License (MIT):
http://primercss.io/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MIT License
Copyright (c) Tristano Ajmone, 2017-2020 (github.com/tajmone/pandoc-goodies)
Copyright (c) Sindre Sorhus <[email protected]> (sindresorhus.com)
Copyright (c) 2017 GitHub Inc.
"GitHub Pandoc HTML5 Template" is Copyright (c) Tristano Ajmone, 2017-2020,
released under the MIT License (MIT); it contains readaptations of substantial
portions of the following third party softwares:
(1) "GitHub Markdown CSS", Copyright (c) Sindre Sorhus, MIT License (MIT).
(2) "Primer CSS", Copyright (c) 2016 GitHub Inc., MIT License (MIT).
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
==============================================================================-->
<html>
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>firewall</title>
<style type="text/css">
@charset "UTF-8";.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;color:#24292e;font-family:-apple-system,system-ui,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;line-height:1.5;word-wrap:break-word;box-sizing:border-box;min-width:200px;margin:0 auto;padding:45px}.markdown-body a{color:#0366d6;background-color:transparent;text-decoration:none;-webkit-text-decoration-skip:objects}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body a:hover{text-decoration:underline}.markdown-body a:not([href]){color:inherit;text-decoration:none}.markdown-body strong{font-weight:600}.markdown-body h1,.markdown-body h2,.markdown-body h3,.markdown-body h4,.markdown-body h5,.markdown-body h6{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h1{font-size:2em;margin:.67em 0;padding-bottom:.3em;border-bottom:1px solid #eaecef}.markdown-body h2{padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid #eaecef}.markdown-body h3{font-size:1.25em}.markdown-body h4{font-size:1em}.markdown-body h5{font-size:.875em}.markdown-body h6{font-size:.85em;color:#6a737d}.markdown-body img{border-style:none}.markdown-body svg:not(:root){overflow:hidden}.markdown-body hr{box-sizing:content-box;height:.25em;margin:24px 0;padding:0;overflow:hidden;background-color:#e1e4e8;border:0}.markdown-body hr::before{display:table;content:""}.markdown-body hr::after{display:table;clear:both;content:""}.markdown-body input{margin:0;overflow:visible;font:inherit;font-family:inherit;font-size:inherit;line-height:inherit}.markdown-body [type=checkbox]{box-sizing:border-box;padding:0}.markdown-body *{box-sizing:border-box}.markdown-body blockquote{margin:0}.markdown-body ol,.markdown-body ul{padding-left:2em}.markdown-body ol ol,.markdown-body ul ol{list-style-type:lower-roman}.markdown-body ol ol,.markdown-body ol ul,.markdown-body ul ol,.markdown-body ul 
ul{margin-top:0;margin-bottom:0}.markdown-body ol ol ol,.markdown-body ol ul ol,.markdown-body ul ol ol,.markdown-body ul ul ol{list-style-type:lower-alpha}.markdown-body li>p{margin-top:16px}.markdown-body li+li{margin-top:.25em}.markdown-body dd{margin-left:0}.markdown-body dl{padding:0}.markdown-body dl dt{padding:0;margin-top:16px;font-size:1em;font-style:italic;font-weight:600}.markdown-body dl dd{padding:0 16px;margin-bottom:16px}.markdown-body code{font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace}.markdown-body pre{font:12px SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;word-wrap:normal}.markdown-body blockquote,.markdown-body dl,.markdown-body ol,.markdown-body p,.markdown-body pre,.markdown-body table,.markdown-body ul{margin-top:0;margin-bottom:16px}.markdown-body blockquote{padding:0 1em;color:#6a737d;border-left:.25em solid #dfe2e5}.markdown-body blockquote>:first-child{margin-top:0}.markdown-body blockquote>:last-child{margin-bottom:0}.markdown-body table{display:block;width:100%;overflow:auto;border-spacing:0;border-collapse:collapse}.markdown-body table th{font-weight:600}.markdown-body table td,.markdown-body table th{padding:6px 13px;border:1px solid #dfe2e5}.markdown-body table tr{background-color:#fff;border-top:1px solid #c6cbd1}.markdown-body table tr:nth-child(2n){background-color:#f6f8fa}.markdown-body img{max-width:100%;box-sizing:content-box;background-color:#fff}.markdown-body code{padding:.2em 0;margin:0;font-size:85%;background-color:rgba(27,31,35,.05);border-radius:3px}.markdown-body code::after,.markdown-body code::before{letter-spacing:-.2em;content:" "}.markdown-body pre>code{padding:0;margin:0;font-size:100%;word-break:normal;white-space:pre;background:0 0;border:0}.markdown-body .highlight{margin-bottom:16px}.markdown-body .highlight pre{margin-bottom:0;word-break:normal}.markdown-body .highlight pre,.markdown-body 
pre{padding:16px;overflow:auto;font-size:85%;line-height:1.45;background-color:#f6f8fa;border-radius:3px}.markdown-body pre code{display:inline;max-width:auto;padding:0;margin:0;overflow:visible;line-height:inherit;word-wrap:normal;background-color:transparent;border:0}.markdown-body pre code::after,.markdown-body pre code::before{content:normal}.markdown-body .full-commit .btn-outline:not(:disabled):hover{color:#005cc5;border-color:#005cc5}.markdown-body kbd{box-shadow:inset 0 -1px 0 #959da5;display:inline-block;padding:3px 5px;font:11px/10px SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;color:#444d56;vertical-align:middle;background-color:#fcfcfc;border:1px solid #c6cbd1;border-bottom-color:#959da5;border-radius:3px;box-shadow:inset 0 -1px 0 #959da5}.markdown-body :checked+.radio-label{position:relative;z-index:1;border-color:#0366d6}.markdown-body .task-list-item{list-style-type:none}.markdown-body .task-list-item+.task-list-item{margin-top:3px}.markdown-body .task-list-item input{margin:0 .2em .25em -1.6em;vertical-align:middle}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>:first-child{margin-top:0!important}.markdown-body>:last-child{margin-bottom:0!important}.Alert,.Error,.Note,.Success,.Warning{padding:11px;margin-bottom:24px;border-style:solid;border-width:1px;border-radius:4px}.Alert p,.Error p,.Note p,.Success p,.Warning p{margin-top:0}.Alert p:last-child,.Error p:last-child,.Note p:last-child,.Success p:last-child,.Warning p:last-child{margin-bottom:0}.Alert{color:#246;background-color:#e2eef9;border-color:#bac6d3}.Warning{color:#4c4a42;background-color:#fff9ea;border-color:#dfd8c2}.Error{color:#911;background-color:#fcdede;border-color:#d2b2b2}.Success{color:#22662c;background-color:#e2f9e5;border-color:#bad3be}.Note{color:#2f363d;background-color:#f6f8fa;border-color:#d5d8da}.Alert h1,.Alert h2,.Alert h3,.Alert h4,.Alert h5,.Alert 
h6{color:#246;margin-bottom:0}.Warning h1,.Warning h2,.Warning h3,.Warning h4,.Warning h5,.Warning h6{color:#4c4a42;margin-bottom:0}.Error h1,.Error h2,.Error h3,.Error h4,.Error h5,.Error h6{color:#911;margin-bottom:0}.Success h1,.Success h2,.Success h3,.Success h4,.Success h5,.Success h6{color:#22662c;margin-bottom:0}.Note h1,.Note h2,.Note h3,.Note h4,.Note h5,.Note h6{color:#2f363d;margin-bottom:0}.Alert h1:first-child,.Alert h2:first-child,.Alert h3:first-child,.Alert h4:first-child,.Alert h5:first-child,.Alert h6:first-child,.Error h1:first-child,.Error h2:first-child,.Error h3:first-child,.Error h4:first-child,.Error h5:first-child,.Error h6:first-child,.Note h1:first-child,.Note h2:first-child,.Note h3:first-child,.Note h4:first-child,.Note h5:first-child,.Note h6:first-child,.Success h1:first-child,.Success h2:first-child,.Success h3:first-child,.Success h4:first-child,.Success h5:first-child,.Success h6:first-child,.Warning h1:first-child,.Warning h2:first-child,.Warning h3:first-child,.Warning h4:first-child,.Warning h5:first-child,.Warning h6:first-child{margin-top:0}h1.title,p.subtitle{text-align:center}h1.title.followed-by-subtitle{margin-bottom:0}p.subtitle{font-size:1.5em;font-weight:600;line-height:1.25;margin-top:0;margin-bottom:16px;padding-bottom:.3em}div.line-block{white-space:pre-line}
</style>
<style type="text/css">code{white-space: pre;}</style>
<style type="text/css">
pre > code.sourceCode { white-space: pre; position: relative; }
pre > code.sourceCode > span { line-height: 1.25; }
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
div.sourceCode { margin: 1em 0; }
pre.sourceCode { margin: 0; }
@media screen {
div.sourceCode { overflow: auto; }
}
@media print {
pre > code.sourceCode { white-space: pre-wrap; }
pre > code.sourceCode > span { display: inline-block; text-indent: -5em; padding-left: 5em; }
}
pre.numberSource code
{ counter-reset: source-line 0; }
pre.numberSource code > span
{ position: relative; left: -4em; counter-increment: source-line; }
pre.numberSource code > span > a:first-child::before
{ content: counter(source-line);
position: relative; left: -1em; text-align: right; vertical-align: baseline;
border: none; display: inline-block;
-webkit-touch-callout: none; -webkit-user-select: none;
-khtml-user-select: none; -moz-user-select: none;
-ms-user-select: none; user-select: none;
padding: 0 4px; width: 4em;
color: #aaaaaa;
}
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
div.sourceCode
{ }
@media screen {
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
}
code span.al { color: #ff0000; font-weight: bold; } /* Alert */
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code span.at { color: #7d9029; } /* Attribute */
code span.bn { color: #40a070; } /* BaseN */
code span.bu { color: #008000; } /* BuiltIn */
code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code span.ch { color: #4070a0; } /* Char */
code span.cn { color: #880000; } /* Constant */
code span.co { color: #60a0b0; font-style: italic; } /* Comment */
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code span.do { color: #ba2121; font-style: italic; } /* Documentation */
code span.dt { color: #902000; } /* DataType */
code span.dv { color: #40a070; } /* DecVal */
code span.er { color: #ff0000; font-weight: bold; } /* Error */
code span.ex { } /* Extension */
code span.fl { color: #40a070; } /* Float */
code span.fu { color: #06287e; } /* Function */
code span.im { color: #008000; font-weight: bold; } /* Import */
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
code span.kw { color: #007020; font-weight: bold; } /* Keyword */
code span.op { color: #666666; } /* Operator */
code span.ot { color: #007020; } /* Other */
code span.pp { color: #bc7a00; } /* Preprocessor */
code span.sc { color: #4070a0; } /* SpecialChar */
code span.ss { color: #bb6688; } /* SpecialString */
code span.st { color: #4070a0; } /* String */
code span.va { color: #19177c; } /* Variable */
code span.vs { color: #4070a0; } /* VerbatimString */
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
</style>
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
</head>
<body>
<article class="markdown-body">
<header>
<h1 class="title">firewall</h1>
</header>
<hr>
<nav id="TOC">
<h1 class="toc-title">Contents</h1>
<ul>
<li><a href="#supported-distributions"
id="toc-supported-distributions">Supported Distributions</a></li>
<li><a href="#requirements" id="toc-requirements">Requirements</a>
<ul>
<li><a href="#collection-requirements"
id="toc-collection-requirements">Collection requirements</a></li>
</ul></li>
<li><a href="#limitations" id="toc-limitations">Limitations</a>
<ul>
<li><a href="#configuration-over-network"
id="toc-configuration-over-network">Configuration over Network</a></li>
<li><a href="#the-error-case" id="toc-the-error-case">The Error
Case</a></li>
</ul></li>
<li><a href="#gathering-firewall-ansible-facts"
id="toc-gathering-firewall-ansible-facts">Gathering firewall ansible
facts</a>
<ul>
<li><a href="#available-ansible-facts"
id="toc-available-ansible-facts">Available ansible facts</a>
<ul>
<li><a href="#firewall_config"
id="toc-firewall_config">firewall_config</a></li>
<li><a href="#default" id="toc-default">default</a></li>
<li><a href="#custom" id="toc-custom">custom</a></li>
</ul></li>
</ul></li>
<li><a href="#variables" id="toc-variables">Variables</a>
<ul>
<li><a href="#firewall_disable_conflicting_services"
id="toc-firewall_disable_conflicting_services">firewall_disable_conflicting_services</a></li>
<li><a href="#firewall-1" id="toc-firewall-1">firewall</a>
<ul>
<li><a href="#firewalld_conf"
id="toc-firewalld_conf">firewalld_conf</a></li>
<li><a href="#supported-directives"
id="toc-supported-directives">Supported Directives</a></li>
</ul></li>
<li><a href="#set_default_zone"
id="toc-set_default_zone">set_default_zone</a></li>
<li><a href="#zone" id="toc-zone">zone</a></li>
<li><a href="#service" id="toc-service">service</a>
<ul>
<li><a href="#user-defined-services"
id="toc-user-defined-services">User-defined services</a></li>
</ul></li>
<li><a href="#ipset" id="toc-ipset">ipset</a></li>
<li><a href="#port" id="toc-port">port</a></li>
<li><a href="#ipset_type" id="toc-ipset_type">ipset_type</a></li>
<li><a href="#ipset_entries"
id="toc-ipset_entries">ipset_entries</a></li>
<li><a href="#source_port" id="toc-source_port">source_port</a></li>
<li><a href="#forward_port" id="toc-forward_port">forward_port</a></li>
<li><a href="#masquerade" id="toc-masquerade">masquerade</a></li>
<li><a href="#rich_rule" id="toc-rich_rule">rich_rule</a></li>
<li><a href="#source" id="toc-source">source</a></li>
<li><a href="#interface" id="toc-interface">interface</a></li>
<li><a href="#interface_pci_id"
id="toc-interface_pci_id">interface_pci_id</a></li>
<li><a href="#icmp_block" id="toc-icmp_block">icmp_block</a></li>
<li><a href="#icmp_block_inversion"
id="toc-icmp_block_inversion">icmp_block_inversion</a></li>
<li><a href="#target" id="toc-target">target</a></li>
<li><a href="#short" id="toc-short">short</a></li>
<li><a href="#description" id="toc-description">description</a></li>
<li><a href="#destination" id="toc-destination">destination</a></li>
<li><a href="#helper_module"
id="toc-helper_module">helper_module</a></li>
<li><a href="#timeout" id="toc-timeout">timeout</a></li>
<li><a href="#state" id="toc-state">state</a></li>
<li><a href="#runtime" id="toc-runtime">runtime</a></li>
<li><a href="#permanent" id="toc-permanent">permanent</a></li>
<li><a href="#previous" id="toc-previous">previous</a></li>
<li><a href="#firewall_transactional_update_reboot_ok"
id="toc-firewall_transactional_update_reboot_ok">firewall_transactional_update_reboot_ok</a></li>
</ul></li>
<li><a href="#examples-of-options" id="toc-examples-of-options">Examples
of Options</a></li>
<li><a href="#example-playbooks" id="toc-example-playbooks">Example
Playbooks</a></li>
<li><a href="#rpm-ostree" id="toc-rpm-ostree">rpm-ostree</a></li>
<li><a href="#authors" id="toc-authors">Authors</a></li>
<li><a href="#license" id="toc-license">License</a></li>
</ul>
</nav>
<hr>
<p>This role configures the firewall on machines that are using
firewalld. If firewalld is not in use, the role will install (if not
already installed), unmask, and enable firewalld.</p>
<p>The role can also attempt to disable known conflicting services.</p>
<p>For the configuration, the role uses the firewalld client interface,
which is available in RHEL-7 and later.</p>
<h1 id="supported-distributions">Supported Distributions</h1>
<ul>
<li>RHEL-7+, CentOS-7+</li>
<li>Fedora</li>
</ul>
<h1 id="requirements">Requirements</h1>
<p>See below</p>
<h2 id="collection-requirements">Collection requirements</h2>
<p>The role requires external collections only for management of
<code>rpm-ostree</code> nodes. Please run the following command to
install them if you need to manage <code>rpm-ostree</code> nodes:</p>
<div class="sourceCode" id="cb1"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">ansible-galaxy</span> collection install <span class="at">-vv</span> <span class="at">-r</span> meta/collection-requirements.yml</span></code></pre></div>
<h1 id="limitations">Limitations</h1>
<h2 id="configuration-over-network">Configuration over Network</h2>
<p>A firewall configuration can cut off network access to the managed
node. Make sure that the SSH port used by the Ansible control node
remains reachable after the configuration is applied.</p>
<h2 id="the-error-case">The Error Case</h2>
<p>WARNING: If applying the configuration fails, or if the resulting
firewall configuration blocks remote access to the machine, you will
most likely need physical (or out-of-band console) access to the machine
to fix the issue.</p>
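<p>As an added example (not part of the original README), the following playbook works around the two limitations above: it allows SSH from the network the Ansible control node connects from, adds that rule before it removes the blanket <code>ssh</code> service from the zone, and then checks from the control node that the SSH port is still reachable, so a lockout is detected in the same run instead of when the next play hangs. The network <code>192.0.2.0/24</code>, the <code>public</code> zone, the role name <code>linux-system-roles.firewall</code> and the host group are assumptions; adjust them to your environment.</p>

```yaml
# Added example: restrict SSH to the control network without locking
# the Ansible control node out.  The values under vars are assumptions.
- name: Restrict SSH to the control network while keeping Ansible access
  hosts: all
  become: true
  vars:
    # Assumption: the control node reaches managed nodes from this network.
    # For an IPv6 network use family="ipv6" in the rich rule below.
    control_net: 192.0.2.0/24
    firewall:
      # 1. Allow SSH from the control network first.  Items are applied in
      #    order, so the allow rule is in place before anything is removed.
      #    Assumes the managed node's interface is in the public zone and
      #    sshd listens on the standard port of the firewalld "ssh" service;
      #    for a non-standard port use port port="2222" protocol="tcp"
      #    instead of service name="ssh".
      - rich_rule: 'rule family="ipv4" source address="{{ control_net }}" service name="ssh" accept'
        zone: public
        state: enabled
        permanent: true
        runtime: true
      # 2. Only now drop the blanket ssh allow from the public zone.
      - service: ssh
        zone: public
        state: disabled
        permanent: true
        runtime: true
  roles:
    - linux-system-roles.firewall
  post_tasks:
    # Check from the control node, not from the managed node: if this
    # fails the firewall just closed the door, and physical access will
    # be needed (see "The Error Case" above).
    - name: Verify the SSH port is still reachable from the control node
      ansible.builtin.wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ ansible_port | default(22) }}"
        timeout: 10
      delegate_to: localhost
      become: false
```

<p>Both items are applied to the runtime and the permanent configuration, so the check exercises the same rules that will be active after the next reload or reboot.</p>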
<h1 id="gathering-firewall-ansible-facts">Gathering firewall ansible
facts</h1>
<p>To gather the firewall system role's ansible facts, call the system
role with no arguments, e.g.</p>
<div class="sourceCode" id="cb2"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span></code></pre></div>
<p>Another option is to gather a more detailed version of the ansible
facts by using the <code>detailed</code> argument, e.g.</p>
<div class="sourceCode" id="cb3"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">detailed</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p><strong>WARNING</strong>: <code>firewall_config</code> uses
considerably more memory (about 165KB more) when <code>detailed:
true</code> is set. For reference, by default <code>firewall_config</code>
takes about 3KB when converted to a string.</p>
<h2 id="available-ansible-facts">Available ansible facts</h2>
<h3 id="firewall_config">firewall_config</h3>
<p>This ansible fact shows the permanent configuration of firewalld on
the managed node as a dictionary. The top level of the fact is made up
of three keys:</p>
<ul>
<li><code>default</code></li>
<li><code>custom</code></li>
<li><code>default_zone</code></li>
</ul>
<p>The <code>custom</code> and <code>default</code> dictionaries each have the keys:</p>
<ul>
<li><code>zones</code></li>
<li><code>services</code></li>
<li><code>icmptypes</code></li>
<li><code>helpers</code></li>
<li><code>ipsets</code></li>
<li><code>policies</code> (if supported by remote host's firewalld
installation)</li>
</ul>
<p>Each key holds the elements present in the permanent configuration
for that setting.</p>
<p><code>custom</code> will have a list of subdictionaries for each key,
providing a more detailed description.</p>
<p><code>default</code> will have only the names of each setting, unless
the detailed option is supplied, in which case it will be structured in
the same manner as custom.</p>
<p><code>default_zone</code> contains the configured default zone for
the managed node's firewalld installation. It is a string value.</p>
<p>JSON representation of the structure of the <code>firewall_config</code> fact:</p>
<div class="sourceCode" id="cb4"><pre
class="sourceCode json"><code class="sourceCode json"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="fu">{</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a> <span class="dt">"default"</span><span class="fu">:</span> <span class="fu">{</span><span class="er">...</span><span class="fu">},</span></span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a> <span class="dt">"custom"</span><span class="fu">:</span> <span class="fu">{</span><span class="er">...</span><span class="fu">},</span></span>
<span id="cb4-4"><a href="#cb4-4" aria-hidden="true" tabindex="-1"></a> <span class="dt">"default_zone"</span><span class="fu">:</span> <span class="st">"public"</span><span class="fu">,</span></span>
<span id="cb4-5"><a href="#cb4-5" aria-hidden="true" tabindex="-1"></a><span class="fu">}</span></span></code></pre></div>
<h3 id="default">default</h3>
<p>The <code>default</code> subdictionary of <code>firewall_config</code>
contains the configuration shipped with the managed node's firewalld
installation. It changes only when that installation itself changes.</p>
<p><code>default</code> when <code>detailed</code> is not set to true:</p>
<div class="sourceCode" id="cb5"><pre
class="sourceCode json"><code class="sourceCode json"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="er">"default":</span> <span class="fu">{</span></span>
<span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a> <span class="dt">"zones"</span><span class="fu">:</span> <span class="ot">[</span><span class="st">"public"</span><span class="ot">,</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-3"><a href="#cb5-3" aria-hidden="true" tabindex="-1"></a> <span class="dt">"services"</span><span class="fu">:</span> <span class="ot">[</span><span class="st">"amanda_client"</span><span class="ot">,</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-4"><a href="#cb5-4" aria-hidden="true" tabindex="-1"></a> <span class="dt">"icmptypes"</span><span class="fu">:</span> <span class="ot">[</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-5"><a href="#cb5-5" aria-hidden="true" tabindex="-1"></a> <span class="dt">"helpers"</span><span class="fu">:</span> <span class="ot">[</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-6"><a href="#cb5-6" aria-hidden="true" tabindex="-1"></a> <span class="dt">"ipsets"</span><span class="fu">:</span> <span class="ot">[</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-7"><a href="#cb5-7" aria-hidden="true" tabindex="-1"></a> <span class="dt">"policies"</span><span class="fu">:</span> <span class="ot">[</span><span class="er">...</span><span class="ot">]</span><span class="fu">,</span></span>
<span id="cb5-8"><a href="#cb5-8" aria-hidden="true" tabindex="-1"></a><span class="fu">}</span></span></code></pre></div>
<p><code>default</code> when <code>detailed</code> is set to true:</p>
<div class="sourceCode" id="cb6"><pre
class="sourceCode json"><code class="sourceCode json"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="er">"default":</span> <span class="fu">{</span></span>
<span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a> <span class="dt">"zones"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a> <span class="dt">"public"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-7"><a href="#cb6-7" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-8"><a href="#cb6-8" aria-hidden="true" tabindex="-1"></a> <span class="dt">"services"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-9"><a href="#cb6-9" aria-hidden="true" tabindex="-1"></a> <span class="dt">"amanda_client"</span><span class="fu">:{</span></span>
<span id="cb6-10"><a href="#cb6-10" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-11"><a href="#cb6-11" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-12"><a href="#cb6-12" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-13"><a href="#cb6-13" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-14"><a href="#cb6-14" aria-hidden="true" tabindex="-1"></a> <span class="dt">"icmptypes"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-15"><a href="#cb6-15" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-16"><a href="#cb6-16" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-17"><a href="#cb6-17" aria-hidden="true" tabindex="-1"></a> <span class="dt">"helpers"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-18"><a href="#cb6-18" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-19"><a href="#cb6-19" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-20"><a href="#cb6-20" aria-hidden="true" tabindex="-1"></a> <span class="dt">"ipsets"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-21"><a href="#cb6-21" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-22"><a href="#cb6-22" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-23"><a href="#cb6-23" aria-hidden="true" tabindex="-1"></a> <span class="dt">"policies"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb6-24"><a href="#cb6-24" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb6-25"><a href="#cb6-25" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb6-26"><a href="#cb6-26" aria-hidden="true" tabindex="-1"></a><span class="fu">}</span></span></code></pre></div>
<h3 id="custom">custom</h3>
<p>The custom subdictionary contains every difference from the default
firewalld configuration. It includes a full copy of any default element
that has been modified in any way, plus any new elements added beyond the
defaults.</p>
<p>This subdictionary will be modified by any changes to the firewalld
installation done locally or remotely via the firewall system role.</p>
<p>If the managed node's firewalld settings do not differ from the
defaults, the custom key and its subdictionary will not be present in
firewall_config. Likewise, any individual firewalld setting that is
unchanged from the default has no key-value pair under custom.</p>
<p>Below is the state of the custom subdictionary where at least one
permanent change was made to each setting:</p>
<div class="sourceCode" id="cb7"><pre
class="sourceCode json"><code class="sourceCode json"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="er">"custom":</span> <span class="fu">{</span></span>
<span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a> <span class="dt">"zones"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a> <span class="dt">"custom_zone"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-6"><a href="#cb7-6" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-7"><a href="#cb7-7" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-8"><a href="#cb7-8" aria-hidden="true" tabindex="-1"></a> <span class="dt">"services"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-9"><a href="#cb7-9" aria-hidden="true" tabindex="-1"></a> <span class="dt">"custom_service"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-10"><a href="#cb7-10" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-11"><a href="#cb7-11" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-12"><a href="#cb7-12" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-13"><a href="#cb7-13" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-14"><a href="#cb7-14" aria-hidden="true" tabindex="-1"></a> <span class="dt">"icmptypes"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-15"><a href="#cb7-15" aria-hidden="true" tabindex="-1"></a> <span class="dt">"custom"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-16"><a href="#cb7-16" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-17"><a href="#cb7-17" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-18"><a href="#cb7-18" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-19"><a href="#cb7-19" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-20"><a href="#cb7-20" aria-hidden="true" tabindex="-1"></a> <span class="dt">"helpers"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-21"><a href="#cb7-21" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-22"><a href="#cb7-22" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-23"><a href="#cb7-23" aria-hidden="true" tabindex="-1"></a> <span class="dt">"ipsets"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-24"><a href="#cb7-24" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-25"><a href="#cb7-25" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-26"><a href="#cb7-26" aria-hidden="true" tabindex="-1"></a> <span class="dt">"policies"</span><span class="fu">:</span> <span class="fu">{</span></span>
<span id="cb7-27"><a href="#cb7-27" aria-hidden="true" tabindex="-1"></a> <span class="er">...</span></span>
<span id="cb7-28"><a href="#cb7-28" aria-hidden="true" tabindex="-1"></a> <span class="fu">},</span></span>
<span id="cb7-29"><a href="#cb7-29" aria-hidden="true" tabindex="-1"></a><span class="fu">}</span></span></code></pre></div>
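<p>As an added illustration (not code from the firewall role or from firewalld), the following Python snippet derives a <code>custom</code> subdictionary from a default and a current configuration by the rules described above: a modified default element is repeated in full, a new element is included, an unchanged element or category is omitted, and <code>custom</code> is left out of the result entirely when nothing differs. The sample zones and services are constructed for the example and are not real firewalld defaults.</p>

```python
"""Added example, not part of the linux-system-roles/firewall role: derive the
"custom" subdictionary of firewall_config from a default and a current
firewalld configuration. Sample data below is constructed, not real defaults."""
import json

# Top-level categories that appear under "default" and "custom" in the README.
CATEGORIES = ("zones", "services", "icmptypes", "helpers", "ipsets", "policies")


def compute_custom(default: dict, current: dict) -> dict:
    """Return only the elements of `current` that differ from `default`.

    - an element present in both but changed in any way is repeated in full
    - an element that exists only in `current` is included as a new element
    - a category with no differences produces no key at all
    An empty result means the "custom" key would be absent from firewall_config.
    """
    custom = {}
    for category in CATEGORIES:
        default_elems = default.get(category, {})
        current_elems = current.get(category, {})
        changed = {
            name: element
            for name, element in current_elems.items()
            if name not in default_elems or default_elems[name] != element
        }
        if changed:
            custom[category] = changed
    return custom


def build_firewall_config(default: dict, current: dict) -> dict:
    """Assemble a firewall_config-style dict; "custom" is present only when
    at least one element differs from the defaults."""
    config = {"default": default}
    custom = compute_custom(default, current)
    if custom:
        config["custom"] = custom
    return config


# Constructed sample data (assumption: shape only, not real firewalld defaults).
DEFAULT_CONFIG = {
    "zones": {
        "public": {"target": "default", "services": ["ssh", "dhcpv6-client"]},
        "trusted": {"target": "ACCEPT", "services": []},
    },
    "services": {
        "ssh": {"ports": ["22/tcp"]},
        "http": {"ports": ["80/tcp"]},
    },
    "ipsets": {},
}

CURRENT_CONFIG = {
    "zones": {
        # modified default element: http was added to the public zone
        "public": {"target": "default", "services": ["ssh", "dhcpv6-client", "http"]},
        # unchanged default element: will not appear under custom
        "trusted": {"target": "ACCEPT", "services": []},
        # new element introduced in addition to the defaults
        "custom_zone": {"target": "DROP", "services": []},
    },
    "services": {
        "ssh": {"ports": ["22/tcp"]},
        "http": {"ports": ["80/tcp"]},
    },
    "ipsets": {},
}

if __name__ == "__main__":
    # Only "zones" shows up: "public" (modified) and "custom_zone" (new).
    print(json.dumps(build_firewall_config(DEFAULT_CONFIG, CURRENT_CONFIG)["custom"], indent=2))
```

<p>Comparing a node's reported configuration against the defaults this way is a cheap drift check: anything that turns up under <code>custom</code> that the playbook did not put there deserves a look.</p>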
<h1 id="variables">Variables</h1>
<h2
id="firewall_disable_conflicting_services">firewall_disable_conflicting_services</h2>
<p>By default, the firewall role does not attempt to disable conflicting
services due to the overhead associated with enumerating the services
when disabling services is potentially unnecessary. To enable this
feature, set the variable
<code>firewall_disable_conflicting_services</code> to
<code>true</code>:</p>
<div class="sourceCode" id="cb8"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> Enable firewalld, disable conflicting services</span></span>
<span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">include_role</span><span class="kw">:</span><span class="at"> linux-system-roles.firewall</span></span>
<span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb8-4"><a href="#cb8-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall_disable_conflicting_services</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>List of known conflicting services:</p>
<ul>
<li>iptables</li>
<li>nftables</li>
<li>ufw</li>
</ul>
<p>Please submit a GitHub issue at linux-system-roles/firewall if
services are missing from this list, or add them locally to
<code>vars/main.yml</code>.</p>
<!-- markdownlint-disable-next-line no-duplicate-header -->
<h2 id="firewall-1">firewall</h2>
<p>The firewall role uses the variable <code>firewall</code> to specify
its parameters. This variable is a <code>list</code> of
<code>dict</code> values. Each <code>dict</code> value consists of
one or more of the keys listed below. These are the variables that can be
passed to the role:</p>
<h3 id="firewalld_conf">firewalld_conf</h3>
<p><code>firewalld_conf</code> can be used to modify directives in
firewalld's configuration file (<code>/etc/firewalld/conf</code> by
default) if support for their modification has been implemented.</p>
<p><strong><code>permanent: true</code> must always be set to run this
option without error</strong></p>
<div class="sourceCode" id="cb9"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb9-1"><a href="#cb9-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb9-2"><a href="#cb9-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">firewalld_conf</span><span class="kw">:</span></span>
<span id="cb9-3"><a href="#cb9-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">allow_zone_drifting</span><span class="kw">:</span><span class="at"> </span><span class="ch">false</span></span>
<span id="cb9-4"><a href="#cb9-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h3 id="supported-directives">Supported Directives</h3>
<h4 id="allow_zone_drifting">allow_zone_drifting</h4>
<p>Changes the AllowZoneDrifting directive.</p>
<p>This parameter will do nothing if AllowZoneDrifting has been
deprecated and no longer exists.</p>
<div class="sourceCode" id="cb10"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb10-1"><a href="#cb10-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb10-2"><a href="#cb10-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">firewalld_conf</span><span class="kw">:</span></span>
<span id="cb10-3"><a href="#cb10-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">allow_zone_drifting</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb10-4"><a href="#cb10-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h2 id="set_default_zone">set_default_zone</h2>
<p>The default zone is the zone that is used for everything that is not
explicitly bound/assigned to another zone.</p>
<p>That means that if there is no zone assigned to a connection,
interface or source, only the default zone is used. The zone should
exist before setting it as the default zone.</p>
<div class="sourceCode" id="cb11"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb11-2"><a href="#cb11-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> mycustomzone</span><span class="co"> # ensure custom zone exists first</span></span>
<span id="cb11-3"><a href="#cb11-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb11-4"><a href="#cb11-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">set_default_zone</span><span class="kw">:</span><span class="at"> mycustomzone</span><span class="co"> # set custom as default</span></span>
<span id="cb11-5"><a href="#cb11-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<h2 id="zone">zone</h2>
<p>Name of the zone that should be modified. If it is not set, the
default zone will be used. It will have an effect on these variables:
<code>service</code>, <code>port</code>, <code>source_port</code>,
<code>forward_port</code>, <code>masquerade</code>,
<code>rich_rule</code>, <code>source</code>, <code>interface</code>,
<code>icmp_block</code>, <code>icmp_block_inversion</code>, and
<code>target</code>.</p>
<p>You can also use this to add/remove user-created zones. Specify the
<code>zone</code> variable with no other variables, and use
<code>state: present</code> to add the zone, or
<code>state: absent</code> to remove it.</p>
<div class="sourceCode" id="cb12"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true" tabindex="-1"></a><span class="fu">zone</span><span class="kw">:</span><span class="at"> public</span></span></code></pre></div>
<h2 id="service">service</h2>
<p>Name of a service, or a list of service names, for which inbound
access is added or removed.</p>
<div class="sourceCode" id="cb13"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="fu">service</span><span class="kw">:</span><span class="at"> ftp</span></span>
<span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a><span class="fu">service</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="at">ftp</span><span class="kw">,</span><span class="at">tftp</span><span class="kw">]</span></span></code></pre></div>
<p>If a specified service does not exist in firewalld, the module will
fail in diff mode, and when run in check mode will always report no
changes and warn the user of the potential for failure.</p>
<h3 id="user-defined-services">User-defined services</h3>
<p>You can use <code>service</code> with <code>state: present</code> to
add a service, along with any of the options <code>short</code>,
<code>description</code>, <code>port</code>, <code>source_port</code>,
<code>protocol</code>, <code>helper_module</code>, or
<code>destination</code> to initialize and add options to the service
e.g.</p>
<div class="sourceCode" id="cb14"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb14-2"><a href="#cb14-2" aria-hidden="true" tabindex="-1"></a><span class="co"> # Adds custom service named customservice,</span></span>
<span id="cb14-3"><a href="#cb14-3" aria-hidden="true" tabindex="-1"></a><span class="co"> # defines the new service's short name to be "Custom Service",</span></span>
<span id="cb14-4"><a href="#cb14-4" aria-hidden="true" tabindex="-1"></a><span class="co"> # sets its description to "Custom service for example purposes",</span></span>
<span id="cb14-5"><a href="#cb14-5" aria-hidden="true" tabindex="-1"></a><span class="co"> # and adds the port 8080/tcp</span></span>
<span id="cb14-6"><a href="#cb14-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> customservice</span></span>
<span id="cb14-7"><a href="#cb14-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">short</span><span class="kw">:</span><span class="at"> Custom Service</span></span>
<span id="cb14-8"><a href="#cb14-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">description</span><span class="kw">:</span><span class="at"> Custom service for example purposes</span></span>
<span id="cb14-9"><a href="#cb14-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 8080/tcp</span></span>
<span id="cb14-10"><a href="#cb14-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb14-11"><a href="#cb14-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>Existing services can be modified in the same way as you would create
a service. <code>short</code>, <code>description</code>, and
<code>destination</code> can be reassigned this way, while
<code>port</code>, <code>source_port</code>, <code>protocol</code>, and
<code>helper_module</code> will add the specified options if they did
not exist previously without removing any previous elements. e.g.</p>
<div class="sourceCode" id="cb15"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a><span class="co"> # changes ftp's description, and adds the port 9090/tcp if it was not previously present</span></span>
<span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> ftp</span></span>
<span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">description</span><span class="kw">:</span><span class="at"> I am modifying the builtin service ftp's description as an example</span></span>
<span id="cb15-5"><a href="#cb15-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 9090/tcp</span></span>
<span id="cb15-6"><a href="#cb15-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb15-7"><a href="#cb15-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>You can remove a <code>service</code> or specific <code>port</code>,
<code>source_port</code>, <code>protocol</code>,
<code>helper_module</code> elements (or <code>destination</code>
attributes) by using <code>service</code> with
<code>state: absent</code> with any of the removable attributes listed.
e.g.</p>
<div class="sourceCode" id="cb16"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb16-2"><a href="#cb16-2" aria-hidden="true" tabindex="-1"></a><span class="co"> # Removes the port 8080/tcp from customservice if it exists.</span></span>
<span id="cb16-3"><a href="#cb16-3" aria-hidden="true" tabindex="-1"></a><span class="co"> # DOES NOT REMOVE CUSTOM SERVICE</span></span>
<span id="cb16-4"><a href="#cb16-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> customservice</span></span>
<span id="cb16-5"><a href="#cb16-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 8080/tcp</span></span>
<span id="cb16-6"><a href="#cb16-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> absent</span></span>
<span id="cb16-7"><a href="#cb16-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb16-8"><a href="#cb16-8" aria-hidden="true" tabindex="-1"></a><span class="co"> # Removes the service named customservice if it exists</span></span>
<span id="cb16-9"><a href="#cb16-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> customservice</span></span>
<span id="cb16-10"><a href="#cb16-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> absent</span></span>
<span id="cb16-11"><a href="#cb16-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>NOTE: <code>permanent: true</code> must be specified in order to
define, modify, or remove a service. This is so that anyone using
<code>service</code> with <code>state: present/absent</code>
acknowledges that the change affects the permanent firewall configuration.
Additionally, defining services in the runtime configuration only is not
supported by firewalld.</p>
<p>For more information about custom services, see <a
href="https://firewalld.org/documentation/man-pages/firewalld.service.html">https://firewalld.org/documentation/man-pages/firewalld.service.html</a></p>
<h2 id="ipset">ipset</h2>
<p>Name of the ipset being created, modified, or removed. Use
<code>source</code> to add an ipset to, or remove it from, a zone.</p>
<p>When creating an ipset, you must also specify
<code>ipset_type</code>, and optionally <code>short</code>,
<code>description</code>, and <code>ipset_entries</code>.</p>
<p>Defining an ipset with all optional fields:</p>
<div class="sourceCode" id="cb17"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb17-2"><a href="#cb17-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb17-3"><a href="#cb17-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ipset_type</span><span class="kw">:</span><span class="at"> </span><span class="st">"hash:ip"</span></span>
<span id="cb17-4"><a href="#cb17-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">short</span><span class="kw">:</span><span class="at"> Custom IPSet</span></span>
<span id="cb17-5"><a href="#cb17-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">description</span><span class="kw">:</span><span class="at"> set of ip addresses specified in entries</span></span>
<span id="cb17-6"><a href="#cb17-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ipset_entries</span><span class="kw">:</span></span>
<span id="cb17-7"><a href="#cb17-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">1.1.1.1</span></span>
<span id="cb17-8"><a href="#cb17-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">2.2.2.2</span></span>
<span id="cb17-9"><a href="#cb17-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">3.3.3.3</span></span>
<span id="cb17-10"><a href="#cb17-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">8.8.8.8</span></span>
<span id="cb17-11"><a href="#cb17-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">127.0.0.1</span></span>
<span id="cb17-12"><a href="#cb17-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb17-13"><a href="#cb17-13" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>Adding an entry to an existing ipset:</p>
<div class="sourceCode" id="cb18"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb18-1"><a href="#cb18-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb18-2"><a href="#cb18-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb18-3"><a href="#cb18-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ipset_entries</span><span class="kw">:</span></span>
<span id="cb18-4"><a href="#cb18-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">127.0.0.2</span></span>
<span id="cb18-5"><a href="#cb18-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb18-6"><a href="#cb18-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>Changing the short name and description of an ipset:</p>
<div class="sourceCode" id="cb19"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb19-1"><a href="#cb19-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb19-2"><a href="#cb19-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb19-3"><a href="#cb19-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">short</span><span class="kw">:</span><span class="at"> Custom</span></span>
<span id="cb19-4"><a href="#cb19-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">description</span><span class="kw">:</span><span class="at"> Set of IPv4 addresses</span></span>
<span id="cb19-5"><a href="#cb19-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span>
<span id="cb19-6"><a href="#cb19-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>Removing entries from an ipset:</p>
<div class="sourceCode" id="cb20"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb20-1"><a href="#cb20-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb20-2"><a href="#cb20-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb20-3"><a href="#cb20-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ipset_entries</span><span class="kw">:</span></span>
<span id="cb20-4"><a href="#cb20-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">127.0.0.1</span></span>
<span id="cb20-5"><a href="#cb20-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">127.0.0.2</span></span>
<span id="cb20-6"><a href="#cb20-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> absent</span></span>
<span id="cb20-7"><a href="#cb20-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>Removing an ipset:</p>
<div class="sourceCode" id="cb21"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb21-1"><a href="#cb21-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb21-2"><a href="#cb21-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb21-3"><a href="#cb21-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> absent</span></span>
<span id="cb21-4"><a href="#cb21-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h2 id="port">port</h2>
<p>A port, a port range, or a list of them, for which inbound access is
added or removed. Each entry must be in the format
<code>&lt;port&gt;[-&lt;port&gt;]/&lt;protocol&gt;</code>.</p>
<div class="sourceCode" id="cb22"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb22-1"><a href="#cb22-1" aria-hidden="true" tabindex="-1"></a><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="st">'443/tcp'</span></span>
<span id="cb22-2"><a href="#cb22-2" aria-hidden="true" tabindex="-1"></a><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'443/tcp'</span><span class="kw">,</span><span class="st">'443/udp'</span><span class="kw">]</span></span></code></pre></div>
<h2 id="ipset_type">ipset_type</h2>
<p>Type of ipset being defined. Used with <code>ipset</code>.</p>
<p>For a list of available ipset types, run
<code>firewall-cmd --get-ipset-types</code> on the managed node; this
role provides no method to list the supported types.</p>
<div class="sourceCode" id="cb23"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb23-1"><a href="#cb23-1" aria-hidden="true" tabindex="-1"></a><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb23-2"><a href="#cb23-2" aria-hidden="true" tabindex="-1"></a><span class="fu">ipset_type</span><span class="kw">:</span><span class="at"> hash:mac</span></span></code></pre></div>
<p>See <code>ipset</code> for more usage information.</p>
<h2 id="ipset_entries">ipset_entries</h2>
<p>List of addresses to add to or remove from an ipset. Used with
<code>ipset</code>.</p>
<p>Entries must be compatible with the ipset type of the
<code>ipset</code> being created or modified.</p>
<div class="sourceCode" id="cb24"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb24-1"><a href="#cb24-1" aria-hidden="true" tabindex="-1"></a><span class="fu">ipset</span><span class="kw">:</span><span class="at"> customipset</span></span>
<span id="cb24-2"><a href="#cb24-2" aria-hidden="true" tabindex="-1"></a><span class="fu">ipset_entries</span><span class="kw">:</span></span>
<span id="cb24-3"><a href="#cb24-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fl">127.0.0.1</span></span></code></pre></div>
<p>See <code>ipset</code> for more usage information.</p>
<h2 id="source_port">source_port</h2>
<p>A port, a port range, or a list of them, for which source port
access is added or removed. Each entry must be in the format
<code>&lt;port&gt;[-&lt;port&gt;]/&lt;protocol&gt;</code>.</p>
<div class="sourceCode" id="cb25"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb25-1"><a href="#cb25-1" aria-hidden="true" tabindex="-1"></a><span class="fu">source_port</span><span class="kw">:</span><span class="at"> </span><span class="st">'443/tcp'</span></span>
<span id="cb25-2"><a href="#cb25-2" aria-hidden="true" tabindex="-1"></a><span class="fu">source_port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'443/tcp'</span><span class="kw">,</span><span class="st">'443/udp'</span><span class="kw">]</span></span></code></pre></div>
<h2 id="forward_port">forward_port</h2>
<p>Add or remove port forwarding for ports or port ranges for a zone. It
takes two different formats:</p>
<ul>
<li>string or a list of strings in the format used by
<code>firewall-cmd --add-forward-port</code>, e.g.
<code>&lt;port&gt;[-&lt;port&gt;]/&lt;protocol&gt;;[&lt;to-port&gt;];[&lt;to-addr&gt;]</code></li>
<li>dict or list of dicts in the format like
<code>ansible.posix.firewalld</code>:</li>
</ul>
<div class="sourceCode" id="cb26"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb26-1"><a href="#cb26-1" aria-hidden="true" tabindex="-1"></a><span class="fu">forward_port</span><span class="kw">:</span></span>
<span id="cb26-2"><a href="#cb26-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> <port></span></span>
<span id="cb26-3"><a href="#cb26-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">proto</span><span class="kw">:</span><span class="at"> <protocol></span></span>
<span id="cb26-4"><a href="#cb26-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">[</span><span class="fu">toport</span><span class="kw">:</span><span class="at"> <to-port></span><span class="kw">]</span></span>
<span id="cb26-5"><a href="#cb26-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">[</span><span class="fu">toaddr</span><span class="kw">:</span><span class="at"> <to-addr></span><span class="kw">]</span></span></code></pre></div>
<p>Examples:</p>
<div class="sourceCode" id="cb27"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb27-1"><a href="#cb27-1" aria-hidden="true" tabindex="-1"></a><span class="fu">forward_port</span><span class="kw">:</span><span class="at"> </span><span class="st">'447/tcp;;1.2.3.4'</span></span>
<span id="cb27-2"><a href="#cb27-2" aria-hidden="true" tabindex="-1"></a><span class="fu">forward_port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'447/tcp;;1.2.3.4'</span><span class="kw">,</span><span class="st">'448/tcp;;1.2.3.5'</span><span class="kw">]</span></span>
<span id="cb27-3"><a href="#cb27-3" aria-hidden="true" tabindex="-1"></a><span class="fu">forward_port</span><span class="kw">:</span></span>
<span id="cb27-4"><a href="#cb27-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> 447/tcp;;1.2.3.4</span></span>
<span id="cb27-5"><a href="#cb27-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> 448/tcp;;1.2.3.5</span></span>
<span id="cb27-6"><a href="#cb27-6" aria-hidden="true" tabindex="-1"></a><span class="fu">forward_port</span><span class="kw">:</span></span>
<span id="cb27-7"><a href="#cb27-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">447</span></span>
<span id="cb27-8"><a href="#cb27-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">proto</span><span class="kw">:</span><span class="at"> tcp</span></span>
<span id="cb27-9"><a href="#cb27-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">toaddr</span><span class="kw">:</span><span class="at"> </span><span class="fl">1.2.3.4</span></span>
<span id="cb27-10"><a href="#cb27-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">448</span></span>
<span id="cb27-11"><a href="#cb27-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">proto</span><span class="kw">:</span><span class="at"> tcp</span></span>
<span id="cb27-12"><a href="#cb27-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">toaddr</span><span class="kw">:</span><span class="at"> </span><span class="fl">1.2.3.5</span></span></code></pre></div>
<p><code>port_forward</code> is an alias for <code>forward_port</code>.
Its use is deprecated and will be removed in an upcoming release.</p>
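<p>The <code>source_port</code> and <code>forward_port</code> sections above describe two string grammars and state that the string and dict forms of <code>forward_port</code> are equivalent. The following is an added example, not code from the firewall role itself: a small validator that parses the <code><port>[-<port>]/<protocol></code> spec, converts the three-field <code>forward_port</code> string into the dict form, and normalises either form to one shape so an inventory can be linted before the role runs. The function names, the accepted protocol set and the rejection of a forward rule with neither a to-port nor a to-addr are this example's own assumptions.</p>

```python
# Added example, not part of the linux-system-roles firewall role: parse the
# '<port>[-<port>]/<protocol>' spec used by `port`/`source_port` and the
# firewall-cmd style '<port>[-<port>]/<protocol>;[<to-port>];[<to-addr>]'
# string used by `forward_port`, and normalise either forward_port form
# (string or dict) to the dict form. All function names are this example's own.
import ipaddress
import re
from typing import Any, Dict, List, Optional, Union

# Protocols accepted by this validator; an assumption, firewalld's own list may differ.
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
_PORT_SPEC_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/([a-z]+)$")
_PORT_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _check_range(lo: str, hi: Optional[str], spec: str) -> str:
    """Validate a port or inclusive port range; return '<lo>' or '<lo>-<hi>'."""
    for p in (lo, hi):
        if p is not None and not 1 <= int(p) <= 65535:
            raise ValueError(f"port {p} out of range in {spec!r}")
    if hi is not None and int(hi) < int(lo):
        raise ValueError(f"inverted port range in {spec!r}")
    return lo if hi is None else f"{lo}-{hi}"


def parse_port_spec(spec: str) -> Dict[str, str]:
    """Parse '<port>[-<port>]/<protocol>' into {'port': ..., 'proto': ...}."""
    m = _PORT_SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"expected <port>[-<port>]/<protocol>, got {spec!r}")
    lo, hi, proto = m.groups()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r} in {spec!r}")
    return {"port": _check_range(lo, hi, spec), "proto": proto}


def parse_forward_port(spec: str) -> Dict[str, str]:
    """Convert '<port>[-<port>]/<protocol>;[<to-port>];[<to-addr>]' to the
    dict form {'port', 'proto', 'toport'?, 'toaddr'?}. Empty fields are
    omitted; at least one of to-port / to-addr must be present, otherwise
    the rule has nothing to forward to (this example's rule)."""
    parts = spec.strip().split(";")
    if len(parts) != 3:
        raise ValueError(f"expected exactly two ';' separators in {spec!r}")
    result = parse_port_spec(parts[0])
    toport, toaddr = parts[1].strip(), parts[2].strip()
    if not toport and not toaddr:
        raise ValueError(f"forward_port needs a to-port and/or a to-addr: {spec!r}")
    if toport:
        m = _PORT_RANGE_RE.match(toport)
        if not m:
            raise ValueError(f"bad to-port {toport!r} in {spec!r}")
        result["toport"] = _check_range(m.group(1), m.group(2), spec)
    if toaddr:
        ipaddress.ip_address(toaddr)  # raises ValueError for anything that is not an IP
        result["toaddr"] = toaddr
    return result


def normalize_forward_ports(value: Union[str, Dict[str, Any], List[Any]]) -> List[Dict[str, str]]:
    """Accept a string, a dict, or a list of either (the forms the role
    documents) and return a list of validated dicts with string values, so
    that '447/tcp;;1.2.3.4' and {port: 447, proto: tcp, toaddr: 1.2.3.4}
    compare equal."""
    items = value if isinstance(value, list) else [value]
    out: List[Dict[str, str]] = []
    for item in items:
        if isinstance(item, str):
            out.append(parse_forward_port(item))
        elif isinstance(item, dict):
            # Re-serialise the dict to the string form so both paths share one validator.
            spec = f"{item['port']}/{item['proto']};{item.get('toport', '')};{item.get('toaddr', '')}"
            out.append(parse_forward_port(spec))
        else:
            raise TypeError(f"forward_port entries must be str or dict, got {type(item).__name__}")
    return out
```

<p>Running <code>normalize_forward_ports</code> over both forms shown in the examples above yields identical dicts, which is a convenient way to diff an inventory that mixes the two styles.</p>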
<h2 id="masquerade">masquerade</h2>
<p>Enable or disable masquerade on the given zone.</p>
<div class="sourceCode" id="cb28"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb28-1"><a href="#cb28-1" aria-hidden="true" tabindex="-1"></a><span class="fu">masquerade</span><span class="kw">:</span><span class="at"> </span><span class="ch">false</span></span></code></pre></div>
<h2 id="rich_rule">rich_rule</h2>
<p>String or list of rich rule strings. For the format see <a
href="https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html">Syntax
for firewalld rich language rules</a>.</p>
<div class="sourceCode" id="cb29"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb29-1"><a href="#cb29-1" aria-hidden="true" tabindex="-1"></a><span class="fu">rich_rule</span><span class="kw">:</span><span class="at"> rule service name="ftp" audit limit value="1/m" accept</span></span></code></pre></div>
<h2 id="source">source</h2>
<p>List of source address or address range strings, or ipsets. A source
address or address range is either an IP address or a network address
with a mask, for IPv4 or IPv6. For IPv4, the mask can be a network mask
or a plain number (prefix length). For IPv6 the mask is a plain
number.</p>
<div class="sourceCode" id="cb30"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb30-1"><a href="#cb30-1" aria-hidden="true" tabindex="-1"></a><span class="fu">source</span><span class="kw">:</span><span class="at"> 192.0.2.0/24</span></span></code></pre></div>
<p>Ipsets are used with this option by prefixing "ipset:" to the name of
the ipset.</p>
<div class="sourceCode" id="cb31"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb31-1"><a href="#cb31-1" aria-hidden="true" tabindex="-1"></a><span class="fu">source</span><span class="kw">:</span><span class="at"> ipset:ipsetname</span></span></code></pre></div>
<h2 id="interface">interface</h2>
<p>String or list of interface name strings.</p>
<div class="sourceCode" id="cb32"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb32-1"><a href="#cb32-1" aria-hidden="true" tabindex="-1"></a><span class="fu">interface</span><span class="kw">:</span><span class="at"> eth2</span></span></code></pre></div>
<p>This role handles interface arguments similar to how firewalld's cli,
<code>firewall-cmd</code> does, i.e. manages the interface through
NetworkManager if possible, and handles the interface binding purely
through firewalld otherwise.</p>
<p><strong>WARNING</strong>: Neither firewalld nor this role throw any
errors if the interface name specified is not tied to any existing
network interface. This can cause confusion when attempting to add an
interface via PCI device ID, for which you should use the parameter
<code>interface_pci_id</code> instead of the <code>interface</code>
parameter.</p>
<p>Allow interface named '8086:15d7' in dmz zone:</p>
<div class="sourceCode" id="cb32a"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb32a-1"><a href="#cb32a-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb32a-2"><a href="#cb32a-2" aria-hidden="true" tabindex="-1"></a><span class="at">  </span><span class="kw">-</span><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> dmz</span></span>
<span id="cb32a-3"><a href="#cb32a-3" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">interface</span><span class="kw">:</span><span class="at"> 8086:15d7</span></span>
<span id="cb32a-4"><a href="#cb32a-4" aria-hidden="true" tabindex="-1"></a><span class="at">    </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>The above will successfully add an nftables/iptables rule for an
interface named <code>8086:15d7</code>, but no traffic will ever match
an interface with this name, so the rule is silently ineffective.</p>
<p>TLDR: when using this parameter, stick to logical interface names
that you know exist on the device to avoid confusing behavior.</p>
<h2 id="interface_pci_id">interface_pci_id</h2>
<p>String or list of interface PCI device IDs. Accepts PCI IDs in the
form <code>XXXX:YYYY</code>, where:</p>
<ul>
<li>XXXX: Hexadecimal, corresponds to Vendor ID</li>
<li>YYYY: Hexadecimal, corresponds to Device ID</li>
</ul>
<div class="sourceCode" id="cb33"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb33-1"><a href="#cb33-1" aria-hidden="true" tabindex="-1"></a><span class="co"># PCI id for Intel Corporation Ethernet Connection</span></span>
<span id="cb33-2"><a href="#cb33-2" aria-hidden="true" tabindex="-1"></a><span class="fu">interface_pci_id</span><span class="kw">:</span><span class="at"> 8086:15d7</span></span></code></pre></div>
<p>Only accepts PCI device IDs that correspond to a named network
interface, and converts each PCI device ID to its respective logical
interface name.</p>
<p>If a PCI ID corresponds to more than one logical interface name, the
play is applied to all interfaces with that PCI ID.</p>
<p>A list of PCI devices with their IDs can be retrieved using
<code>lspci -nn</code>. For more information on PCI device IDs, see the
Linux man page at: <a
href="https://man7.org/linux/man-pages/man5/pci.ids.5.html">https://man7.org/linux/man-pages/man5/pci.ids.5.html</a></p>
<h2 id="icmp_block">icmp_block</h2>
<p>String or list of ICMP type strings to block. The ICMP type names
need to be defined in the firewalld configuration.</p>
<div class="sourceCode" id="cb34"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb34-1"><a href="#cb34-1" aria-hidden="true" tabindex="-1"></a><span class="fu">icmp_block</span><span class="kw">:</span><span class="at"> echo-request</span></span></code></pre></div>
<h2 id="icmp_block_inversion">icmp_block_inversion</h2>
<p>ICMP block inversion bool setting. It enables or disables inversion
of ICMP blocks for a zone in firewalld.</p>
<div class="sourceCode" id="cb35"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb35-1"><a href="#cb35-1" aria-hidden="true" tabindex="-1"></a><span class="fu">icmp_block_inversion</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h2 id="target">target</h2>
<p>The firewalld zone target. If the state is set to
<code>absent</code>, this will reset the target to default. Valid values
are "default", "ACCEPT", "DROP", "%%REJECT%%".</p>
<div class="sourceCode" id="cb36"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb36-1"><a href="#cb36-1" aria-hidden="true" tabindex="-1"></a><span class="fu">target</span><span class="kw">:</span><span class="at"> ACCEPT</span></span></code></pre></div>
<h2 id="short">short</h2>
<p>Short description, only usable when defining or modifying a service
or ipset. See <code>service</code> or <code>ipset</code> for more usage
information.</p>
<div class="sourceCode" id="cb37"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb37-1"><a href="#cb37-1" aria-hidden="true" tabindex="-1"></a><span class="fu">short</span><span class="kw">:</span><span class="at"> Short Description</span></span></code></pre></div>
<h2 id="description">description</h2>
<p>Description for a service, only usable when adding a new service or
modifying an existing service. See <code>service</code> or
<code>ipset</code> for more information</p>
<div class="sourceCode" id="cb38"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb38-1"><a href="#cb38-1" aria-hidden="true" tabindex="-1"></a><span class="fu">description</span><span class="kw">:</span><span class="at"> Your description goes here</span></span></code></pre></div>
<h2 id="destination">destination</h2>
<p>List of destination addresses; this option is only implemented for
user-defined services. Takes 0-2 addresses: at most one IPv4 address or
address range and one IPv6 address or address range.</p>
<ul>
<li>IPv4 format: <code>x.x.x.x[/mask]</code></li>
<li>IPv6 format: <code>x:x:x:x:x:x:x:x[/mask]</code> (<code>x::x</code>
works when abbreviating one or more subsequent IPv6 segments where x =
0)</li>
</ul>
<div class="sourceCode" id="cb39"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb39-1"><a href="#cb39-1" aria-hidden="true" tabindex="-1"></a><span class="fu">destination</span><span class="kw">:</span></span>
<span id="cb39-2"><a href="#cb39-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> 1.1.1.0/24</span></span>
<span id="cb39-3"><a href="#cb39-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> AAAA::AAAA:AAAA</span></span></code></pre></div>
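<p>The <code>source</code> section above states that IPv4 masks may be a network mask or a plain number while IPv6 masks are a plain number only, and that an ipset is referenced with the <code>ipset:</code> prefix; the <code>destination</code> section limits a user-defined service to at most one IPv4 and one IPv6 address or range. The following is an added example, not code from the firewall role itself, that checks both forms with the standard <code>ipaddress</code> module. The function names are this example's own, as is the decision to reject a network entry whose host bits are set rather than guess what was meant.</p>

```python
# Added example, not part of the linux-system-roles firewall role: check the
# address forms documented for `source` (IP address or network with mask, or
# 'ipset:<name>') and for `destination` (at most one IPv4 and one IPv6
# address or range). Function names are this example's own.
import ipaddress
from typing import Dict, List

IPSET_PREFIX = "ipset:"


def parse_source(entry: str) -> Dict[str, str]:
    """Classify one `source` entry.

    Returns {'kind': 'ipset' | 'ipv4' | 'ipv6', 'value': <normalised form>}.
    IPv4 masks may be a prefix length ('/24') or a dotted netmask
    ('/255.255.255.0'); IPv6 masks must be a prefix length. That is exactly
    what ipaddress.ip_network enforces, so no extra mask logic is needed.
    """
    entry = entry.strip()
    if entry.startswith(IPSET_PREFIX):
        name = entry[len(IPSET_PREFIX):]
        if not name:
            raise ValueError("'ipset:' must be followed by an ipset name")
        return {"kind": "ipset", "value": name}
    if "/" in entry:
        # strict=True rejects e.g. '192.0.2.5/24' (host bits set): this lint
        # treats such an entry as ambiguous instead of silently widening it.
        net = ipaddress.ip_network(entry, strict=True)
        return {"kind": f"ipv{net.version}", "value": net.with_prefixlen}
    addr = ipaddress.ip_address(entry)
    return {"kind": f"ipv{addr.version}", "value": str(addr)}


def validate_destination(addrs: List[str]) -> Dict[str, str]:
    """Check a `destination` list: 0-2 entries, at most one per IP version,
    and no ipset references. Returns {'ipv4': ..., 'ipv6': ...} for the
    versions that are present."""
    if len(addrs) > 2:
        raise ValueError(f"destination takes at most two addresses, got {len(addrs)}")
    result: Dict[str, str] = {}
    for a in addrs:
        parsed = parse_source(a)
        if parsed["kind"] == "ipset":
            raise ValueError("destination does not accept ipset references")
        if parsed["kind"] in result:
            raise ValueError(f"destination has more than one {parsed['kind']} entry")
        result[parsed["kind"]] = parsed["value"]
    return result
```

<p>Note that the dotted-netmask form is normalised to a prefix length, so <code>192.0.2.0/255.255.255.0</code> and <code>192.0.2.0/24</code> compare equal after parsing, while an IPv6 entry with a dotted mask is rejected, matching the rule stated above.</p>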
<h2 id="helper_module">helper_module</h2>
<p>Name of a connection tracking helper supported by firewalld.</p>
<div class="sourceCode" id="cb40"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb40-1"><a href="#cb40-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Both properly specify nf_conntrack_ftp</span></span>
<span id="cb40-2"><a href="#cb40-2" aria-hidden="true" tabindex="-1"></a><span class="fu">helper_module</span><span class="kw">:</span><span class="at"> ftp</span></span>
<span id="cb40-3"><a href="#cb40-3" aria-hidden="true" tabindex="-1"></a><span class="fu">helper_module</span><span class="kw">:</span><span class="at"> nf_conntrack_ftp</span></span></code></pre></div>
<h2 id="timeout">timeout</h2>
<p>The amount of time in seconds a setting is in effect. The timeout is
usable if</p>
<ul>
<li>state is set to <code>enabled</code></li>
<li>firewalld is running and <code>runtime</code> is set</li>
<li>setting is used with services, ports, source ports, forward ports,
masquerade, rich rules or icmp blocks</li>
</ul>
<div class="sourceCode" id="cb41"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb41-1"><a href="#cb41-1" aria-hidden="true" tabindex="-1"></a><span class="fu">timeout</span><span class="kw">:</span><span class="at"> </span><span class="dv">60</span></span>
<span id="cb41-2"><a href="#cb41-2" aria-hidden="true" tabindex="-1"></a><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span>
<span id="cb41-3"><a href="#cb41-3" aria-hidden="true" tabindex="-1"></a><span class="fu">service</span><span class="kw">:</span><span class="at"> https</span></span></code></pre></div>
<h2 id="state">state</h2>
<p>Enable or disable the entry.</p>
<div class="sourceCode" id="cb42"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb42-1"><a href="#cb42-1" aria-hidden="true" tabindex="-1"></a><span class="fu">state</span><span class="kw">:</span><span class="at"> </span><span class="st">'enabled'</span><span class="at"> </span><span class="er">|</span><span class="at"> </span><span class="er">'disabled'</span><span class="at"> </span><span class="er">|</span><span class="at"> </span><span class="er">'present'</span><span class="at"> </span><span class="er">|</span><span class="at"> </span><span class="er">'absent'</span></span></code></pre></div>
<p>NOTE: <code>present</code> and <code>absent</code> are only used for
<code>zone</code>, <code>target</code>, and <code>service</code>
operations, and cannot be used for any other operation.</p>
<p>NOTE: <code>zone</code> - use <code>state: present</code> to add a
zone, and <code>state: absent</code> to remove a zone, when zone is the
only variable e.g.</p>
<div class="sourceCode" id="cb43"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb43-1"><a href="#cb43-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb43-2"><a href="#cb43-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> my-new-zone</span></span>
<span id="cb43-3"><a href="#cb43-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> present</span></span></code></pre></div>
<p>NOTE: <code>target</code> - you can also use
<code>state: present</code> to add a target; <code>state: absent</code>
will reset the target to the default.</p>
<p>NOTE: <code>service</code> - to see how to manage services, see the
service section.</p>
<h2 id="runtime">runtime</h2>
<p>Enable changes in runtime configuration. If <code>runtime</code>
parameter is not provided, the default will be set to
<code>True</code>.</p>
<div class="sourceCode" id="cb44"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb44-1"><a href="#cb44-1" aria-hidden="true" tabindex="-1"></a><span class="fu">runtime</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h2 id="permanent">permanent</h2>
<p>Enable changes in permanent configuration. If <code>permanent</code>
parameter is not provided, the default will be set to
<code>True</code>.</p>
<div class="sourceCode" id="cb45"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb45-1"><a href="#cb45-1" aria-hidden="true" tabindex="-1"></a><span class="fu">permanent</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<p>The permanent and runtime settings are independent, so you can set
only the runtime, or only the permanent. You cannot set both permanent
and runtime to <code>false</code>.</p>
<h2 id="previous">previous</h2>
<p>If you want to completely wipe out all existing firewall
configuration, add <code>previous: replaced</code> to the
<code>firewall</code> list. This will cause all existing configuration
to be removed and replaced with your given configuration. This is useful
if you have existing machines that may have existing firewall
configuration, and you want to make all of the firewall configuration
the same across all of the machines.</p>
<p><em>WARNING</em>: When using this option, there is a small time window
while the firewall is being reset during which all new connections to
the system are rejected. Existing connections are unaffected. Applying
changes with this option in production might cause temporary service
failures for new connections during the operation.</p>
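<p>The <code>timeout</code>, <code>state</code>, <code>runtime</code>, <code>permanent</code> and <code>previous</code> sections above each state a usage rule (which states go with which operations, that <code>permanent</code> and <code>runtime</code> cannot both be false, when <code>timeout</code> applies, that <code>port_forward</code> is deprecated). The following is an added example, not code from the firewall role itself: a pre-flight lint that checks a <code>firewall</code> list against those stated rules before a play runs, so a misconfigured entry is reported by the lint rather than discovered on the host. The function names and message tags are this example's own, and it checks only the rules quoted from this README, not everything the role validates.</p>

```python
# Added example, not part of the linux-system-roles firewall role: a pre-flight
# lint that checks each `firewall` list entry against the rules this README
# states for `state`, `permanent`/`runtime`, `timeout`, `previous` and the
# deprecated `port_forward` alias. Function names and message tags are this
# example's own; it does not check everything the role validates.
from typing import Any, Dict, List

STATES = {"enabled", "disabled", "present", "absent"}
# present/absent are documented only for zone, target and service operations
PRESENCE_KEYS = {"zone", "target", "service"}
# settings the README lists as usable together with timeout
TIMEOUT_KEYS = {"service", "port", "source_port", "forward_port",
                "masquerade", "rich_rule", "icmp_block"}


def lint_firewall_entry(entry: Dict[str, Any]) -> List[str]:
    """Return a list of '<tag>: <message>' strings; an empty list means the
    entry passes every rule implemented here."""
    problems: List[str] = []
    state = entry.get("state")
    if state is not None and state not in STATES:
        problems.append(f"state-value: state must be one of {sorted(STATES)}, got {state!r}")
    if state in ("present", "absent") and not PRESENCE_KEYS.intersection(entry):
        problems.append("state-scope: present/absent are only valid for zone, target and service operations")
    # both default to true; the README says they cannot both be false
    if entry.get("permanent", True) is False and entry.get("runtime", True) is False:
        problems.append("both-false: permanent and runtime cannot both be false")
    if "timeout" in entry:
        if state != "enabled":
            problems.append("timeout-state: timeout requires state: enabled")
        if entry.get("runtime", True) is False:
            problems.append("timeout-runtime: timeout requires runtime changes")
        if not TIMEOUT_KEYS.intersection(entry):
            problems.append("timeout-setting: timeout applies only to services, ports, "
                            "source ports, forward ports, masquerade, rich rules or icmp blocks")
    if "port_forward" in entry:
        problems.append("port_forward-deprecated: use forward_port; the port_forward alias is deprecated")
    if "previous" in entry and entry["previous"] != "replaced":
        problems.append(f"previous-value: previous only accepts 'replaced', got {entry['previous']!r}")
    return problems


def lint_firewall(entries: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Lint a whole `firewall` list; keys are the indexes of entries with problems."""
    report: Dict[int, List[str]] = {}
    for i, entry in enumerate(entries):
        found = lint_firewall_entry(entry)
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not from the README) with one bad entry.
    sample = [
        {"previous": "replaced"},
        {"service": "ssh", "state": "enabled"},
        {"port": "80/tcp", "state": "enabled", "permanent": False, "runtime": False},
    ]
    for idx, msgs in lint_firewall(sample).items():
        for msg in msgs:
            print(f"firewall[{idx}]: {msg}")
```

<p>Each message carries a short tag before the colon so that a CI job can fail on specific classes of problem (for instance everything except <code>port_forward-deprecated</code>) without parsing the free text.</p>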
<h2
id="firewall_transactional_update_reboot_ok">firewall_transactional_update_reboot_ok</h2>
<p>This variable is used to handle reboots required by transactional
updates. If a transactional update requires a reboot, the role will
proceed with the reboot if
<code>firewall_transactional_update_reboot_ok</code> is set to
<code>true</code>. If set to <code>false</code>, the role will notify the
user that a reboot is required, allowing for custom handling of the
reboot requirement. If this variable is not set, the role will fail, so
that the reboot requirement is not overlooked.</p>
<div class="sourceCode" id="cb46"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb46-1"><a href="#cb46-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall_transactional_update_reboot_ok</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span></code></pre></div>
<h1 id="examples-of-options">Examples of Options</h1>
<p>By default, any changes are applied immediately (to the runtime
configuration) and to the permanent settings. If you want the changes to
apply immediately but not permanently, use <code>permanent: false</code>.
Conversely, to change only the permanent settings without touching the
running configuration, use <code>runtime: false</code>.</p>
<p>Permit TCP traffic for port 80 in default zone, in addition to any
existing configuration:</p>
<div class="sourceCode" id="cb47"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb47-1"><a href="#cb47-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb47-2"><a href="#cb47-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 80/tcp</span></span>
<span id="cb47-3"><a href="#cb47-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Remove all existing firewall configuration, and permit TCP traffic
for port 80 in default zone:</p>
<div class="sourceCode" id="cb48"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb48-1"><a href="#cb48-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb48-2"><a href="#cb48-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">previous</span><span class="kw">:</span><span class="at"> replaced</span></span>
<span id="cb48-3"><a href="#cb48-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 80/tcp</span></span>
<span id="cb48-4"><a href="#cb48-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Do not permit TCP traffic for port 80 in default zone:</p>
<div class="sourceCode" id="cb49"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb49-1"><a href="#cb49-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb49-2"><a href="#cb49-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> 80/tcp</span></span>
<span id="cb49-3"><a href="#cb49-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> disabled</span></span></code></pre></div>
<p>Add masquerading to dmz zone:</p>
<div class="sourceCode" id="cb50"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb50-1"><a href="#cb50-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb50-2"><a href="#cb50-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">masquerade</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
<span id="cb50-3"><a href="#cb50-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> dmz</span></span>
<span id="cb50-4"><a href="#cb50-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Remove masquerading from dmz zone:</p>
<div class="sourceCode" id="cb51"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb51-1"><a href="#cb51-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb51-2"><a href="#cb51-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">masquerade</span><span class="kw">:</span><span class="at"> </span><span class="ch">false</span></span>
<span id="cb51-3"><a href="#cb51-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> dmz</span></span>
<span id="cb51-4"><a href="#cb51-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Allow interface eth2 in trusted zone:</p>
<div class="sourceCode" id="cb52"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb52-1"><a href="#cb52-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb52-2"><a href="#cb52-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">interface</span><span class="kw">:</span><span class="at"> eth2</span></span>
<span id="cb52-3"><a href="#cb52-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> trusted</span></span>
<span id="cb52-4"><a href="#cb52-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Don't allow interface eth2 in trusted zone:</p>
<div class="sourceCode" id="cb53"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb53-1"><a href="#cb53-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb53-2"><a href="#cb53-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">interface</span><span class="kw">:</span><span class="at"> eth2</span></span>
<span id="cb53-3"><a href="#cb53-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> trusted</span></span>
<span id="cb53-4"><a href="#cb53-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> disabled</span></span></code></pre></div>
<p>Permit traffic in default zone for https service:</p>
<div class="sourceCode" id="cb54"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb54-1"><a href="#cb54-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb54-2"><a href="#cb54-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> https</span></span>
<span id="cb54-3"><a href="#cb54-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<p>Do not permit traffic in default zone for https service:</p>
<div class="sourceCode" id="cb55"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb55-1"><a href="#cb55-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb55-2"><a href="#cb55-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> https</span></span>
<span id="cb55-3"><a href="#cb55-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> disabled</span></span></code></pre></div>
<p>Allow interface with PCI device ID '8086:15d7' in dmz zone:</p>
<div class="sourceCode" id="cb56"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb56-1"><a href="#cb56-1" aria-hidden="true" tabindex="-1"></a><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb56-2"><a href="#cb56-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">zone</span><span class="kw">:</span><span class="at"> dmz</span></span>
<span id="cb56-3"><a href="#cb56-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">interface_pci_id</span><span class="kw">:</span><span class="at"> 8086:15d7</span></span>
<span id="cb56-4"><a href="#cb56-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span></code></pre></div>
<h1 id="example-playbooks">Example Playbooks</h1>
<p>Erase all existing configuration, and enable ssh service:</p>
<div class="sourceCode" id="cb57"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb57-1"><a href="#cb57-1" aria-hidden="true" tabindex="-1"></a><span class="pp">---</span></span>
<span id="cb57-2"><a href="#cb57-2" aria-hidden="true" tabindex="-1"></a><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> Erase existing config and enable ssh service</span></span>
<span id="cb57-3"><a href="#cb57-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">hosts</span><span class="kw">:</span><span class="at"> myhost</span></span>
<span id="cb57-4"><a href="#cb57-4" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb57-5"><a href="#cb57-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb57-6"><a href="#cb57-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb57-7"><a href="#cb57-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">previous</span><span class="kw">:</span><span class="at"> replaced</span></span>
<span id="cb57-8"><a href="#cb57-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> ssh</span></span>
<span id="cb57-9"><a href="#cb57-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span></span>
<span id="cb57-10"><a href="#cb57-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">roles</span><span class="kw">:</span></span>
<span id="cb57-11"><a href="#cb57-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> linux-system-roles.firewall</span></span></code></pre></div>
<p>With this playbook you can make sure that the tftp service is
disabled in the firewall:</p>
<div class="sourceCode" id="cb58"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb58-1"><a href="#cb58-1" aria-hidden="true" tabindex="-1"></a><span class="pp">---</span></span>
<span id="cb58-2"><a href="#cb58-2" aria-hidden="true" tabindex="-1"></a><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> Make sure tftp service is disabled</span></span>
<span id="cb58-3"><a href="#cb58-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">hosts</span><span class="kw">:</span><span class="at"> myhost</span></span>
<span id="cb58-4"><a href="#cb58-4" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb58-5"><a href="#cb58-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb58-6"><a href="#cb58-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb58-7"><a href="#cb58-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> tftp</span></span>
<span id="cb58-8"><a href="#cb58-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> disabled</span></span>
<span id="cb58-9"><a href="#cb58-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">roles</span><span class="kw">:</span></span>
<span id="cb58-10"><a href="#cb58-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> linux-system-roles.firewall</span></span></code></pre></div>
<p>It is also possible to combine several settings into blocks:</p>
<div class="sourceCode" id="cb59"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb59-1"><a href="#cb59-1" aria-hidden="true" tabindex="-1"></a><span class="pp">---</span></span>
<span id="cb59-2"><a href="#cb59-2" aria-hidden="true" tabindex="-1"></a><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> Configure firewall</span></span>
<span id="cb59-3"><a href="#cb59-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">hosts</span><span class="kw">:</span><span class="at"> myhost</span></span>
<span id="cb59-4"><a href="#cb59-4" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb59-5"><a href="#cb59-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb59-6"><a href="#cb59-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb59-7"><a href="#cb59-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">service</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="at">tftp</span><span class="kw">,</span><span class="at">ftp</span><span class="kw">],</span></span>
<span id="cb59-8"><a href="#cb59-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'443/tcp'</span><span class="kw">,</span><span class="st">'443/udp'</span><span class="kw">],</span></span>
<span id="cb59-9"><a href="#cb59-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-10"><a href="#cb59-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">forward_port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="at">eth2;447/tcp;;</span><span class="fl">1.2.3.4</span><span class="kw">,</span></span>
<span id="cb59-11"><a href="#cb59-11" aria-hidden="true" tabindex="-1"></a><span class="at"> eth2;448/tcp;;</span><span class="fl">1.2.3.5</span><span class="kw">],</span></span>
<span id="cb59-12"><a href="#cb59-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-13"><a href="#cb59-13" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">zone</span><span class="kw">:</span><span class="at"> internal</span><span class="kw">,</span><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> tftp</span><span class="kw">,</span><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-14"><a href="#cb59-14" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">service</span><span class="kw">:</span><span class="at"> tftp</span><span class="kw">,</span><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-15"><a href="#cb59-15" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="st">'443/tcp'</span><span class="kw">,</span><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-16"><a href="#cb59-16" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">forward_port</span><span class="kw">:</span><span class="at"> </span><span class="st">'eth0;445/tcp;;1.2.3.4'</span><span class="kw">,</span><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb59-17"><a href="#cb59-17" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">roles</span><span class="kw">:</span></span>
<span id="cb59-18"><a href="#cb59-18" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> linux-system-roles.firewall</span></span></code></pre></div>
<p>A block that combines several services, ports, etc. is applied as a single unit.
If any setting in the block is invalid, the whole block fails and none of it is applied.</p>
<div class="sourceCode" id="cb60"><pre
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb60-1"><a href="#cb60-1" aria-hidden="true" tabindex="-1"></a><span class="pp">---</span></span>
<span id="cb60-2"><a href="#cb60-2" aria-hidden="true" tabindex="-1"></a><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> Configure external zone in firewall</span></span>
<span id="cb60-3"><a href="#cb60-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">hosts</span><span class="kw">:</span><span class="at"> myhost</span></span>
<span id="cb60-4"><a href="#cb60-4" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb60-5"><a href="#cb60-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">vars</span><span class="kw">:</span></span>
<span id="cb60-6"><a href="#cb60-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">firewall</span><span class="kw">:</span></span>
<span id="cb60-7"><a href="#cb60-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="kw">{</span><span class="fu">zone</span><span class="kw">:</span><span class="at"> external</span><span class="kw">,</span></span>
<span id="cb60-8"><a href="#cb60-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">service</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="at">tftp</span><span class="kw">,</span><span class="at">ftp</span><span class="kw">],</span></span>
<span id="cb60-9"><a href="#cb60-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'443/tcp'</span><span class="kw">,</span><span class="st">'443/udp'</span><span class="kw">],</span></span>
<span id="cb60-10"><a href="#cb60-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">forward_port</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">'447/tcp;;1.2.3.4'</span><span class="kw">,</span></span>
<span id="cb60-11"><a href="#cb60-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="st">'448/tcp;;1.2.3.5'</span><span class="kw">],</span></span>
<span id="cb60-12"><a href="#cb60-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">state</span><span class="kw">:</span><span class="at"> enabled</span><span class="kw">}</span></span>
<span id="cb60-13"><a href="#cb60-13" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">roles</span><span class="kw">:</span></span>
<span id="cb60-14"><a href="#cb60-14" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> linux-system-roles.firewall</span></span></code></pre></div>
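<p>As an added example (not the role's own code), the following Python checks each block of a <code>firewall</code> list the way the role treats it: as one unit that is either accepted whole or rejected whole. The <code>port</code> and <code>forward_port</code> string formats are assumed from the examples above (<code>port/protocol</code> and <code>[interface;]port/protocol;[to-port];[to-addr]</code>), and the input is a constructed list with one deliberately broken block.</p>

```python
import re
from typing import Any

# Constructed input: the Python equivalent of a `firewall` variable like the
# YAML blocks above. The last block carries a deliberate typo ("tpc").
FIREWALL = [
    {"service": ["tftp", "ftp"], "port": ["443/tcp", "443/udp"], "state": "enabled"},
    {"forward_port": ["eth2;447/tcp;;1.2.3.4", "eth2;448/tcp;;1.2.3.5"], "state": "enabled"},
    {"zone": "internal", "service": "tftp", "state": "enabled"},
    {"port": "443/tpc", "forward_port": "eth0;445/tcp;;1.2.3.4", "state": "enabled"},
]

# Assumed formats, inferred from the README examples (not taken from the role's code):
#   port:         <port>/<tcp|udp>
#   forward_port: [<interface>;]<port>/<tcp|udp>;[<to-port>];[<to-addr>]
PORT_RE = re.compile(r"^\d{1,5}/(tcp|udp)$")
FWD_RE = re.compile(r"^(?:[A-Za-z0-9_.-]+;)?\d{1,5}/(tcp|udp);\d{0,5};(?:\d{1,3}(?:\.\d{1,3}){3})?$")


def _as_list(value: Any) -> list:
    """The role accepts a scalar or a list for service/port/forward_port; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_block(block: dict[str, Any]) -> list[str]:
    """Return every problem found in one block; an empty list means the block is acceptable."""
    errors: list[str] = []
    if block.get("state") not in ("enabled", "disabled"):
        errors.append(f"state must be enabled or disabled, got {block.get('state')!r}")
    for svc in _as_list(block.get("service", [])):
        if not re.fullmatch(r"[A-Za-z0-9_-]+", str(svc)):
            errors.append(f"bad service name {svc!r}")
    for port in _as_list(block.get("port", [])):
        # Regex first, so the int() conversion only runs on a well-formed spec.
        if not PORT_RE.match(str(port)) or not 0 < int(str(port).split("/")[0]) < 65536:
            errors.append(f"bad port spec {port!r}")
    for spec in _as_list(block.get("forward_port", [])):
        if not FWD_RE.match(str(spec)):
            errors.append(f"bad forward_port spec {spec!r}")
    if not any(key in block for key in ("service", "port", "forward_port")):
        errors.append("block sets nothing to enable or disable")
    return errors


def apply_blocks(firewall: list[dict]) -> tuple[list[dict], dict[int, list[str]]]:
    """All-or-nothing per block: a block with any error is rejected entirely, the rest pass."""
    accepted, rejected = [], {}
    for index, block in enumerate(firewall):
        errors = validate_block(block)
        if errors:
            rejected[index] = errors
        else:
            accepted.append(block)
    return accepted, rejected
```

Running <code>apply_blocks(FIREWALL)</code> accepts the first three blocks and rejects the fourth in full, even though its <code>forward_port</code> entry is valid on its own.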
<h1 id="rpm-ostree">rpm-ostree</h1>
<p>See README-ostree.md</p>
<h1 id="authors">Authors</h1>
<p>Thomas Woerner</p>
<h1 id="license">License</h1>
<p>GPLv2+</p>
</article>
</body>
</html>