Ansible firewalld module explained

Overview

This module allows for addition or deletion of services and ports (either TCP or UDP) in either running or permanent firewalld rules.
In short, the firewalld module adds and removes firewalld rules, and can target the runtime configuration, the permanent (on-disk) configuration, or both.

Common parameters

service : Name of a service to add/remove to/from firewalld. The service must be listed in the output of firewall-cmd --get-services.
The service to allow; it must appear in the output of firewall-cmd --get-services (see the appendix).

permanent : Should this configuration be in the running firewalld configuration or persist across reboots. As of Ansible 2.3, permanent operations can operate on firewalld configs when it is not running.
Note that if this is 'no', immediate is assumed 'yes'.
Saves the rule to the permanent configuration so it is loaded again at the next start. On its own it does not touch the running rules; combine it with immediate: yes to get both.

state : Enable or disable a setting. For ports: Should this port accept (enabled) or reject (disabled) connections. The states 'present' and 'absent' can only be used in zone level operations (i.e. when no other parameters but zone and state are set).
(Choices: absent, disabled, enabled, present)
State of the rule: enabled adds the service/port/source/interface to the zone, disabled removes it, present creates a zone, absent deletes a zone.

port : Name of a port or port range to add/remove to/from firewalld. Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
The port/protocol (or port range/protocol) to allow.

zone : The firewalld zone to add/remove to/from.
Note that the default zone can be configured per system but 'public' is the default from upstream. Available choices can be extended based on per-system configs; listed here are "out of the box" defaults. Possible values include 'block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'.
The zone (trust level) to operate on. The built-in zones, from least to most trusting:
drop: all incoming packets are dropped with no reply; only outgoing connections are possible
block: all incoming connections are rejected (with an ICMP prohibited message); only connections initiated from this system are possible
public: for use in public areas; only selected incoming connections are accepted
external: like public, but with masquerading enabled, typically used on a router's external interface
dmz: for hosts in a demilitarized zone; only selected incoming connections are accepted
work: for work networks where you mostly trust the other computers; only selected incoming connections are accepted
home: like work, for home networks
internal: like work, for internal networks where you mostly trust the other computers
trusted: all connections are accepted

interface : The interface you would like to add/remove to/from a zone in firewalld.
Binds a network interface to a zone, so all traffic arriving on it is handled by that zone's rules.

source : The source/network you would like to add/remove to/from firewalld.
Binds a source address or network (for example 192.0.2.0/24) to a zone; a source binding takes precedence over the interface binding for packets from that network.

immediate : Should this configuration be applied immediately, if set as permanent.
Applies the rule to the running configuration as well, so no firewalld reload or restart is needed.

Examples

Case 1: in the default zone, allow the https service; the rule is saved permanently and loaded automatically at the next start

- firewalld:
    service: https
    permanent: yes
    state: enabled

Initial state: the public zone does not contain https

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Add the rule allowing https, saved permanently so it is loaded at the next start

[root@control ~]# ansible node1 -m firewalld -a 'service=https permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service https to enabled"
}

The rule does not take effect immediately: only the permanent configuration was changed (permanent=yes without immediate=yes), so the running zone is unchanged

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Restart the firewalld service so the permanent configuration is loaded (a firewall-cmd --reload, or immediate=yes on the task, would achieve the same without a restart; note that a restart or reload discards any runtime-only rules)

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 17:41:36 CST",
        "ActiveEnterTimestampMonotonic": "15024543",
        "ActiveExitTimestampMonotonic": "0",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The rule is now in effect

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
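The following playbook is an added example (it is not code from the original page): it performs the same change as case 1 but with permanent and immediate both set, so the rule lands in the permanent and runtime configurations in one task and no firewalld restart is needed; it then reads both configurations back and fails if they disagree. It assumes an inventory host or group named node1 as on this page, that firewalld is running, and that the module is addressed by its collection name ansible.posix.firewalld (the short name firewalld used on this page works on older Ansible releases).

```yaml
# Added example, not from the original page.
# Assumes: inventory host/group "node1", firewalld running, ansible.posix collection installed.
- name: Allow https in zone public without restarting firewalld
  hosts: node1
  become: true
  tasks:
    - name: Permit https in zone public (persisted and applied now)
      ansible.posix.firewalld:
        zone: public
        service: https
        permanent: true
        immediate: true   # without this, only the permanent config changes
        state: enabled

    - name: Read the runtime service list of zone public
      ansible.builtin.command: firewall-cmd --zone=public --list-services
      register: runtime
      changed_when: false

    - name: Read the permanent service list of zone public
      ansible.builtin.command: firewall-cmd --permanent --zone=public --list-services
      register: permanent
      changed_when: false

    # Runtime/permanent drift is exactly the situation shown in case 1:
    # a rule that is on disk but not enforced, or enforced but lost at reboot.
    - name: Fail if the runtime and permanent configurations disagree
      ansible.builtin.assert:
        that:
          - "'https' in runtime.stdout.split()"
          - "(runtime.stdout.split() | sort) == (permanent.stdout.split() | sort)"
        fail_msg: "runtime={{ runtime.stdout }} permanent={{ permanent.stdout }}"
```

Run it with ansible-playbook against the same inventory used in the examples above; the assert task is what turns a silent mismatch between the two configurations into a visible failure.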

Case 2: in the default zone, make sure tcp port 8081 is not open (state: disabled removes the port from the zone; it does not create a "disabled" rule), saved permanently

- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled

Apply the rule; because 8081/tcp was never open in the public zone there is nothing to remove, so the module reports changed: false

[root@control ~]# ansible node1 -m firewalld -a 'port=8081/tcp permanent=yes state=disabled'
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "Permanent operation"
}

Restart firewalld

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 22:15:37 CST",
        "ActiveEnterTimestampMonotonic": "16455418172",
        "ActiveExitTimestamp": "Mon 2020-07-06 22:15:36 CST",
        "ActiveExitTimestampMonotonic": "16454673620",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The port is not open: the ports line of the public zone stays empty

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Case 3: in the default zone, allow UDP ports 161 to 162, saved permanently and loaded at the next start (the command as recorded below used 162-162/udp, a one-port range; the playbook form uses 161-162/udp)

- firewalld:
    port: 161-162/udp
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'port=162-162/udp permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed port 162-162/udp to enabled"
}

Case 4: in the dmz zone, allow the http service, saved permanently and loaded at the next start

- firewalld:
    zone: dmz
    service: http
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'zone=dmz service=http permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service http to enabled"
}

Case 5: add the 192.0.2.0/24 network as a source of the internal zone

- firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled'
node1 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "missing parameter(s) required by 'source': permanent"
}

NOTE : the source parameter requires permanent; the module refuses the task otherwise

[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added 192.0.2.0/24 to zone internal"
}

Case 6: move the eth0 interface into the trusted zone. Since trusted accepts every connection, and eth0 is the host's active interface in the outputs above, this exposes every listening service on that interface; prefer a source-scoped zone unless the whole link really is trusted

- firewalld:
    zone: trusted
    interface: eth0
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'interface=eth0 zone=trusted state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed eth0 to zone trusted"
}

Case 7: create a new zone named custom (zone creation is a permanent-only operation; the zone appears in the runtime configuration after a firewalld reload)

- firewalld:
    zone: custom
    state: present
    permanent: yes

[root@control ~]# ansible node1 -m firewalld -a 'zone=custom state=present permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added zone custom, Changed zone custom to present"
}
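Cases 5, 6 and 7 combine into a useful pattern: instead of dropping a whole interface into trusted, create a dedicated zone, bind the management network to it as a source, and allow the service only there. The playbook below is an added example (not code from the original page); it assumes an inventory host or group named node1, that firewalld is running, that the management network is 192.0.2.0/24 and the zone name mgmt (both chosen for this example), and the collection name ansible.posix.firewalld.

```yaml
# Added example, not from the original page.
# Assumes: inventory host/group "node1", firewalld running, ansible.posix collection installed,
# management network 192.0.2.0/24 and zone name "mgmt" (both example values).
- name: Restrict ssh to the management network with a dedicated zone
  hosts: node1
  become: true
  tasks:
    - name: Create zone mgmt (zone creation is permanent-only)
      ansible.posix.firewalld:
        zone: mgmt
        state: present
        permanent: true
      register: zone

    # A newly created zone exists only in the permanent configuration until
    # firewalld reloads; immediate operations on it would fail before that.
    # Reload only when the zone was just created, so runtime-only rules are
    # not thrown away on every run.
    - name: Reload firewalld so the new zone exists at runtime
      ansible.builtin.command: firewall-cmd --reload
      when: zone.changed

    - name: Bind the management network to zone mgmt
      ansible.posix.firewalld:
        zone: mgmt
        source: 192.0.2.0/24
        permanent: true
        immediate: true
        state: enabled

    - name: Allow ssh in zone mgmt
      ansible.posix.firewalld:
        zone: mgmt
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    # Source bindings are matched before the interface binding, so packets
    # from 192.0.2.0/24 now reach zone mgmt; everyone else still lands in public.
    - name: Remove ssh from zone public so other sources cannot reach it
      ansible.posix.firewalld:
        zone: public
        service: ssh
        permanent: true
        immediate: true
        state: disabled
```

Run the last task only if the Ansible control node itself sits inside 192.0.2.0/24 (or reaches the host another way), otherwise the play locks you out as soon as the established session ends. The same structure works for any service from the appendix list, or for a port such as 8443/tcp in place of service: ssh.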

Appendix

[root@control ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server