Ansible firewalld module explained


Parameter details

service : Name of a service to add/remove to/from firewalld. The service must be listed in the output of firewall-cmd --get-services.
Specifies the service to allow; the service must appear in the output of firewall-cmd --get-services.

permanent : Should this configuration be in the running firewalld configuration or persist across reboots. As of Ansible 2.3, permanent operations can operate on firewalld configs when it is not running.
Note that if this is 'no', immediate is assumed 'yes'.
Saves the rule to the permanent configuration so that it is loaded automatically the next time firewalld starts.

state : Enable or disable a setting. For ports: Should this port accept (enabled) or reject (disabled) connections. The states 'present' and 'absent' can only be used in zone level operations (i.e. when no other parameters but zone and state are set).
(Choices: absent, disabled, enabled, present)
Specifies the state of the firewall rule: enabled puts the rule into effect, disabled disables it, present creates a new entry and absent deletes one (present/absent apply to zones only, as noted above).

port : Name of a port or port range to add/remove to/from firewalld. Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
Specifies the port/protocol to allow.

zone : The firewalld zone to add/remove to/from.
Note that the default zone can be configured per system but 'public' is the default from upstream. Available choices can be extended based on per-system configs; listed here are the "out of the box" defaults. Possible values include 'block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'.
Specifies the firewall trust level (zone).
drop: drops all incoming packets without sending any response
block: rejects all externally initiated connections; connections initiated from inside are allowed
public: allows selected incoming connections
external: as above, but for masqueraded incoming connections; typically used for routing/forwarding
dmz: allows restricted incoming connections
work: allows restricted incoming connections from trusted machines, similar to a workgroup
home: as above, similar to a homegroup
internal: as above, scoped to all users of the internal network
trusted: trusts all connections

interface : The interface you would like to add/remove to/from a zone in firewalld.
Specifies which zone (trust level) an interface belongs to.

source : The source/network you would like to add/remove to/from firewalld.
Specifies a source network segment.

immediate : Should this configuration be applied immediately, if set as permanent.
Makes the firewall rule take effect immediately.
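As an added example (not from this page or from Ansible), a small pre-flight check in Python that encodes the constraints stated above: the port format, the present/absent zone-only rule, the source/permanent dependency, and the fact that a permanent-only change is not live until firewalld reloads. The names check_port, lint_task and PAGE_TASKS are mine; the sample input is the task arguments used in examples 1, 3, 5 and 7 below (note that example 3's ad-hoc command passes 162-162/udp, a "range" of one port).

```python
import re

# Port spec grammar from the module docs: PORT/PROTOCOL or PORT-PORT/PROTOCOL.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp|sctp|dccp)$")


def check_port(spec):
    """Return None if spec is a valid port or port range, else a description of the problem."""
    m = PORT_RE.match(spec)
    if not m:
        return f"port {spec!r} must be PORT/PROTOCOL or PORT-PORT/PROTOCOL"
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        return f"port {spec!r} is outside 1-65535"
    if hi < lo:
        return f"port range {spec!r} ends before it starts"
    if m.group(2) and hi == lo:
        return f"port range {spec!r} covers a single port; check the intended range"
    return None


def lint_task(args):
    """Check one firewalld task's arguments; returns a list of problems (empty means OK)."""
    problems = []
    state = args.get("state")
    if state not in ("enabled", "disabled", "present", "absent"):
        problems.append(f"state must be enabled/disabled/present/absent, got {state!r}")
    targets = [k for k in ("service", "port", "interface", "source") if k in args]
    if state in ("present", "absent") and (targets or "zone" not in args):
        problems.append("present/absent are zone-level only: give zone and state, no service/port/interface/source")
    if "source" in args and "permanent" not in args:
        problems.append("missing parameter(s) required by 'source': permanent")
    if "port" in args and (problem := check_port(args["port"])):
        problems.append(problem)
    if state in ("enabled", "disabled") and args.get("permanent") and not args.get("immediate"):
        problems.append("permanent without immediate: change is not live until firewalld reloads")
    return problems


# Constructed input: the task arguments used in examples 1, 3, 5 and 7 on this page.
PAGE_TASKS = {
    "example1": {"service": "https", "permanent": True, "state": "enabled"},
    "example3": {"port": "162-162/udp", "permanent": True, "state": "enabled"},
    "example5": {"source": "192.0.2.0/24", "zone": "internal", "state": "enabled"},
    "example7": {"zone": "custom", "state": "present", "permanent": True},
}

if __name__ == "__main__":
    for name, task in PAGE_TASKS.items():
        print(name, lint_task(task) or "ok")
```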

Examples

Example 1: in the default zone, add a rule allowing HTTPS traffic, loaded automatically on the next restart

- firewalld:
    service: https
    permanent: yes
    state: enabled

Initial state: the public zone does not contain https

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Add the rule allowing HTTPS traffic; it is loaded automatically on the next restart

[root@control ~]# ansible node1 -m firewalld -a 'service=https permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service https to enabled"
}

The rule does not take effect immediately

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Restart the firewalld service

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 17:41:36 CST",
        "ActiveEnterTimestampMonotonic": "15024543",
        "ActiveExitTimestampMonotonic": "0",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The firewall rule is now in effect

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Example 2: in the default zone, add a rule for TCP port 8081 with state disabled, loaded automatically on the next restart

- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled

Add the firewall rule

[root@control ~]# ansible node1 -m firewalld -a 'port=8081/tcp permanent=yes state=disabled'
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "Permanent operation"
}

Restart the firewalld service

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 22:15:37 CST",
        "ActiveEnterTimestampMonotonic": "16455418172",
        "ActiveExitTimestamp": "Mon 2020-07-06 22:15:36 CST",
        "ActiveExitTimestampMonotonic": "16454673620",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The rule is not enabled

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
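The examples above verify each change by reading the firewall-cmd --list-all output by eye. As an added example (not from this page or from Ansible), this Python parser turns that output into sets of tokens and checks the expected runtime state: after example 1 https must be live, and after example 2 8081/tcp must still be absent. SAMPLE, parse_list_all and check_zone are my names; the sample is a constructed copy of the public zone output above, plus one constructed rich rule so the continuation-line handling is exercised.

```python
# Constructed sample: the public zone as printed by `firewall-cmd --zone=public --list-all`
# after examples 1 and 2 (https enabled, 8081/tcp absent), plus one constructed rich rule.
SAMPLE = """public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client https ssh
  ports:
  masquerade: no
  rich rules:
\trule family="ipv4" source address="192.0.2.10" service name="ssh" accept
"""


def parse_list_all(text):
    """Parse `firewall-cmd --zone=Z --list-all` output into {'name', 'active', field: set(tokens)};
    tab-indented continuation lines (how rich rules print) are attached whole to the previous field."""
    lines = text.strip("\n").splitlines()
    head = lines[0].split()
    zone = {"name": head[0], "active": "(active)" in head}
    field = None
    for line in lines[1:]:
        if line.startswith("\t") and field:
            zone[field].add(line.strip())
            continue
        key, _, value = line.strip().partition(":")
        field = key.strip()
        zone[field] = set(value.split())
    return zone


def check_zone(text, expect, forbid):
    """expect/forbid map a field ('services', 'ports', 'interfaces', ...) to tokens that must /
    must not be present in the zone; returns the list of mismatches (empty means it matches)."""
    zone = parse_list_all(text)
    issues = []
    for field, wanted in expect.items():
        issues += [f"{zone['name']}: expected {i} in {field}" for i in wanted if i not in zone.get(field, ())]
    for field, unwanted in forbid.items():
        issues += [f"{zone['name']}: unexpected {i} in {field}" for i in unwanted if i in zone.get(field, ())]
    return issues


if __name__ == "__main__":
    # After example 1 https must be live; after example 2 8081/tcp must still be absent.
    print(check_zone(SAMPLE, {"services": ["https"]}, {"ports": ["8081/tcp"]}) or "zone matches")
```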

Example 3: in the default zone, add a rule allowing UDP ports 161 to 162, loaded automatically on the next restart

- firewalld:
    port: 161-162/udp
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'port=162-162/udp permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed port 162-162/udp to enabled"
}

Example 4: in the dmz zone, add a rule allowing HTTP traffic, loaded automatically on the next restart

- firewalld:
    zone: dmz
    service: http
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'zone=dmz service=http  permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service http to enabled"
}

Example 5: in the internal zone, add a rule allowing the 192.0.2.0/24 network

- firewalld:
    source: 192.0.2.0/24
    zone: internal
    permanent: yes   # required whenever source is given (see the NOTE below)
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled'
node1 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "missing parameter(s) required by 'source': permanent"
}

NOTE: the source parameter must be used together with the permanent parameter

[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added 192.0.2.0/24 to zone internal"
}

Example 6: add the eth0 interface to the trusted zone

- firewalld:
    zone: trusted
    interface: eth0
    permanent: yes
    state: enabled

[root@control ~]# ansible node1 -m firewalld -a 'interface=eth0 zone=trusted state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed eth0 to zone trusted"
}

Example 7: create a new zone named custom

- firewalld:
    zone: custom
    state: present
    permanent: yes

[root@control ~]# ansible node1 -m firewalld -a ' zone=custom state=present  permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added zone custom, Changed zone custom to present"
    }
