Unverified Commit 35ba70ba authored by Dmitriy Safronov's avatar Dmitriy Safronov Committed by GitHub

rules (#3)

parent 71f17494
+40 −0
@@ -23,3 +23,43 @@
      - firewalld
      - python3-firewall
    state: present

- name: FirewallD input services
  ansible.posix.firewalld:
    zone: "{{ item.zone }}"
    service: "{{ item.service }}"
    state: "{{ item.state | default('enabled') }}"
    permanent: true
    immediate: true
  with_items: "{{ firewalld.input.services | default([]) }}"

- name: FirewallD input ports
  ansible.posix.firewalld:
    zone: "{{ item.zone }}"
    port: "{{ item.port }}"
    state: "{{ item.state | default('enabled') }}"
    permanent: true
    immediate: true
  with_items: "{{ firewalld.input.ports | default([]) }}"

- name: FirewallD port forward
  ansible.posix.firewalld:
    port_forward:
      - port: "{{ item.port }}"
        proto: "{{ item.proto }}"
        toaddr: "{{ item.toaddr | default('') }}"
        toport: "{{ item.toport | default(item.port) }}"
    zone: "{{ item.zone }}"
    state: "{{ item.state | default('enabled') }}"
    permanent: true
    immediate: true
  with_items: "{{ firewalld.forward_ports | default([]) }}"

- name: FirewallD interfaces
  ansible.posix.firewalld:
    zone: "{{ item.zone }}"
    interface: "{{ item.interface }}"
    permanent: true
    state: enabled
    immediate: true
  with_items: "{{ firewalld.interfaces | default([]) }}"
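Review bot: The "FirewallD interfaces" task hard-codes `state: enabled`, while the three tasks above it take `state: "{{ item.state | default('enabled') }}"` from the item, so an interface binding can never be removed from a zone through the same data structure that created it, and a stale `interfaces` entry stays in the permanent config after it is dropped from the variable. Making the fourth task consistent with the others, `state: "{{ item.state | default('enabled') }}"`, keeps add and remove symmetric across all four task types. As a point of style, all four tasks use `with_items`; `loop:` is the current Ansible form and would read the same here. The first three context lines of the hunk are the tail of a package-install task whose start is outside the hunk.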
+1 −1
@@ -3,7 +3,7 @@
[Service]
ExecStartPost=-/usr/bin/firewall-cmd --permanent --zone=trusted --add-interface=lo

{% if ansible_port is defined and ansible_port | int > 0 and ansible_port != 22 %}
{% if ansible_port is defined and ansible_port | int > 0 and ansible_port | int != 22 %}
ExecStartPost=-/bin/sh -c 'for ZONE in $(firewall-cmd --get-zones); do if [ $ZONE != "block" -a $ZONE != "drop" -a $ZONE != "trusted" ]; then firewall-cmd --zone=$ZONE --permanent --add-port={{ ansible_port }}/tcp > /dev/null 2>&1 ; fi; done'
{% else %}
ExecStartPost=-/bin/sh -c 'for ZONE in $(firewall-cmd --get-zones); do if [ $ZONE != "block" -a $ZONE != "drop" -a $ZONE != "trusted" ]; then firewall-cmd --zone=$ZONE --permanent --add-service=ssh > /dev/null 2>&1 ; fi; done'
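Review bot: The new guard now compares `ansible_port | int`, but the value written into the unit's shell command on the line below it is still the raw `{{ ansible_port }}`, so what the guard validates and what ends up in `--add-port=.../tcp` are not the same expression; rendering it as `--add-port={{ ansible_port | int }}/tcp` makes the emitted argument exactly the integer that passed the check. Because the shell line runs with a `-` prefix and redirects to `/dev/null`, a malformed port value would otherwise fail silently at boot rather than surface as an error. The `if` branch on the next line and the `{% endif %}` closing this block are outside the hunk.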