
Ansible firewalld module explained


Module parameters

service : Name of a service to add/remove to/from firewalld. The service must be listed in the output of firewall-cmd --get-services.
Specifies the service to allow; the name must appear in the output of firewall-cmd --get-services.

permanent : Should this configuration be in the running firewalld configuration or persist across reboots. As of Ansible 2.3, permanent operations can operate on firewalld configs when it is not running.
Note that if this is 'no', immediate is assumed 'yes'.
Writes the rule to the permanent configuration so it is loaded the next time firewalld starts. On its own it does not change the running rules; combine it with immediate: yes to change both at once.

state : Enable or disable a setting. For ports: Should this port accept (enabled) or reject (disabled) connections. The states 'present' and 'absent' can only be used in zone level operations (i.e. when no other parameters but zone and state are set).
(Choices: absent, disabled, enabled, present)
Sets the state of the rule: enabled makes it active, disabled ensures it is not present (a port or service with state: disabled is simply not opened; there is no such thing as a stored "disabled rule"). present creates a zone and absent deletes one; those two values are valid only when zone and state are the sole parameters.

port : Name of a port or port range to add/remove to/from firewalld. Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
Specifies the port (or port range) and protocol to allow, e.g. 8081/tcp or 161-162/udp.

zone : The firewalld zone to add/remove to/from.
Note that the default zone can be configured per system but 'public' is the default from upstream. Available choices can be extended based on per-system configs; listed here are the "out of the box" defaults. Possible values include 'block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'.
Specifies the zone (trust level) the rule belongs to. The built-in zones, from least to most trusting:
drop: all incoming packets are dropped without any reply; only outgoing connections are possible
block: all incoming connections are rejected with an ICMP prohibited message; only connections initiated from this host are possible
public: only explicitly allowed incoming connections are accepted
external: same as public, but with masquerading enabled; intended for routers doing NAT
dmz: for publicly reachable hosts in a demilitarized zone with limited access to the internal network; only explicitly allowed incoming connections are accepted
work: for work networks where the other hosts are mostly trusted; only explicitly allowed incoming connections are accepted
home: same as work, for home networks
internal: same as work, for internal networks
trusted: all connections are accepted

interface : The interface you would like to add/remove to/from a zone in firewalld.
Specifies a network interface to bind to a zone; traffic arriving on that interface is handled by that zone.

source : The source/network you would like to add/remove to/from firewalld.
Specifies a source network (CIDR notation) to bind to a zone. A source binding takes precedence over the interface binding, so traffic from that network is handled by this zone no matter which interface it arrives on.

immediate : Should this configuration be applied immediately, if set as permanent.
Applies the change to the running configuration at the same time as it is written permanently. Without it a permanent change only takes effect after firewall-cmd --reload or a restart of firewalld.
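The parameters above are most useful in combination. The playbook below is an added example (not part of the original post) that restricts ssh to a management network by binding that network to the internal zone, while the public zone keeps only https. Every task sets both permanent and immediate so the running and saved configurations never diverge. The host group web and the network 192.0.2.0/24 are assumptions.

```yaml
---
# Added example: restrict ssh to a management network with a source-bound
# zone. "web" and 192.0.2.0/24 are placeholders, not values from the post.
- hosts: web
  become: yes
  vars:
    mgmt_net: 192.0.2.0/24
  tasks:
    # permanent + immediate: the rule is saved and active right away.
    # permanent alone would only be picked up at the next reload/restart.
    - name: Bind the management network to the internal zone
      firewalld:
        zone: internal
        source: "{{ mgmt_net }}"
        permanent: yes
        immediate: yes
        state: enabled

    - name: Allow ssh for sources handled by the internal zone
      firewalld:
        zone: internal
        service: ssh
        permanent: yes
        immediate: yes
        state: enabled

    - name: Allow https from anywhere (public is the interface zone of eth0)
      firewalld:
        zone: public
        service: https
        permanent: yes
        immediate: yes
        state: enabled

    # firewalld matches source bindings before interface bindings, so a
    # packet from mgmt_net is handled by internal even though eth0 is in
    # public. Run this play from inside mgmt_net, otherwise removing ssh
    # from public locks the controller out.
    - name: Stop accepting ssh in the public zone
      firewalld:
        zone: public
        service: ssh
        permanent: yes
        immediate: yes
        state: disabled
```

The order of the tasks matters: the source binding and the ssh allow in internal are created before ssh is removed from public, so there is no moment at which the management network has no path in.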

Examples

Case 1: allow https in the default zone, with the rule persisting across restarts

- firewalld:
    service: https
    permanent: yes
    state: enabled

Before the change, the public zone does not include https:

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Add the rule allowing https, saved to the permanent configuration:

[root@control ~]# ansible node1 -m firewalld -a 'service=https permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service https to enabled"
}

The rule has not taken effect yet: with permanent=yes and no immediate=yes, only the permanent configuration was changed and the runtime zone is untouched.

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Restart the firewalld service. A restart is the heavy-handed way to load the permanent configuration: stopping firewalld removes its rules and the ruleset is rebuilt on start. Passing immediate=yes in the module call, or running firewall-cmd --reload, applies the permanent configuration without that interruption.

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 17:41:36 CST",
        "ActiveEnterTimestampMonotonic": "15024543",
        "ActiveExitTimestampMonotonic": "0",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The rule is now active:

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Case 2: ensure tcp port 8081 is not open in the default zone (state=disabled), persistently. Note that state=disabled does not create a "disabled rule"; it guarantees the port is absent from the zone.

- firewalld:
    port: 8081/tcp
    permanent: yes
    state: disabled

Run the module. Since 8081/tcp was never opened in the permanent configuration there is nothing to remove, so the task reports changed=false:

[root@control ~]# ansible node1 -m firewalld -a 'port=8081/tcp permanent=yes state=disabled'
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "Permanent operation"
}

Restart the firewalld service (unnecessary here, since nothing was changed):

[root@control ~]# ansible node1 -m service -a 'name=firewalld state=restarted'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "name": "firewalld",
    "state": "started",
    "status": {
        "ActiveEnterTimestamp": "Mon 2020-07-06 22:15:37 CST",
        "ActiveEnterTimestampMonotonic": "16455418172",
        "ActiveExitTimestamp": "Mon 2020-07-06 22:15:36 CST",
        "ActiveExitTimestampMonotonic": "16454673620",
        "ActiveState": "active",
        "After": "basic.target dbus.socket sysinit.target polkit.service system.slice dbus.service",

The port is not open:

[root@control ~]# ansible node1 -a 'firewall-cmd --zone=public --list-all'
node1 | CHANGED | rc=0 >>
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Case 3: allow UDP ports 161 to 162 in the default zone, persistently. The playbook form uses the full 161-162 range; the ad-hoc run below passed 162-162/udp, which is a one-port range covering only 162.

- firewalld:
    port: 161-162/udp
    permanent: yes
    state: enabled
[root@control ~]# ansible node1 -m firewalld -a 'port=162-162/udp permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed port 162-162/udp to enabled"
}

Case 4: allow http in the dmz zone, persistently

- firewalld:
    zone: dmz
    service: http
    permanent: yes
    state: enabled
[root@control ~]# ansible node1 -m firewalld -a 'zone=dmz service=http  permanent=yes state=enabled'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed service http to enabled"
}

Case 5: bind the 192.0.2.0/24 network to the internal zone

- firewalld:
    source: 192.0.2.0/24
    zone: internal
    permanent: yes
    state: enabled
[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled'
node1 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "msg": "missing parameter(s) required by 'source': permanent"
}

NOTE: the module requires permanent=yes whenever source is used; without it the task fails as shown above. Add immediate=yes as well if the binding should apply to the running configuration straight away.

[root@control ~]# ansible node1 -m firewalld -a 'zone=internal source="192.0.2.0/24" state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added 192.0.2.0/24 to zone internal"
}

Case 6: add interface eth0 to the trusted zone. Be aware of what this does: trusted accepts every connection, so moving the host's only interface out of public (where it was in case 1) switches off filtering for that interface entirely.

- firewalld:
    zone: trusted
    interface: eth0
    permanent: yes
    state: enabled
[root@control ~]# ansible node1 -m firewalld -a 'interface=eth0 zone=trusted state=enabled permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Changed eth0 to zone trusted"
}

Case 7: create a custom zone. Zone creation is a permanent-only operation, so the new zone exists in the saved configuration but is not usable at runtime until firewalld is reloaded.

- firewalld:
    zone: custom
    state: present
    permanent: yes
[root@control ~]# ansible node1 -m firewalld -a ' zone=custom state=present  permanent=yes'
node1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "msg": "Permanent operation, Added zone custom, Changed zone custom to present"
}
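Because a newly created zone only exists permanently, any task that tries to use it with immediate=yes before a reload fails. The playbook below is an added example (not from the original post) showing the working order: create the zone, flush a reload handler, then bind a network and a service to it and check that it is active. The host group web, the network 198.51.100.0/24 and the choice of the postgresql service are assumptions; the zone name custom is the one used above.

```yaml
---
# Added example: create a zone and populate it in the right order.
# "web", 198.51.100.0/24 and postgresql are placeholders.
- hosts: web
  become: yes
  tasks:
    # state: present only writes the zone to the permanent configuration.
    - name: Create the custom zone (permanent only)
      firewalld:
        zone: custom
        state: present
        permanent: yes
      notify: reload firewalld

    # Run the handler now, not at the end of the play, so the zone exists
    # at runtime before the immediate: yes tasks below touch it.
    - meta: flush_handlers

    - name: Bind the database network to the new zone
      firewalld:
        zone: custom
        source: 198.51.100.0/24
        permanent: yes
        immediate: yes
        state: enabled

    - name: Allow only postgresql in that zone
      firewalld:
        zone: custom
        service: postgresql
        permanent: yes
        immediate: yes
        state: enabled

    # --get-active-zones lists each zone that has a source or interface
    # bound to it, one zone name per line followed by its bindings.
    - name: Confirm the zone is active at runtime
      command: firewall-cmd --get-active-zones
      register: active
      changed_when: false
      failed_when: "'custom' not in active.stdout_lines"

  handlers:
    - name: reload firewalld
      command: firewall-cmd --reload
```

A fresh zone has no services at all, so until the postgresql task runs, hosts in 198.51.100.0/24 are cut off from everything the public zone used to allow them; put the binding and the allow rules in the same play, as here, rather than in separate runs.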