
firewalld: Support policy objects

Open klausenbusk opened this issue 2 years ago • 4 comments

SUMMARY

Firewalld supports "Policy Objects" since v0.9.0:

With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones. A subset of that functionality was available by using the direct interface and writing your own iptables rules, but it wasn’t a great user experience.

What is needed is a way to apply a policy for traffic flowing between zones. Then the user can attach firewalld’s primitives: services, ports, rich rules, etc. to the policy. The end result is something that provides a very similar user interface to zones, but is much more powerful.

Source: https://firewalld.org/2020/09/policy-objects-introduction

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

firewalld

ADDITIONAL INFORMATION

Two informative blog posts:

  • https://firewalld.org/2020/09/policy-objects-introduction
  • https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic

Our use-case is similar to the latter blog post (traffic between virtual machines and Wireguard tunnels).

- name: create foo policy
  firewalld: policy=foo permanent=yes state=present
  register: result

- name: reload firewalld
  service: name=firewalld state=reloaded
  when: result.changed

- name: set ingress zone for the foo policy
  firewalld: policy=foo ingress_zone=public permanent=yes immediate=yes state=enabled

- name: set egress zone for the foo policy
  firewalld: policy=foo egress_zone=public permanent=yes immediate=yes state=enabled

klausenbusk Oct 27 '21 08:10
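As an added example (not code from ansible.posix or from the issue author), the following Python helper maps the module parameters proposed above (policy, ingress_zone, egress_zone, permanent, immediate, state) onto firewall-cmd invocations. It assumes the firewall-cmd policy switches documented by firewalld 0.9+ (--new-policy, --delete-policy, --policy with --add/--remove-ingress-zone and --add/--remove-egress-zone) and encodes the constraint that policies can only be created or deleted in the permanent configuration, which is why the tasks above need a reload between creation and zone assignment.

```python
"""Translate the proposed firewalld policy parameters into firewall-cmd calls.

Assumption: the proposed options (policy, ingress_zone, egress_zone,
state=present/absent/enabled/disabled) follow the existing zone options.
Caveat: a policy object exists only in the permanent configuration until
firewalld is reloaded; zone attachments can be changed in both configurations.
"""
import shlex
from typing import List, Optional

Cmd = List[str]


def policy_commands(policy: str, state: str, ingress_zone: Optional[str] = None,
                    egress_zone: Optional[str] = None, permanent: bool = True,
                    immediate: bool = False) -> List[Cmd]:
    """Return the argument vectors one task would run, permanent scope first."""
    if state in ("present", "absent"):
        if not permanent:
            raise ValueError("policies live in permanent config only; set permanent=yes")
        flag = "--new-policy" if state == "present" else "--delete-policy"
        cmds = [["firewall-cmd", "--permanent", f"{flag}={policy}"]]
        if immediate:
            # There is no runtime equivalent of --new-policy; only a reload applies
            # it now. Note that --reload also drops runtime-only rules.
            cmds.append(["firewall-cmd", "--reload"])
        return cmds
    if state not in ("enabled", "disabled"):
        raise ValueError(f"unknown state {state!r}")
    verb = "--add" if state == "enabled" else "--remove"
    scopes: List[Cmd] = []
    if permanent:
        scopes.append(["--permanent"])
    if immediate or not permanent:
        scopes.append([])  # runtime configuration, applied without a reload
    cmds = []
    for scope in scopes:
        for opt, zone in (("ingress-zone", ingress_zone), ("egress-zone", egress_zone)):
            if zone:
                cmds.append(["firewall-cmd", *scope, f"--policy={policy}", f"{verb}-{opt}={zone}"])
    return cmds


def render(cmds: List[Cmd]) -> str:
    """Shell-quoted rendering, one command per line, for a dry run or check mode."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    # Constructed sample input: the three tasks from the issue body.
    for t in (dict(policy="foo", state="present", immediate=True),
              dict(policy="foo", state="enabled", ingress_zone="public", immediate=True),
              dict(policy="foo", state="enabled", egress_zone="public", immediate=True)):
        print(render(policy_commands(**t)))
```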

Hi @klausenbusk Thank you for reporting this feature request!

saito-hideki Nov 01 '21 08:11

I don't have the development skills for this feature, but would be very happy to contribute to the documentation. If anybody wants to collaborate on this, please let me know!

benblasco Jan 24 '22 00:01

Hi @vrindle, almost a year ago you announced in https://github.com/ansible-collections/ansible.posix/issues/249#issuecomment-899577467 replacing the Ansible Posix Firewalld module with the current module in the Firewalld system role. Is this going to happen? I'm looking forward to implementing a fix for this issue, but I would not want to code stuff that is going out the window soon.

Both the current module in the Firewalld system role and the Ansible Posix Firewalld module are missing support for policy objects at the moment.

ziegenberg Aug 03 '22 20:08

There are also a couple of open PRs (#160, #249, #320) regarding the firewall module. Are they going to be merged soon?

ziegenberg Aug 03 '22 20:08