ansible.posix
firewalld: Support policy objects
SUMMARY
Firewalld supports "Policy Objects" since v0.9.0:
With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones. A subset of that functionality was available by using the direct interface and writing your own iptables rules, but it wasn't a great user experience.
What is needed is a way to apply a policy for traffic flowing between zones. Then the user can attach firewalld's primitives: services, ports, rich rules, etc. to the policy. The end result is something that provides a very similar user interface to zones, but is much more powerful.
Source: https://firewalld.org/2020/09/policy-objects-introduction
ISSUE TYPE
- Feature Idea
COMPONENT NAME
firewalld
ADDITIONAL INFORMATION
Two informative blog posts:
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic
Our use-case is similar to the latter blog post (traffic between virtual machines and Wireguard tunnels).
- name: create foo policy
  firewalld: policy=foo permanent=yes state=present
  register: result
- name: reload firewalld
  service: name=firewalld state=reloaded
  when: result.changed
- name: set ingress zone for the foo policy
  firewalld: policy=foo ingress_zone=public permanent=yes immediate=yes state=enabled
- name: set egress zone for the foo policy
  firewalld: policy=foo egress_zone=public permanent=yes immediate=yes state=enabled
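As an added sketch (not code from the issue, the ansible.posix module or the firewalld project) of how the proposed policy, ingress_zone and egress_zone parameters could be applied idempotently: it drives the firewall-cmd policy options (--new-policy, --info-policy, --add-/--query-ingress-zone, --add-/--query-egress-zone) through an injectable runner, so the constructed FakeFirewall at the bottom exercises the logic without a running firewalld. The parameter names follow the proposed playbook and are assumptions.

```python
import subprocess
from typing import Callable, List, Optional

Runner = Callable[[List[str]], bool]  # runs firewall-cmd ARGS, True when exit status is 0

def run_firewall_cmd(args: List[str]) -> bool:
    return subprocess.run(["firewall-cmd", *args], capture_output=True).returncode == 0

def ensure_policy(name: str, ingress_zone: Optional[str] = None, egress_zone: Optional[str] = None,
                  permanent: bool = True, immediate: bool = False, run: Runner = run_firewall_cmd) -> bool:
    """Create the policy and bind zones only where missing; return True if anything changed.
    Policies are created in the permanent configuration only, so an immediate (runtime)
    binding needs a reload first, which is why the issue's playbook reloads before binding."""
    changed = False
    if permanent and not run(["--permanent", "--info-policy", name]):
        run(["--permanent", "--new-policy", name])
        changed = True
    scopes = ([["--permanent"]] if permanent else []) + ([[]] if immediate else [])
    for scope in scopes:
        for direction, zone in (("ingress", ingress_zone), ("egress", egress_zone)):
            if zone is None:
                continue
            base = [*scope, "--policy", name]
            if not run([*base, f"--query-{direction}-zone", zone]):  # exit 0: already bound
                if not run([*base, f"--add-{direction}-zone", zone]):
                    raise RuntimeError(f"cannot bind {direction} zone {zone} to policy {name}")
                changed = True
    return changed

class FakeFirewall:
    """Constructed stand-in for firewall-cmd so the logic above runs without firewalld."""
    def __init__(self):
        self.state = {"permanent": {}, "runtime": {}}
    def reload(self):  # runtime configuration becomes a copy of the permanent one
        self.state["runtime"] = {n: {d: set(z) for d, z in p.items()}
                                 for n, p in self.state["permanent"].items()}
    def __call__(self, args: List[str]) -> bool:
        cfg = self.state["permanent" if "--permanent" in args else "runtime"]
        a = [x for x in args if x != "--permanent"]
        if a[0] in ("--info-policy", "--new-policy"):
            if a[0] == "--new-policy":
                cfg[a[1]] = {"ingress": set(), "egress": set()}
            return a[1] in cfg
        _, name, op, zone = a  # ["--policy", name, "--<verb>-<direction>-zone", zone]
        if name not in cfg:
            return False
        verb, direction = op.strip("-").split("-")[:2]
        if verb == "add":
            cfg[name][direction].add(zone)
        return zone in cfg[name][direction]
```

Binding a zone with immediate=yes before the policy has reached the runtime configuration fails, which is the case the reload task in the playbook above guards against.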
Hi @klausenbusk, thank you for reporting this feature request!
I don't have the development skills for this feature, but would be very happy to contribute to the documentation. If anybody wants to collaborate on this, please let me know!
Hi @vrindle, almost a year ago you announced in https://github.com/ansible-collections/ansible.posix/issues/249#issuecomment-899577467 replacing the Ansible Posix Firewalld module with the current module in the Firewalld system role. Is this going to happen? I'm looking forward to implementing a fix for this issue, but I would not want to code stuff that is going out the window soon.
Both the current module in the Firewalld system role and the Ansible Posix Firewalld module are missing support for policy objects at the moment.
There are also a couple of open PRs (#160, #249, #320) regarding the firewall module. Are they going to be merged soon?