
Optimization for the firewall configuration of the Zabbix agent

Open ronnybremer opened this issue 5 years ago • 4 comments

SUMMARY

Our environment is dual-stacked with both IPv4 and IPv6 configured on all our servers including the Zabbix proxies. When using the Zabbix agent role it will automatically add the Zabbix server as the source for the firewalld configuration, which is great, however, I can only add a v4 or v6 address there.

ISSUE TYPE

Duplicate the firewalld rules in the Linux.xaml file and allow for separate v4 and v6 sources, like:

zabbix_agent_firewalld_source_v4: {{ zabbix_agent_firewalld_source }}
zabbix_agent_firewalld_source_v6:

Furthermore, would it be possible to convert the rich rule into a native rule?

COMPONENT NAME

Zabbix-agent role

ADDITIONAL INFORMATION

It would simplify administration in dual-stack environments or when the zabbix proxy is configured via DNS and not via IP, so the firewalld source can be set separately.

- name: "Configure firewalld (zabbix_agent_listenport) IPv4"
  firewalld:
    rich_rule: 'rule family="ipv4" source address="{{ zabbix_agent_firewalld_source_v4 }}" port protocol="tcp" port="{{ zabbix_agent_listenport }}" accept'
    zone: "{{ zabbix_agent_firewalld_zone }}"
    permanent: true
    state: enabled
  become: yes
  when: zabbix_agent_firewalld_enable | bool
  notify:
    - firewalld-reload
  tags: zabbix_agent_firewalld_enable

- name: "Configure firewalld (zabbix_agent_listenport) IPv6"
  firewalld:
    rich_rule: 'rule family="ipv6" source address="{{ zabbix_agent_firewalld_source_v6 }}" port protocol="tcp" port="{{ zabbix_agent_listenport }}" accept'
    zone: "{{ zabbix_agent_firewalld_zone }}"
    permanent: true
    state: enabled
  become: yes
  when: zabbix_agent_firewalld_enable | bool
  notify:
    - firewalld-reload
  tags: zabbix_agent_firewalld_enable

Or possible native Ansible firewalld config which would allow to specify the source as an array and just loop over it:

- name: "Configure firewalld (zabbix_agent_listenport)"
  firewalld:
    immediate: true
    port: "{{ zabbix_agent_listenport }}/tcp"
    source: "{{ item }}"
    zone: "{{ zabbix_agent_firewalld_zone }}"
    permanent: true
    state: enabled
  # The Jinja expression must be quoted: an unquoted "{{" is parsed by YAML as a flow mapping
  loop: "{{ zabbix_agent_firewalld_source }}"
  become: yes
  when: zabbix_agent_firewalld_enable | bool
  notify:
    - firewalld-reload
  tags: zabbix_agent_firewalld_enable

ronnybremer avatar Dec 01 '20 20:12 ronnybremer

Hi @ronnybremer

Sorry for the late answer, but are you able to create a PR for this? Or would you like me to make an attempt and ask you to verify/test it? Please let me know.

Kind regards, Werner

dj-wasabi avatar Dec 20 '20 17:12 dj-wasabi

Hi Werner,

I can do that over the holidays. Need a moment for it.

ronnybremer avatar Dec 21 '20 11:12 ronnybremer

> Hi Werner,
>
> I can do that over the holidays. Need a moment for it.

No worries, take your time! Thank you! 👍

dj-wasabi avatar Dec 21 '20 12:12 dj-wasabi

Hi @ronnybremer Still working on it? 😄

dj-wasabi avatar Dec 10 '21 18:12 dj-wasabi

After discussing, the configuration of the firewall is outside the scope of the purpose of the Zabbix collection and support is being removed in 2.0. I would suggest making the change as a task at the playbook level, or using one of the other available roles to manage the firewall such as https://github.com/geerlingguy/ansible-role-firewall

pyrodie18 avatar Apr 10 '23 12:04 pyrodie18
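The dual-stack rich rules proposed in the issue, written as the playbook-level tasks the last comment recommends. This is an added example, not code from the collection or from the issue's author; it assumes the community.general and ansible.utils collections (with netaddr on the controller), and the host group, variable names and sample addresses are constructed for the example.

```yaml
# Added example: one firewalld rich rule per source, with the rule family
# derived from the address itself, so IPv4 and IPv6 sources can share one list.
- name: Allow Zabbix server/proxy sources to reach the agent (dual-stack)
  hosts: zabbix_agents            # assumed inventory group
  become: true
  vars:
    zabbix_agent_listenport: 10050
    zabbix_agent_firewalld_zone: public
    # Constructed sample sources: one IPv4 host, one IPv6 /64 network
    zabbix_agent_firewalld_sources:
      - 192.0.2.10
      - 2001:db8:1::/64
  tasks:
    # firewalld sources must be literal addresses or networks; a DNS name
    # (the case mentioned in the issue) is filtered out by ipaddr, so the
    # list lengths differ and the play stops before writing a broken rule.
    - name: Refuse hostnames in the source list
      ansible.builtin.assert:
        that:
          - zabbix_agent_firewalld_sources | ansible.utils.ipaddr | length
            == zabbix_agent_firewalld_sources | length
        fail_msg: "Every entry in zabbix_agent_firewalld_sources must be an IP address or CIDR, not a DNS name"

    # family="ipv4" / family="ipv6" is chosen per item via ipaddr('version'),
    # which returns 4 or 6; a mismatched family would make firewalld reject the rule.
    - name: Configure firewalld rich rule per source
      community.general.firewalld:
        rich_rule: >-
          rule family="ipv{{ item | ansible.utils.ipaddr('version') }}"
          source address="{{ item }}"
          port protocol="tcp" port="{{ zabbix_agent_listenport }}"
          accept
        zone: "{{ zabbix_agent_firewalld_zone }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ zabbix_agent_firewalld_sources }}"
```

With both `permanent: true` and `immediate: true` the rule is applied to the running configuration and persisted in one step, so no separate reload handler is needed.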