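---
# Tasks that manage firewalld zones and their members: interfaces, services,
# ports, rich rules, sources, forward-ports, intra-zone forwarding and
# masquerading.
#
# Inputs expected from the caller:
#   firewall_action: "add" or "remove". It is spliced into firewall-cmd flags
#     (--<action>-interface, --<action>-service, ...), so nothing else is valid.
#   firewall_rules: list of zone definitions. Each item carries `name` and,
#     optionally, `interfaces`, `services`, `ports`, `rules`, `sources`,
#     `forwards`, `forward` and `masquerade`.
#
# All changes are made with --permanent only; the `reload-firewalld` handler
# notified by the block is what makes them live. The command tasks set
# `changed_when: true`, so the handler fires whenever any of them runs.
- name: Create Zones, then apply interfaces and rules
  tags: firewalld
  block:

    # firewall_action ends up inside command-line flags; any value other than
    # add/remove renders an unknown firewall-cmd option. Fail early with a
    # clear message. Guarded like the other tasks so a run without rules stays
    # a no-op.
    - name: Validate firewall_action
      ansible.builtin.assert:
        that:
          - firewall_action is defined
          - firewall_action in ['add', 'remove']
        fail_msg: "firewall_action must be 'add' or 'remove'"
      when: firewall_rules is defined and firewall_rules | length > 0

    # The shell is used only for the `|| echo` fallback, which makes the task
    # exit 0 even when the zone already exists (so ignore_errors is
    # effectively redundant) and always report changed. item.name is placed
    # inside a shell command line: the double quotes do not neutralise a `"`
    # or `$(...)` in a zone name, so zone names must come from trusted vars.
    # The firewalld module (state: present, permanent: true) can create zones
    # without a shell at all.
    - name: New zones
      ansible.builtin.shell: firewall-cmd -q --permanent --new-zone="{{ item.name }}" || echo "zone already exists"
      changed_when: true
      ignore_errors: true
      # `loop` is templated before `when` is evaluated, so an undefined
      # firewall_rules would abort the task despite the guard below; default
      # to an empty list so the task simply skips. Same on every loop below.
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_action == "add"
        - firewall_rules is defined and firewall_rules | length > 0

    # Each task below renders one firewall-cmd call per zone with one flag per
    # member, e.g. --add-interface=eth0 --add-interface=eth1. They use
    # `command`, not `shell`: the rendered line is split with shlex and no
    # shell interprets it.
    - name: "{{ firewall_action }} interfaces"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for interface in item.interfaces %} --{{ firewall_action }}-interface={{ interface }}{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.interfaces is defined and item.interfaces | length > 0

    - name: "{{ firewall_action }} services"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for service in item.services %} --{{ firewall_action }}-service={{ service }}{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.services is defined and item.services | length > 0

    # Ports are passed as firewalld writes them, e.g. 8080/tcp.
    - name: "{{ firewall_action }} ports"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for port in item.ports %} --{{ firewall_action }}-port={{ port }}{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.ports is defined and item.ports | length > 0

    # Rich rules contain spaces, so each one is wrapped in single quotes that
    # shlex consumes, keeping the rule as one argument. A rule that itself
    # contains a single quote would break that split.
    - name: "{{ firewall_action }} rich rules"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for rule in item.rules %} --{{ firewall_action }}-rich-rule='{{ rule }}'{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.rules is defined and item.rules | length > 0

    - name: "{{ firewall_action }} sources"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for source in item.sources %} --{{ firewall_action }}-source={{ source }}{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.sources is defined and item.sources | length > 0

    # Each forward entry needs `port` and `to`; `proto` defaults to tcp and
    # `toaddr` to an empty string, which renders `toaddr=`.
    # NOTE(review): confirm firewall-cmd accepts an empty toaddr; otherwise
    # the field should be omitted when unset.
    - name: "{{ firewall_action }} forwards"
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }}{% for forward in item.forwards %} --{{ firewall_action }}-forward-port=port={{ forward.port }}:proto={{ forward.proto | d('tcp') }}:toport={{ forward.to }}:toaddr={{ forward.toaddr | d('') }}{% endfor %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined
        - item.forwards is defined and item.forwards | length > 0

    # Intra-zone forwarding, toggled per zone. --zone is required: without it
    # firewall-cmd acts on the default zone instead of item.name.
    - name: Set forwarding
      ansible.builtin.command: firewall-cmd --permanent --zone={{ item.name }} {% if item.forward %}--add-forward{% else %}--remove-forward{% endif %}
      changed_when: true
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined and firewall_rules | length > 0
        - item.forward is defined

    # Masquerading (NAT) per zone. `state` is derived from the item's value:
    # in the firewalld module it is `state`, not the masquerade value, that
    # decides whether masquerading is switched on or off, so a fixed
    # `state: enabled` would turn it on even for `masquerade: false`.
    # NOTE(review): confirm against the installed module version.
    - name: Set masquerading
      ansible.builtin.firewalld:
        zone: "{{ item.name }}"
        # The d('false') fallback is unreachable: the `when` below already
        # requires item.masquerade to be defined.
        masquerade: "{{ item.masquerade | d('false') }}"
        permanent: true
        state: "{{ 'enabled' if item.masquerade | bool else 'disabled' }}"
      loop: "{{ firewall_rules | default([]) }}"
      when:
        - firewall_rules is defined and firewall_rules | length > 0
        - item.masquerade is defined

  notify: reload-firewalld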