Ansible Module - Firewall rules

- hosts: web1
  tasks:
    # firewalld must be installed before the firewalld module can be used
    - yum:
        name: firewalld
        state: present

    # start it now and enable it at boot, otherwise the rules below are
    # not enforced after a reboot
    - service:
        name: firewalld
        state: started
        enabled: yes
---
- hosts: web1
  tasks:
    # bind source 172.1.1.1 to the internal zone; permanent writes it to
    # /etc/firewalld, immediate also applies it to the running firewall
    - firewalld:
        source: 172.1.1.1
        zone: internal
        state: enabled
        permanent: yes
        immediate: yes
  • Block port 161/udp on the web1 node permanently. Write a playbook.
    • Use zone: block

Caveat before copying this: firewalld's block zone already rejects all incoming traffic for the sources and interfaces assigned to it, and adding a port to a zone opens that port within the zone. The task below therefore satisfies the check as stated (161/udp appears in the block zone's port list), but it does not stop SNMP traffic that arrives on an interface assigned to another zone such as public. To actually reject 161/udp, add a rich rule with a reject action to the zone the traffic lands in, for example rule family="ipv4" port port="161" protocol="udp" reject.

- hosts: web1
  tasks:
    - firewalld:
        port: 161/udp
        zone: block
        permanent: yes
        immediate: yes
        state: enabled

To verify, SSH to the web1 server and run the following command. Without --permanent it lists only the runtime configuration; run it again with --permanent to confirm the rule was also written to the permanent zone configuration and will survive a reload or reboot:

firewall-cmd --list-ports --zone=block

On the web1 node, add a firewall rule in the internal zone to allow HTTPS connections from the Ansible controller machine, and make sure the rule persists after a system reboot.

Two points about this one. The firewalld module operates on only one of source, service, port, rich_rule, interface or masquerade per task and fails with "can only operate on ... at once" if they are combined, so the source binding and the service rule have to be separate tasks. The source binding is not optional either: firewalld assigns an incoming packet to a zone by its source binding first and by its interface second, so an https service enabled in the internal zone only applies to the controller's traffic if 172.1.1.2 is bound to the internal zone; otherwise its packets land in the zone of the interface (usually public) and never reach this rule. Using permanent: yes together with immediate: yes writes the rule to /etc/firewalld and applies it to the running configuration, so no separate firewalld reload is needed.

- hosts: web1
  tasks:
    - name: Assign the Ansible controller to the internal zone
      firewalld:
        source: 172.1.1.2        # Ansible controller machine
        zone: internal
        state: enabled
        permanent: yes
        immediate: yes

    - name: Enable HTTPS in the internal zone
      firewalld:
        service: https
        zone: internal
        state: enabled
        permanent: yes
        immediate: yes

You have a playbook ~/playbooks/web2-config.yml that already contains some code to change Apache's default port 80 to port 8082, because Apache should run on port 8082 on the web2 node. Make the changes below before running the playbook.

A. Add an entry in ~/playbooks/inventory for the web2 node. Its IP address is 172.1.1.3, and the SSH username and password are the same as for web1 (username = root, password = Passw0rd).

B. Update web2-config.yml to install httpd before updating the port in its config, and start/enable the httpd service.

C. Install the firewalld package and start/enable its service.

D. Since Apache will now listen on port 8082, edit the playbook to add a firewall rule in the public zone so that incoming traffic to Apache on 8082/tcp is allowed. On a host with SELinux enforcing, httpd may only bind ports labelled http_port_t, and 8082 is not in that set by default, so the port also needs an SELinux port label before httpd can be restarted on it.
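Step A is not covered by the answer playbook below, so here is an added example (not from the original page) of the inventory entry in Ansible's YAML inventory format. It assumes the existing inventory file is YAML (the page does not show its format; in INI form the same entry is a single line) and that web1 is already defined in it.

```yaml
# ~/playbooks/inventory, YAML inventory format (added example; assumes the
# existing file is YAML and already defines web1).
all:
  hosts:
    web2:
      ansible_host: 172.1.1.3
      ansible_user: root
      # Password authentication needs sshpass on the controller. A plain-text
      # password in the inventory is acceptable for a lab only; in real use
      # keep it in an ansible-vault encrypted host_vars/web2.yml or use SSH keys.
      ansible_ssh_pass: Passw0rd
```

Run ansible-inventory -i ~/playbooks/inventory --host web2 to confirm the entry parses and the variables resolve before running the playbook.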

---
- hosts: web2
  tasks:
    - name: Install pkgs
      yum:
        name:
          - httpd
          - firewalld
        state: present

    - name: Start/Enable services
      service:
        name: "{{ item }}"
        state: started
        enabled: yes
      loop:
        - httpd
        - firewalld

    # Anchor the pattern: an unanchored "Listen 80" also matches the
    # "Listen 8082" written on the first run, so a second run would turn
    # it into "Listen 80822". The replace module matches line by line.
    - name: Change Apache port
      replace:
        path: /etc/httpd/conf/httpd.conf
        regexp: '^Listen 80$'
        replace: 'Listen 8082'
      notify: restart Apache

    # With SELinux enforcing, httpd can only bind ports labelled http_port_t
    # and 8082 is not one by default. seport needs the libsemanage Python
    # bindings on the target (policycoreutils-python / python3-policycoreutils).
    - name: Allow httpd to bind 8082 under SELinux
      seport:
        ports: 8082
        proto: tcp
        setype: http_port_t
        state: present

    - name: Add firewall rule for Apache
      firewalld:
        port: 8082/tcp
        zone: public
        permanent: yes
        immediate: yes
        state: enabled

  # a handler restarts httpd only when the config actually changed, which
  # keeps repeated runs from bouncing the service needlessly
  handlers:
    - name: restart Apache
      service:
        name: httpd
        state: restarted