Ansible Playbook for firewalld
Hey there, fellow SRE geeks! Today we’re going to take a deep dive into an Ansible playbook for firewalld. By the end of this post, you’ll be well-equipped to configure firewalls for webservers, MySQL, and Redis with confidence, even if you’re a newbie. So, sit back, relax, and let’s start mastering the “Ansible Playbook for Firewalld” together!
To get started with Ansible, I recommend checking out their official documentation here: Ansible Docs
And for a helpful video tutorial on Ansible, take a look at this YouTube video: Ansible Crash Course
The Playbook: Configure firewall for webserver, MySQL, and Redis
Define the Play
The play starts with the basic information and variables used throughout the playbook. The host pattern webserver:mysql:redis targets the union of those three inventory groups, become: yes escalates privileges (firewalld changes need root), and the vars block defines the service ports and the Ansible control node network. Note that http_port and https_port are declared but never referenced: the HTTP/HTTPS task below uses firewalld's named http and https services instead, so the two variables can be dropped.
- name: Configure firewall for webserver, MySQL, and Redis
  hosts: webserver:mysql:redis
  become: yes
  vars:
    http_port: 80
    https_port: 443
    mysql_port: 3306
    redis_port: 6379
    ansible_control_node_network: "172.29.69.0/24"
Task 1: Install firewalld
The first task installs the firewalld package with the ansible.builtin.package module, which picks the right package manager for the target distribution. Setting state to present ensures the package is installed without forcing an upgrade on every run.
- name: Install firewalld
  ansible.builtin.package:
    name: firewalld
    state: present
Task 2: Start and enable firewalld
Next, we start and enable the firewalld service with the ansible.builtin.systemd module. Setting state to started and enabled to yes ensures the service is running now and will start on boot, so the rules below are enforced after a reboot rather than leaving the host open.
- name: Start and enable firewalld
  ansible.builtin.systemd:
    name: firewalld
    state: started
    enabled: yes
Task 3: Allow traffic from Ansible control node network
Now we bind the Ansible control node network to the public zone with the ansible.posix.firewalld module. This module lives in the ansible.posix collection, so install it with ansible-galaxy collection install ansible.posix if it is not already present. We set zone to public, state to enabled, immediate to yes (apply to the running firewall now), and permanent to yes (write it to the saved configuration so it survives a reload).
Be precise about what this task does: adding a source to a zone only decides which zone's rules handle packets from that network. It does not open any port by itself. Ansible keeps working because the public zone allows the ssh service by default. If the control node should be treated differently from everyone else, give it a dedicated zone that allows only ssh instead of binding it to public.
- name: Allow traffic from Ansible control node network
  ansible.posix.firewalld:
    source: "{{ ansible_control_node_network }}"
    zone: public
    state: enabled
    immediate: yes
    permanent: yes
Task 4: Allow incoming HTTP and HTTPS traffic
To allow incoming HTTP and HTTPS traffic, we use the ansible.posix.firewalld module again, this time with a loop over the predefined http and https firewalld services (80/tcp and 443/tcp). The when condition limits this task to hosts in the webserver inventory group; on the MySQL and Redis hosts it is skipped, so no web ports are opened there.
- name: Allow incoming HTTP and HTTPS traffic
  ansible.posix.firewalld:
    service: "{{ item }}"
    zone: public
    state: enabled
    immediate: yes
    permanent: yes
  loop:
    - http
    - https
  when: "'webserver' in group_names"
Task 5: Allow incoming MySQL traffic
To allow incoming MySQL traffic, we use the ansible.posix.firewalld module once more, passing the mysql_port variable with the TCP protocol as port: 3306/tcp. The when condition applies this task only to hosts in the mysql group. Be aware that this opens 3306/tcp in the public zone for every source the zone handles; on an internet-facing interface that means anyone, so restrict the source to the application servers (a rich rule or a separate zone) rather than relying on MySQL's own authentication alone.
- name: Allow incoming MySQL traffic
  ansible.posix.firewalld:
    port: "{{ mysql_port }}/tcp"
    zone: public
    state: enabled
    immediate: yes
    permanent: yes
  when: "'mysql' in group_names"
Task 6: Allow incoming Redis traffic
Finally, to allow incoming Redis traffic, we use the ansible.posix.firewalld module again, passing the redis_port variable with the TCP protocol as port: 6379/tcp, and the when condition applies it only to hosts in the redis group. The same caveat applies with more force here: Redis has no authentication enabled by default, so 6379/tcp opened to the whole public zone exposes the data store to anything that can reach the interface. Limit the source to the hosts that actually talk to Redis.
- name: Allow incoming Redis traffic
  ansible.posix.firewalld:
    port: "{{ redis_port }}/tcp"
    zone: public
    state: enabled
    immediate: yes
    permanent: yes
  when: "'redis' in group_names"
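Here is a tightened version of the six tasks above, written as an added example rather than the original post's playbook. It keeps the same hosts and port variables but makes two changes: the control node network gets its own zone (named mgmt here, an assumption) that allows only the ssh service, and MySQL/Redis are accepted only from an application subnet via firewalld rich rules. The app_network value 10.0.1.0/24 is a placeholder for wherever your webservers live.

```yaml
---
# Added example, not the original post's playbook. Assumptions: the zone name
# "mgmt", app_network (the subnet the webservers connect from), and the ssh
# service being the only thing the control node needs.
- name: Configure firewall with source-restricted database access
  hosts: webserver:mysql:redis
  become: yes
  vars:
    mysql_port: 3306
    redis_port: 6379
    ansible_control_node_network: "172.29.69.0/24"
    app_network: "10.0.1.0/24"   # assumed: where the webservers live
  tasks:
    - name: Install firewalld
      ansible.builtin.package:
        name: firewalld
        state: present

    - name: Start and enable firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: started
        enabled: yes

    # Zone creation is permanent-only in ansible.posix.firewalld, so the
    # running firewall needs a reload before the zone can be used.
    - name: Create a management zone for the Ansible control node
      ansible.posix.firewalld:
        zone: mgmt
        state: present
        permanent: yes
      register: mgmt_zone

    - name: Reload firewalld so the new zone exists at runtime
      ansible.builtin.command: firewall-cmd --reload
      when: mgmt_zone.changed

    - name: Bind the control node network to the management zone
      ansible.posix.firewalld:
        zone: mgmt
        source: "{{ ansible_control_node_network }}"
        state: enabled
        immediate: yes
        permanent: yes

    - name: Allow only SSH in the management zone
      ansible.posix.firewalld:
        zone: mgmt
        service: ssh
        state: enabled
        immediate: yes
        permanent: yes

    - name: Allow incoming HTTP and HTTPS traffic on webservers
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        state: enabled
        immediate: yes
        permanent: yes
      loop:
        - http
        - https
      when: "'webserver' in group_names"

    # Rich rules accept the database ports only from app_network; nothing is
    # opened in the public zone for any other source.
    - name: Allow MySQL only from the application network
      ansible.posix.firewalld:
        zone: public
        rich_rule: 'rule family="ipv4" source address="{{ app_network }}" port port="{{ mysql_port }}" protocol="tcp" accept'
        state: enabled
        immediate: yes
        permanent: yes
      when: "'mysql' in group_names"

    - name: Allow Redis only from the application network
      ansible.posix.firewalld:
        zone: public
        rich_rule: 'rule family="ipv4" source address="{{ app_network }}" port port="{{ redis_port }}" protocol="tcp" accept'
        state: enabled
        immediate: yes
        permanent: yes
      when: "'redis' in group_names"

    # Remove the unrestricted port rules if the original playbook already ran.
    - name: Ensure MySQL and Redis ports are not open to every public-zone source
      ansible.posix.firewalld:
        port: "{{ item.port }}/tcp"
        zone: public
        state: disabled
        immediate: yes
        permanent: yes
      loop:
        - { port: "{{ mysql_port }}", group: mysql }
        - { port: "{{ redis_port }}", group: redis }
      when: item.group in group_names
```

After a run, firewall-cmd --list-all --zone=public on a database host should show the rich rule but no bare 3306/tcp or 6379/tcp entry, and firewall-cmd --get-active-zones should list mgmt with the control node network as its source. Because the last task removes the old port entries, this playbook is safe to run on hosts that were configured with the original one.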
And there you have it, a walk through each task of an Ansible playbook for firewalld and the code behind it. With it you can install and enable firewalld and open HTTP/HTTPS, MySQL, and Redis on the right inventory groups. Keep in mind that the MySQL and Redis tasks as written accept connections from every source handled by the public zone, so before using this on anything reachable from untrusted networks, limit those two ports to the hosts that need them.
For more information on Ansible, firewalld, and related topics, visit the following resources:
- Ansible Documentation: https://docs.ansible.com/
- firewalld Documentation: https://firewalld.org/documentation/
- YouTube Video – Ansible Crash Course: https://www.youtube.com/watch?v=gIdYB2Nr-ms
FULL PLAYBOOK
---
- name: Configure firewall for webserver, MySQL, and Redis
  hosts: webserver:mysql:redis
  become: yes
  vars:
    http_port: 80
    https_port: 443
    mysql_port: 3306
    redis_port: 6379
    ansible_control_node_network: "172.29.69.0/24"
  tasks:
    - name: Install firewalld
      ansible.builtin.package:
        name: firewalld
        state: present
    - name: Start and enable firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: started
        enabled: yes
    - name: Allow traffic from Ansible control node network
      ansible.posix.firewalld:
        source: "{{ ansible_control_node_network }}"
        zone: public
        state: enabled
        immediate: yes
        permanent: yes
    - name: Allow incoming HTTP and HTTPS traffic
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        state: enabled
        immediate: yes
        permanent: yes
      loop:
        - http
        - https
      when: "'webserver' in group_names"
    - name: Allow incoming MySQL traffic
      ansible.posix.firewalld:
        port: "{{ mysql_port }}/tcp"
        zone: public
        state: enabled
        immediate: yes
        permanent: yes
      when: "'mysql' in group_names"
    - name: Allow incoming Redis traffic
      ansible.posix.firewalld:
        port: "{{ redis_port }}/tcp"
        zone: public
        state: enabled
        immediate: yes
        permanent: yes
      when: "'redis' in group_names"