Ansible firewalld Module: Open Firewall Ports on RHEL/CentOS (Examples)
By Luca Berton · Published 2024-01-01 · Category: installation
How to manage firewall ports on RHEL, CentOS, and Fedora using Ansible firewalld module. Open ports, add services, manage zones, and make rules permanent.

How do you open firewall ports in RedHat-like systems with Ansible?
I'm going to show you a live Playbook and some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.
See also: Ansible on AlmaLinux 9.5: firewalld Hardening Complete Guide
Ansible open firewall ports in RedHat-like systems
Today we're talking about the Ansible module firewalld.
The full name is ansible.posix.firewalld, which means that it is part of the collection targeting POSIX platforms. This module requires Ansible 2.9+.
It works in RedHat-like systems with firewalld >= 0.2.11 and python firewalld bindings.
It manages arbitrary ports/services with firewalld.
Parameters
• state _string_ - enabled / present / absent / disabled
• service _string_ - a service name from firewall-cmd --get-services
• port _string_ - PORT/PROTOCOL or PORT-PORT/PROTOCOL
• permanent _boolean_ - no/yes
• immediate _boolean_ - no/yes
The parameter list is pretty wide, but these are the most important options for our use case of opening firewall ports. The "state" parameter is mandatory and specifies whether to enable or disable a setting. The option "enabled" accepts and "disabled" rejects connections for ports. The options "present" and "absent" are for zone-level operations. The "service" parameter specifies the name of a service to add to or remove from firewalld. For the full list please use "firewall-cmd --get-services". The "port" parameter specifies a port or port range to add to or remove from firewalld. The format is PORT/PROTOCOL, so for example 80/tcp for HTTP connections. You can also specify a range with PORT-PORT/PROTOCOL. The "permanent" parameter defines whether the configuration should persist across reboots. Note that if "permanent" is no, "immediate" is assumed yes. The "immediate" parameter applies the change to the running configuration of the system right away.
## Playbook
Let's jump into a real-life Playbook about how to open firewall ports in RedHat-like systems with an Ansible Playbook.
• verify-firewall.sh
```bash
# firewall-cmd --state
# systemctl status firewalld
# firewall-cmd --list-all
# firewall-cmd --list-services
# dnf info nginx
```
• firewalld.yml
```yaml
---
- name: firewalld module Playbook
  hosts: all
  become: true
  tasks:
    - name: nginx installed
      ansible.builtin.yum:
        name: nginx
        state: present
    - name: firewalld rules
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: enabled
        permanent: true   # survives reboot
        immediate: true   # applied to the running firewall now
      with_items:
        - http
        - https
```
See also: Ansible on Fedora 43: Firewalld Zone Configuration Complete Guide
Conclusion
Now you know how to open firewall ports in RedHat-like systems with Ansible.
Open Ports
Open a single port
```yaml
- name: Open HTTP port
  ansible.posix.firewalld:
    port: 80/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```
Open multiple ports
```yaml
- name: Open application ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 80/tcp
    - 443/tcp
    - 8080/tcp
    - 3306/tcp
  become: true
```
Open port range
```yaml
- name: Open port range
  ansible.posix.firewalld:
    port: 8000-8100/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```
See also: Ansible on Fedora 44: Firewalld Zone Configuration Complete Guide
Add Services
```yaml
- name: Allow common services
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
    - ssh
    - postgresql
  become: true
```
Manage Zones
```yaml
- name: Add interface to zone
  ansible.posix.firewalld:
    zone: internal
    interface: eth1
    permanent: true
    immediate: true
    state: enabled
  become: true

- name: Open port in specific zone
  ansible.posix.firewalld:
    zone: internal
    port: 5432/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```
Rich Rules
```yaml
- name: Allow SSH from specific subnet
  ansible.posix.firewalld:
    rich_rule: 'rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
    permanent: true
    immediate: true
    state: enabled
  become: true

- name: Rate limit connections
  ansible.posix.firewalld:
    rich_rule: 'rule service name="http" limit value="25/m" accept'
    permanent: true
    immediate: true
    state: enabled
  become: true
```
Close / Remove Rules
```yaml
- name: Close unused port
  ansible.posix.firewalld:
    port: 8080/tcp
    permanent: true
    immediate: true
    state: disabled
  become: true
```
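As an added example (not code from the original post), the following playbook combines the enabled and disabled states shown above with a registered firewall-cmd --list-ports listing to enforce an allowlist: every approved port is opened, and any other port open in the default zone is closed. The approved_ports list is an assumed value for illustration.

```yaml
---
- name: Enforce a firewalld port allowlist in the default zone
  hosts: all
  become: true
  vars:
    # Assumed allowlist for this host role; adjust to the services you run.
    approved_ports:
      - 80/tcp
      - 443/tcp
  tasks:
    - name: Ensure every approved port is open, now and after reboot
      ansible.posix.firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ approved_ports }}"

    - name: Collect the ports currently open in the default zone (runtime view)
      ansible.builtin.command: firewall-cmd --list-ports
      register: fw_ports
      changed_when: false

    - name: Close every open port that is not on the allowlist
      ansible.posix.firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: disabled
      # --list-ports prints a space-separated list, e.g. "80/tcp 8080/tcp"
      loop: "{{ fw_ports.stdout.split() | difference(approved_ports) }}"

    - name: Re-read the open ports after reconciliation
      ansible.builtin.command: firewall-cmd --list-ports
      register: fw_ports_after
      changed_when: false

    - name: Fail the run if anything outside the allowlist is still open
      ansible.builtin.assert:
        that:
          - fw_ports_after.stdout.split() | difference(approved_ports) | length == 0
        fail_msg: "Unexpected open ports: {{ fw_ports_after.stdout }}"
```

firewall-cmd --list-ports reports only explicitly opened ports in the runtime configuration, not ports reachable through enabled services; repeat the listing with --permanent if you also want to reconcile the on-disk zone.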
permanent vs immediate
| Parameter | Effect |
|-----------|--------|
| permanent: true | Survives reboot |
| immediate: true | Takes effect now |
| Both | Immediate AND survives reboot |
| Neither | Runtime only, lost on reboot |
Always use both for production rules.
firewalld vs ufw
| Module | Firewall | Distros |
|--------|----------|---------|
| ansible.posix.firewalld | firewalld | RHEL, CentOS, Fedora |
| community.general.ufw | ufw | Ubuntu, Debian |
| ansible.builtin.iptables | iptables | Any Linux |
FAQ
How do I list current rules?
```yaml
- name: Show open ports
  ansible.builtin.command: firewall-cmd --list-all
  register: fw_rules
  changed_when: false   # read-only query, never reports a change
  become: true
```
How do I reload firewalld?
```yaml
- name: Reload firewalld
  # reload re-applies the permanent configuration and drops runtime-only rules
  ansible.builtin.command: firewall-cmd --reload
  become: true
```
What's the default zone?
Usually public. Check with: `firewall-cmd --get-default-zone`
Related Articles
• automating Nginx with Ansible
• become_user and become_method in Ansible
Watch the video: Ansible firewalld Module: Open Firewall Ports on RHEL/CentOS (Examples) — Video Tutorial