Ansible firewalld Module: Open Firewall Ports on RHEL/CentOS (Examples)
By Luca Berton · Published 2024-01-01 · Category: installation
How to manage firewall ports on RHEL, CentOS, and Fedora using Ansible firewalld module. Open ports, add services, manage zones, and make rules permanent.

How to open firewall ports in RedHat-like systems with Ansible?

See also: Ansible on AlmaLinux 9.5: firewalld Hardening Complete Guide

## Ansible open firewall ports in RedHat-like systems

Today we're talking about the Ansible module firewalld.

The full name is ansible.posix.firewalld, which means that it is part of the collection targeting POSIX platforms. This module requires Ansible 2.9+.

It works on RedHat-like systems with firewalld >= 0.2.11 and the Python firewalld bindings installed on the managed host.

It manages arbitrary ports and services with firewalld.
## Parameters

- state _string_ - enabled / present / absent / disabled
- service _string_ - a service name known to firewalld (list them with `firewall-cmd --get-services`)
- port _string_ - PORT/PROTOCOL or PORT-PORT/PROTOCOL
- permanent _boolean_ - no/yes (write the rule to the permanent configuration so it survives a reboot)
- immediate _boolean_ - no/yes (apply the rule to the running firewall right away)
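The `port` parameter only accepts the two formats listed above, and a typo (a missing protocol, a port above 65535, a range written high-low) is easier to catch before the play runs than in a failed task on a production host. The following POSIX shell linter is an added example, not code from the original article or from the ansible.posix collection; the function names are this example's own, and the sample port list at the end is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: lint `port` values
# before they reach ansible.posix.firewalld. The module accepts
# PORT/PROTOCOL or PORT-PORT/PROTOCOL; a malformed value fails the task at
# run time, and a typo like "8080" (no protocol) or an inverted range can
# leave a host without the rule the playbook promised.
# Function names are this example's own.

# firewalld port rules take these protocols.
valid_protocol() {
    case "$1" in
        tcp|udp|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# A port number is 1..65535, digits only (length check keeps `[` from
# choking on absurdly long strings).
valid_port_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_spec SPEC: exit 0 for PORT/PROTO or LOW-HIGH/PROTO, 1 otherwise.
validate_port_spec() {
    spec="$1"
    case "$spec" in
        */*) ;;
        *) return 1 ;;                      # protocol part missing
    esac
    ports="${spec%/*}"
    proto="${spec#*/}"
    case "$proto" in */*) return 1 ;; esac  # more than one slash
    valid_protocol "$proto" || return 1
    case "$ports" in
        *-*)
            lo="${ports%-*}"
            hi="${ports#*-}"
            case "$lo$hi" in *-*) return 1 ;; esac  # more than one dash
            valid_port_number "$lo" || return 1
            valid_port_number "$hi" || return 1
            [ "$lo" -le "$hi" ]             # ranges must not be inverted
            ;;
        *)
            valid_port_number "$ports"
            ;;
    esac
}

# lint_port_specs: read one spec per line on stdin, print each invalid one,
# exit 1 if any was invalid. Feed it the loop items of a playbook task.
lint_port_specs() {
    rc=0
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        if ! validate_port_spec "$spec"; then
            printf 'invalid port spec: %s\n' "$spec"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the loop items used in this article's tasks plus three
# mistakes (missing protocol, port out of range, inverted range).
printf '%s\n' 80/tcp 443/tcp 8080/tcp 3306/tcp 8000-8100/tcp \
               8080 99999/tcp 8100-8000/tcp |
    lint_port_specs || echo "fix the playbook before running it"
```

Run it as a pre-commit or CI step over the values a playbook loops through; it exits non-zero on the first bad list, which is cheaper than discovering a broken rule after `immediate: true` has already been applied to a fleet.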
## Playbook

Let's jump into a real-life Playbook about how to open firewall ports in RedHat-like systems with an Ansible Playbook.

- verify-firewall.sh

```bash
# firewall-cmd --state
# systemctl status firewalld
# firewall-cmd --list-all
# firewall-cmd --list-services
# dnf info nginx
```

- firewalld.yml

```yaml
---
- name: firewalld module Playbook
  hosts: all
  become: true
  tasks:
    - name: nginx installed
      ansible.builtin.yum:
        name: nginx
        state: present
    - name: firewalld rules
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: enabled
        permanent: true
        immediate: true
      with_items:
        - http
        - https
```
See also: Ansible on Fedora 43: Firewalld Zone Configuration Complete Guide
## Conclusion

Now you know how to open firewall ports in RedHat-like systems with Ansible.

## Open Ports
### Open a single port

```yaml
- name: Open HTTP port
  ansible.posix.firewalld:
    port: 80/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```

### Open multiple ports
```yaml
- name: Open application ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 80/tcp
    - 443/tcp
    - 8080/tcp
    - 3306/tcp
  become: true
```

### Open port range
```yaml
- name: Open port range
  ansible.posix.firewalld:
    port: 8000-8100/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```

See also: Ansible on Fedora 44: Firewalld Zone Configuration Complete Guide
## Add Services

```yaml
- name: Allow common services
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
    - ssh
    - postgresql
  become: true
```

## Manage Zones
```yaml
- name: Add interface to zone
  ansible.posix.firewalld:
    zone: internal
    interface: eth1
    permanent: true
    immediate: true
    state: enabled
  become: true

- name: Open port in specific zone
  ansible.posix.firewalld:
    zone: internal
    port: 5432/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true
```

## Rich Rules
```yaml
- name: Allow SSH from specific subnet
  ansible.posix.firewalld:
    rich_rule: 'rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
    permanent: true
    immediate: true
    state: enabled
  become: true

- name: Rate limit connections
  ansible.posix.firewalld:
    rich_rule: 'rule service name="http" limit value="25/m" accept'
    permanent: true
    immediate: true
    state: enabled
  become: true
```

## Close / Remove Rules
```yaml
- name: Close unused port
  ansible.posix.firewalld:
    port: 8080/tcp
    permanent: true
    immediate: true
    state: disabled
  become: true
```

## permanent vs immediate

| Parameter | Effect |
|---|---|
| permanent: true | Survives reboot |
| immediate: true | Takes effect now |
| Both | Immediate AND survives reboot |
| Neither | Runtime only, lost on reboot |
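The practical failure mode behind this table is drift between the two views: a rule applied with `immediate` but not `permanent` silently vanishes at the next reboot, and a rule written with `permanent` but not `immediate` is not protecting (or not blocking) anything until the next reload. The shell functions below are an added example, not code from the original article or from firewalld; they compare the word lists that `firewall-cmd --list-ports` and `firewall-cmd --permanent --list-ports` print, so they can run anywhere. The function names and the sample lists are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the runtime and
# permanent views of a firewalld zone so that a task which set only one of
# `permanent`/`immediate` shows up as drift now instead of as a surprise
# after the next reboot or reload. Function names are this example's own.

# in_list WORD LIST: exit 0 if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# drift_report RUNTIME PERMANENT: print one line per entry present in only
# one of the two views. RUNTIME and PERMANENT are the space-separated outputs
# of, for example,
#   firewall-cmd --list-ports      and   firewall-cmd --permanent --list-ports
# (the same works for --list-services, which is also one entry per word).
drift_report() {
    runtime="$1"
    permanent="$2"
    for entry in $runtime; do
        in_list "$entry" "$permanent" ||
            printf 'runtime-only (lost on reboot): %s\n' "$entry"
    done
    for entry in $permanent; do
        in_list "$entry" "$runtime" ||
            printf 'permanent-only (not active until reload): %s\n' "$entry"
    done
}

# has_drift RUNTIME PERMANENT: exit 0 when the views differ, 1 when they match
# (order-insensitive, since firewall-cmd does not guarantee ordering).
has_drift() {
    [ -n "$(drift_report "$1" "$2")" ]
}

# Constructed sample standing in for live firewall-cmd output: 8080/tcp was
# opened with immediate only, 5432/tcp with permanent only.
drift_report "80/tcp 443/tcp 8080/tcp" "80/tcp 443/tcp 5432/tcp"

# On a managed host (as root) the live check is:
#   drift_report "$(firewall-cmd --list-ports)" "$(firewall-cmd --permanent --list-ports)"
```

A non-empty report after a playbook run is a sign that some task set one flag but not the other; in an Ansible context the same check can be wired into a `command` task whose `failed_when` tests the registered output, alongside the `--list-all` task shown in the FAQ.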
## firewalld vs ufw

| Module | Firewall | Distros |
|---|---|---|
| ansible.posix.firewalld | firewalld | RHEL, CentOS, Fedora |
| community.general.ufw | ufw | Ubuntu, Debian |
| ansible.builtin.iptables | iptables | Any Linux |
## FAQ

### How do I list current rules?

```yaml
- name: Show open ports
  ansible.builtin.command: firewall-cmd --list-all
  register: fw_rules
  changed_when: false
```

### How do I reload firewalld?

```yaml
- name: Reload firewalld
  ansible.builtin.command: firewall-cmd --reload
  become: true
```

### What's the default zone?

Usually public. Check with: `firewall-cmd --get-default-zone`