
About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible firewalld Module: Open Firewall Ports on RHEL/CentOS (Examples)

By Luca Berton · Published 2024-01-01 · Category: installation

How to manage firewall ports on RHEL, CentOS, and Fedora using Ansible firewalld module. Open ports, add services, manage zones, and make rules permanent.


How to open firewall ports in RedHat-like systems with Ansible?


Ansible open firewall ports in RedHat-like systems

Today we're talking about the Ansible module firewalld. The full name is ansible.posix.firewalld, which means it is part of the ansible.posix collection, the one targeting POSIX platforms. The module requires Ansible 2.9+ and works on RedHat-like systems with firewalld >= 0.2.11 and the Python firewalld bindings installed on the managed host. It manages arbitrary ports and services (as well as zones, interfaces and rich rules) with firewalld.

Parameters

  • state _string_ - enabled / present / absent / disabled
  • service _string_ - a service name as listed by firewall-cmd --get-services
  • port _string_ - PORT/PROTOCOL or PORT-PORT/PROTOCOL
  • permanent _boolean_ - no/yes
  • immediate _boolean_ - no/yes
The parameter list is much wider, but these are the options that matter for opening firewall ports. The "state" parameter is mandatory. "enabled" adds the port, service or rule to the zone so matching connections are accepted, and "disabled" removes it again; "present" and "absent" are for zone-level operations, i.e. creating or deleting a zone. The "service" parameter names a firewalld service to add to or remove from a zone; list the services your firewalld knows with "firewall-cmd --get-services". The "port" parameter specifies a port or port range to add or remove. The format is PORT/PROTOCOL, for example 80/tcp for HTTP (keep the protocol lowercase, as firewalld expects); a range is written PORT-PORT/PROTOCOL, for example 8000-8100/tcp. The "permanent" parameter controls whether the change is written to the saved configuration, so that it survives a reload or reboot. The "immediate" parameter applies the change to the running firewall right away. Note that if "permanent" is no, "immediate" is assumed yes: a runtime-only change is applied at once and lost on the next reload. For production rules set both to yes; a permanent-only change is saved but not active until firewalld is reloaded.

Playbook

Let's jump into a real-life Playbook about how to open firewall ports in RedHat-like systems with Ansible.

  • verify-firewall.sh
# firewall-cmd --state
# systemctl status firewalld
# firewall-cmd --list-all
# firewall-cmd --list-services
# dnf info nginx
  • firewalld.yml
---
- name: firewalld module Playbook
  hosts: all
  become: true
  tasks:
    - name: nginx installed
      ansible.builtin.yum:
        name: nginx
        state: present
    # Open the predefined http and https services in the default zone,
    # both in the running firewall and in the saved configuration.
    - name: firewalld rules
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: enabled
        permanent: true
        immediate: true
      loop:
        - http
        - https

code with ❤️ in GitHub


Conclusion

Now you know how to open firewall ports in RedHat-like systems with Ansible.

Open Ports

Open a single port

- name: Open HTTP port
  ansible.posix.firewalld:
    port: 80/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true

Open multiple ports

- name: Open application ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 80/tcp
    - 443/tcp
    - 8080/tcp
    - 3306/tcp
  become: true

A port such as 3306/tcp (MySQL) should normally not be opened in the default public zone; bind it to an internal zone or restrict the source address with a rich rule, as shown in the sections below.

Open port range

- name: Open port range
  ansible.posix.firewalld:
    port: 8000-8100/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true


Add Services

- name: Allow common services
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - http
    - https
    - ssh
    - postgresql
  become: true

Manage Zones

- name: Add interface to zone
  ansible.posix.firewalld:
    zone: internal
    interface: eth1
    permanent: true
    immediate: true
    state: enabled
  become: true

- name: Open port in specific zone
  ansible.posix.firewalld:
    zone: internal
    port: 5432/tcp
    permanent: true
    immediate: true
    state: enabled
  become: true

Rich Rules

- name: Allow SSH from specific subnet
  ansible.posix.firewalld:
    rich_rule: 'rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
    permanent: true
    immediate: true
    state: enabled
  become: true

Note that on RHEL-family systems the public zone ships with the ssh service enabled for every source, so this rich rule by itself restricts nothing. To limit SSH to the subnet, also remove the zone-wide ssh service (service: ssh with state: disabled) after the rich rule is in place.

- name: Rate limit connections
  ansible.posix.firewalld:
    # limit belongs to the action it throttles, so it follows accept
    rich_rule: 'rule service name="http" accept limit value="25/m"'
    permanent: true
    immediate: true
    state: enabled
  become: true
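The subnet rule above, carried through to a complete playbook. This is an added example and not code from the original page: because the public zone already accepts ssh from any source, the rich rule alone changes nothing, so the play adds the rule first, then removes the zone-wide ssh service, and reads the zone back to confirm. The zone name, the subnet 192.168.1.0/24 and the assumption that the controller itself connects from that subnet are the example's own; the lockout guard relies on the ansible.utils collection (ipaddr filter, which needs the netaddr Python package on the controller) and on gathered facts.

```yaml
---
# Added example, not code from the original page. Assumptions: the hosts use
# the default "public" zone, the management network is 192.168.1.0/24, and the
# controller itself connects from that network (checked before changing anything).
# The lockout guard needs the ansible.utils collection and the netaddr Python
# package on the controller, and gather_facts (the default) for ansible_env.
- name: Restrict SSH to the management subnet
  hosts: all
  become: true
  vars:
    fw_zone: public
    mgmt_subnet: 192.168.1.0/24
  tasks:
    - name: Refuse to continue unless this very session comes from the management subnet
      ansible.builtin.assert:
        that:
          # SSH_CONNECTION is "client_ip client_port server_ip server_port";
          # ipaddr(net) returns the address when it lies inside net, otherwise false
          - (ansible_env.SSH_CONNECTION | default('0.0.0.0')).split()[0] | ansible.utils.ipaddr(mgmt_subnet)
        fail_msg: "Session is not from {{ mgmt_subnet }}; applying this play would lock you out"

    - name: Accept SSH from the management subnet (added before the zone-wide service goes)
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        rich_rule: 'rule family="ipv4" source address="{{ mgmt_subnet }}" service name="ssh" accept'
        permanent: true
        immediate: true
        state: enabled

    - name: Remove the zone-wide ssh service so every other source gets the zone default (reject)
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        service: ssh
        permanent: true
        immediate: true
        state: disabled

    - name: Read back zone services and rich rules
      ansible.builtin.command: "firewall-cmd --zone={{ fw_zone }} {{ item }}"
      loop:
        - --list-services
        - --list-rich-rules
      register: fw_readback
      changed_when: false

    - name: Confirm ssh is gone zone-wide and the subnet rule is present
      ansible.builtin.assert:
        that:
          - "'ssh' not in fw_readback.results[0].stdout.split()"
          - "mgmt_subnet in fw_readback.results[1].stdout"
        fail_msg: "SSH exposure is not restricted as intended on {{ inventory_hostname }}"
```

The running session survives the service removal because the zone keeps accepting established connections; only new connections from outside the subnet are rejected. The rule is family="ipv4" only, so IPv6 clients also lose SSH once the service is removed; add a matching family="ipv6" rule if you need them.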

Close / Remove Rules

- name: Close unused port
  ansible.posix.firewalld:
    port: 8080/tcp
    permanent: true
    immediate: true
    state: disabled
  become: true

permanent vs immediate

| Setting | Effect |
|---|---|
| permanent: true | Written to the saved configuration, so it survives reload and reboot; on its own it is not active until firewalld reloads |
| immediate: true | Applied to the running firewall now |
| Both | Active now and survives reboot |
| Neither | Runtime only (immediate is assumed when permanent is false); lost on reload or reboot |

Always use both for production rules.

firewalld vs ufw

| Module | Firewall | Distros |
|---|---|---|
| ansible.posix.firewalld | firewalld | RHEL, CentOS, Fedora |
| community.general.ufw | ufw | Ubuntu, Debian |
| ansible.builtin.iptables | iptables | Any Linux |

FAQ

How do I list current rules?

- name: Show open ports
  ansible.builtin.command: firewall-cmd --list-all
  register: fw_rules
  changed_when: false
  become: true

This shows the default zone only; add --zone=NAME for another zone, or use firewall-cmd --list-all-zones to see every zone at once.
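Listing is useful, but a practitioner usually wants a check that fails. Here is an added example, not code from the original page, that declares an allowlist, applies it with permanent and immediate both set, and then fails the play if the runtime or the permanent configuration of the zone differs from the list in either direction. It also turns the permanent vs immediate table into a test: with both flags set, runtime and permanent must agree. The zone name and the allowlist contents are assumptions.

```yaml
---
# Added example, not code from the original page. Assumptions: the zone is
# "public" and the allowlist below is the complete set of services and ports
# that should be open in it; anything else (including distribution defaults
# such as cockpit or dhcpv6-client on RHEL 8/9) is reported as drift.
- name: Enforce and verify a firewalld allowlist
  hosts: all
  become: true
  vars:
    fw_zone: public
    allowed_services: [ssh, http, https]
    allowed_ports: ["8443/tcp"]
  tasks:
    - name: Apply allowlisted services
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ allowed_services }}"

    - name: Apply allowlisted ports
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ allowed_ports }}"

    # Runtime (no flag) and saved (--permanent) views are read separately
    # so that a rule present in only one of them is caught.
    - name: Read runtime and permanent services and ports
      ansible.builtin.command: "firewall-cmd {{ item.scope }} --zone={{ fw_zone }} --list-{{ item.kind }}"
      loop:
        - { scope: "", kind: services }
        - { scope: "--permanent", kind: services }
        - { scope: "", kind: ports }
        - { scope: "--permanent", kind: ports }
      register: fw_state
      changed_when: false

    - name: Fail on drift in either direction, runtime or permanent
      ansible.builtin.assert:
        that:
          - fw_state.results[0].stdout.split() | symmetric_difference(allowed_services) | length == 0
          - fw_state.results[1].stdout.split() | symmetric_difference(allowed_services) | length == 0
          - fw_state.results[2].stdout.split() | symmetric_difference(allowed_ports) | length == 0
          - fw_state.results[3].stdout.split() | symmetric_difference(allowed_ports) | length == 0
        fail_msg: >-
          firewalld drift in zone {{ fw_zone }}:
          runtime services={{ fw_state.results[0].stdout }} permanent services={{ fw_state.results[1].stdout }}
          runtime ports={{ fw_state.results[2].stdout }} permanent ports={{ fw_state.results[3].stdout }}
```

On a stock RHEL 9 host the first run fails, because the public zone also carries cockpit and dhcpv6-client: that is the check doing its job. Either add them to allowed_services or remove them with state: disabled before the assert. If you drop immediate: true from the apply tasks, the runtime assertions (results 0 and 2) fail until firewalld is reloaded, which is exactly the gap the table above describes.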

How do I reload firewalld?

- name: Reload firewalld
  ansible.builtin.command: firewall-cmd --reload
  become: true

A reload is only needed when you changed the permanent configuration without immediate: true; with both set there is nothing to reload. Note that --reload discards runtime-only changes that were never made permanent.

What's the default zone?

Usually public. Check with: firewall-cmd --get-default-zone
