ansible-collections / ansible.posix

Ansible Collection for Posix

firewalld: Support policy objects #284

Open klausenbusk opened 2 years ago

klausenbusk commented 2 years ago
SUMMARY

Firewalld supports "Policy Objects" since v0.9.0:

With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones. A subset of that functionality was available by using the direct interface and writing your own iptables rules, but it wasn’t a great user experience.

What is needed is a way to apply a policy for traffic flowing between zones. Then the user can attach firewalld’s primitives: services, ports, rich rules, etc. to the policy. The end result is something that provides a very similar user interface to zones, but is much more powerful.

Source: https://firewalld.org/2020/09/policy-objects-introduction

ISSUE TYPE
COMPONENT NAME

firewalld

ADDITIONAL INFORMATION

Two informative blog posts:

Our use-case is similar to the latter blog post (traffic between virtual machines and Wireguard tunnels).

- name: create foo policy
  firewalld: policy=foo permanent=yes state=present
  register: result

- name: reload firewalld
  service: name=firewalld state=reloaded
  when: result.changed

- name: set ingress zone for the foo policy
  firewalld: policy=foo ingress_zone=public permanent=yes immediate=yes state=enabled

- name: set egress zone for the foo policy
  firewalld: policy=foo egress_zone=public permanent=yes immediate=yes state=enabled
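Until the module grows a `policy` parameter, the same result can be reached with `firewall-cmd` driven from `ansible.builtin.command`. The playbook below is an added example, not code from the issue or from the ansible.posix collection: it assumes a host running firewalld 0.9.0 or newer, and the policy name, the zone names (`internal` for the VM bridge, `public` for the WireGuard interface) and the allowed service list are placeholders. It creates the policy permanently, makes it deny-by-default with a `REJECT` target, binds the ingress and egress zones, allows only the listed services across that boundary, and reloads firewalld once at the end so the permanent configuration becomes the runtime one (the same reload step the issue's own example performs with the `service` module).

```yaml
# Added example (not part of the issue or the ansible.posix collection).
# Manages one firewalld policy object with firewall-cmd. Policy and zone
# names and the service list are assumptions used for illustration.
- name: Filter forwarded traffic between two zones with a firewalld policy
  hosts: all
  become: true
  vars:
    policy_name: vm-to-wg        # assumed policy name
    ingress_zone: internal       # assumed: zone holding the VM bridge
    egress_zone: public          # assumed: zone holding the WireGuard interface
    allowed_services:            # only these may cross from ingress to egress
      - ssh
  tasks:
    - name: List existing permanent policies
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --get-policies
      register: policies
      changed_when: false

    # Policies can only be created in the permanent configuration.
    - name: Create the policy when it does not exist yet
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --new-policy {{ policy_name }}
      when: policy_name not in policies.stdout.split()
      notify: Reload firewalld

    - name: Read the policy's current default target
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --policy {{ policy_name }} --get-target
      register: target
      changed_when: false

    # Deny by default: only rules attached to the policy may let traffic through.
    - name: Reject everything the policy does not explicitly allow
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --policy {{ policy_name }} --set-target REJECT
      when: target.stdout | trim != 'REJECT'
      notify: Reload firewalld

    # firewall-cmd exits 0 with "Warning: ALREADY_ENABLED" when a binding
    # is already present, so stderr is used to report an idempotent run.
    - name: Bind the ingress and egress zones to the policy
      ansible.builtin.command:
        cmd: >-
          firewall-cmd --permanent --policy {{ policy_name }}
          --add-{{ item.kind }}-zone {{ item.zone }}
      loop:
        - { kind: ingress, zone: "{{ ingress_zone }}" }
        - { kind: egress, zone: "{{ egress_zone }}" }
      register: bind
      changed_when: "'ALREADY_ENABLED' not in bind.stderr"
      notify: Reload firewalld

    - name: Allow only the listed services across the zone boundary
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --policy {{ policy_name }} --add-service {{ item }}
      loop: "{{ allowed_services }}"
      register: svc
      changed_when: "'ALREADY_ENABLED' not in svc.stderr"
      notify: Reload firewalld

  handlers:
    # Permanent changes are inert until reloaded into the runtime configuration.
    - name: Reload firewalld
      ansible.builtin.command:
        cmd: firewall-cmd --reload
```

Run it with `ansible-playbook -i inventory firewalld-policy.yml`; a second run reports no changes because every task either queries first or reads the `ALREADY_ENABLED` warning. Setting the target to `REJECT` before adding zones is deliberate: the policy is then restrictive from the moment it is reloaded, and widening it is an explicit `--add-service` or `--add-rich-rule` step that shows up as a change in the playbook output. `firewall-cmd --permanent --policy <name> --info-policy` prints the resulting object for verification.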

saito-hideki commented 2 years ago

Hi @klausenbusk, thank you for reporting this feature request!

benblasco commented 2 years ago

I don't have the development skills for this feature, but would be very happy to contribute to the documentation. If anybody wants to collaborate on this, please let me know!

ziegenberg commented 2 years ago

Hi @vrindle, almost a year ago you announced in https://github.com/ansible-collections/ansible.posix/issues/249#issuecomment-899577467 replacing the Ansible Posix Firewalld module with the current module in the Firewalld system role. Is this going to happen? I'm looking forward to implementing a fix for this issue, but I would not want to code stuff that is going out the window soon.

Both the current module in the Firewalld system role and the Ansible Posix Firewalld module are missing support for policy objects at the moment.

ziegenberg commented 2 years ago

There are also a couple of open PRs (#160, #249, #320) regarding the firewall module. Are they going to be merged soon?