I thought about rolling it back to iptables, but I decided to try using firewalld first. I hit some problems:
- Firewalld port forwarding only applies to remote traffic:
  - If I want to run Tomcat and use the firewall to forward from port 80 to the Tomcat port, then accessing http://localhost will not trigger these port forwarding rules.
  - Fortunately, you can work around that with a "direct" rule.
- The Ansible firewalld module seems immature:
  - flagged as 'preview'
  - doesn't support port forwarding
  - doesn't support direct rules
  - You can work around that by invoking `firewall-cmd` using the command module.
- Not easy to use `firewall-cmd` in an idempotent way:
  - Firewalld is configured with commands, somewhat like iptables. You can run these commands using the command module.
  - It's not that easy to invoke these commands in Ansible in a way that is properly idempotent -- only run the command, or mark the task as changed, if something has actually changed. As a result, these tasks will run every time, and if you have a handler to restart the firewalld service, that will also trigger every time.
What I ended up doing is configuring firewalld with commands, then looking at the configuration files that result. Instead of having the Ansible playbook trigger these commands, I have the playbook copy these files into place. File copying is much easier to do idempotently than command invocation, so I can configure Ansible to copy the configuration files into place (/etc/firewalld/direct.xml, /etc/firewalld/zones/public.xml) and then restart firewalld only if the files have changed.
That seems to be reasonably happy.
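Here is an added example of that approach, not taken from the original post: an Ansible play that writes the two firewalld files inline and restarts the service only when a copy task reports a change. It assumes Tomcat listens on port 8080, the interface sits in the `public` zone, and SSH must stay reachable.

```yaml
# Added example (not the post's own playbook). Assumptions: Tomcat on 8080,
# hosts in the "public" zone, SSH kept open so the play cannot lock us out.
- hosts: webservers
  become: yes
  tasks:
    - name: Public zone - forward remote port 80 to Tomcat on 8080
      copy:
        dest: /etc/firewalld/zones/public.xml
        owner: root
        group: root
        mode: "0644"
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <zone>
            <short>Public</short>
            <service name="ssh"/>
            <service name="dhcpv6-client"/>
            <forward-port port="80" protocol="tcp" to-port="8080"/>
          </zone>
      notify: restart firewalld

    - name: Direct rule - redirect local port 80 on loopback to 8080
      copy:
        dest: /etc/firewalld/direct.xml
        owner: root
        group: root
        mode: "0644"
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <direct>
            <!-- forward-port lives in PREROUTING and never sees traffic
                 from localhost; this nat OUTPUT rule covers that case -->
            <rule priority="0" table="nat" ipv="ipv4" chain="OUTPUT">-o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080</rule>
          </direct>
      notify: restart firewalld

  handlers:
    # Fires once per run, and only if at least one copy task changed a file.
    - name: restart firewalld
      service:
        name: firewalld
        state: restarted
```

Running the play twice in a row should report `changed=0` on the second pass, which is the idempotency check that the `firewall-cmd` invocations could not pass.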