Thursday, January 25, 2018

Configuring Firewalld on CentOS 7 with Ansible

I've been working on the configuration of a new server with Ansible; this client has CentOS servers, so I'm configuring it for the current release of CentOS 7.x, which comes with Firewalld. All of the existing playbooks are set up for iptables, which was used in earlier versions of CentOS.

I thought about rolling it back to iptables, but I decided to try using firewalld first. I hit some problems:

  • Firewalld port forwarding only supports remote traffic:
    • If I want to run Tomcat and use the firewall to forward from port 80 to the Tomcat port, then accessing http://localhost will not trigger these port forwarding rules.
    • Fortunately, you can work around that with a "direct" rule.
  • The ansible firewalld module seems immature:
    • flagged as 'preview'
    • doesn't support port forwarding
    • doesn't support direct rules
    • You can work around that by invoking `firewall-cmd` using the command module.
  • Not easy to use `firewall-cmd` in an idempotent way.
    • Firewalld is configured with commands, somewhat like iptables. You can run these commands using the command module.
    • It's not that easy to invoke these commands in Ansible in a way that lets you be properly idempotent -- only run this command or mark it changed if something has changed. As a result, these will run every time, and if you have a handler to restart the firewalld service, that will also trigger every time.

What I ended up doing is configuring firewalld with commands, then looking at the configuration files that result. Instead of having the Ansible playbook trigger these commands, I have the playbook copy these files into place. File copying is easier to do idempotently than command invocation, so I can have Ansible copy the configuration files into place (/etc/firewalld/direct.xml, /etc/firewalld/zones/public.xml) and then restart firewalld only if the files have changed.
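Here is how that file-copy approach looks as a playbook. This is an added example, not the post's own playbook: it assumes a `webservers` host group, Tomcat listening on port 8080, and ssh/http as the only inbound services, and it embeds the two XML files (as `firewall-cmd --permanent` would write them) inline instead of shipping them from a `files/` directory.

```yaml
# Added example, not the post's playbook. Installing the generated firewalld
# files means Ansible only reports "changed" (and restarts firewalld) when the
# firewall configuration actually differs from what is on the host.
# Assumed: host group "webservers", Tomcat on port 8080.
- hosts: webservers
  become: yes
  tasks:
    - name: Public zone - allow ssh/http and forward 80 to 8080 (remote traffic only)
      copy:
        dest: /etc/firewalld/zones/public.xml
        mode: '0644'
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <zone>
            <short>Public</short>
            <service name="ssh"/>
            <service name="http"/>
            <forward-port port="80" protocol="tcp" to-port="8080"/>
          </zone>
      notify: restart firewalld

    # Zone forward-ports do not apply to traffic from the host itself, so a
    # direct nat/OUTPUT rule on the loopback interface covers http://localhost
    - name: Direct rule so localhost port 80 also reaches Tomcat
      copy:
        dest: /etc/firewalld/direct.xml
        mode: '0644'
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <direct>
            <rule ipv="ipv4" table="nat" chain="OUTPUT" priority="0">-o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080</rule>
          </direct>
      notify: restart firewalld

    - name: Ensure firewalld is enabled and running
      service:
        name: firewalld
        state: started
        enabled: yes

  handlers:
    # Triggered only when one of the copy tasks reported a change
    - name: restart firewalld
      service:
        name: firewalld
        state: restarted
```

A second run of the play reports no changes and leaves firewalld untouched; `firewall-cmd --reload` in the handler is a lighter alternative to a full service restart when you only want the permanent configuration re-read.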

That seems to be reasonably happy.
