When I run this it says successful but the default interface is still set to public zone. What gives?

# Remove the default interface from the 'public' zone (runtime and permanent)
- firewalld:
    zone: public
    interface: "{{ ansible_default_ipv4.interface }}"
    permanent: true
    immediate: true
    state: disabled

# Bind the same interface to the 'trusted' zone (runtime and permanent)
- firewalld:
    zone: trusted
    interface: "{{ ansible_default_ipv4.interface }}"
    permanent: true
    immediate: true
    state: enabled
Baptiste Mille-Mathias
Ozfer

3 Answers

Following on from the answer from hillsy, to avoid Ansible reporting a change when the default zone is already set to the zone you're setting:

- name: Set default zone to 'public'
  ansible.builtin.command: firewall-cmd --set-default-zone=public
  register: default_zone_set
  changed_when:
    - '"ZONE_ALREADY_SET" not in default_zone_set.stderr'
David Oliver

I don't think the firewalld module supports setting the default zone as such. The docs say zone is:

The firewalld zone to add/remove [the rule] to/from

Also:

Zone transactions (creating, deleting) can be performed by using only the zone and state parameters “present” or “absent”.

I take that to mean you can create/delete zones and add/remove rules in them, but not set a zone as default. This is consistent with behaviour I've seen using similar config to the OP.

I now set the default zone in Ansible config using the command module, e.g.:

- name: Set dmz as default policy
  command: firewall-cmd --set-default-zone=dmz
hillsy

After running this, have you reloaded firewalld for the changes to take effect? All I see from the tasks is that you disable and enable it. You can also add handlers to restart the service after it completes: https://docs.ansible.com/ansible/latest/user_guide/playbooks_intro.html#handlers-running-operations-on-change. You should also try running with -vvv to see the output and check whether it does what you expect.

jlozadad
  • I ran -vvv and it says successful/changed. The immediate flag should make it not need to be reloaded, but I also reload it farther down, so it is reloaded. "Permanent and Non-Permanent(immediate) operation, Changed (interface) to zone trusted"} – Ozfer Jul 27 '18 at 18:43
  • So if you reloaded at the bottom, then how does it look on the target host? Use a pastebin to put the logs so it's easier to read. – jlozadad Jul 27 '18 at 18:51
  • It applies all settings to public instead of trusted, and public is set as the active interface. – Ozfer Jul 27 '18 at 18:54
  • Read the notes on the module docs: ` This is a limitation in firewalld. This also means that you will have to reload firewalld after adding a zone that you wish to perform immediate actions on. The module will not take care of this for you implicitly because that would undo any previously performed immediate actions which were not permanent. Therefore, if you require immediate access to a newly created zone it is recommended you reload firewalld immediately after the zone creation returns with a changed state and before you perform any other immediate, nonpermanent actions on that zone. ` – jlozadad Jul 27 '18 at 19:10
  • Saying "doesn't work" does not give us enough details to troubleshoot it more. You should show all the playbook/roles and everything you're doing with -vvvv logs in a pastebin so it's easier to troubleshoot. Have you also checked to see if it's a bug? What version of Ansible? – jlozadad Jul 27 '18 at 19:14
  • Ansible 2.4.2. It literally says "Permanent and Non-Permanent(immediate) operation, Changed (interface) to zone trusted"}. I don't know if this is a bug. – Ozfer Jul 27 '18 at 19:22
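Putting the answers above together, here is an added example play (not code from the question or any of the answers) that binds the default interface to a zone, sets that zone as the default only when the current default differs, and reloads firewalld through a handler as jlozadad suggests. The play name, the `hosts: all` pattern, the `target_zone` variable and the use of the `ansible.posix.firewalld` collection name are assumptions; the comparison against `firewall-cmd --get-default-zone` is an alternative to David Oliver's `ZONE_ALREADY_SET` check that also works in check mode.

```yaml
# Added example: bind the default interface to a zone and make that zone the
# default, idempotently. Assumes a firewalld host and the ansible.posix
# collection (the legacy short name 'firewalld' works on older Ansible).
- name: Bind the default interface to a zone and make it the default zone
  hosts: all
  become: true
  vars:
    target_zone: trusted   # assumed value; change to the zone you actually want

  tasks:
    - name: Bind the default interface to the target zone (runtime and permanent)
      ansible.posix.firewalld:
        zone: "{{ target_zone }}"
        interface: "{{ ansible_default_ipv4.interface }}"
        permanent: true
        immediate: true
        state: enabled
      notify: reload firewalld

    - name: Read the current default zone (never reports a change, safe in check mode)
      ansible.builtin.command: firewall-cmd --get-default-zone
      register: current_default_zone
      changed_when: false
      check_mode: false

    - name: Set the default zone only when it differs from the target
      ansible.builtin.command: "firewall-cmd --set-default-zone={{ target_zone }}"
      when: current_default_zone.stdout | trim != target_zone
      notify: reload firewalld

    - name: Verify the interface now belongs to the target zone
      ansible.builtin.command: "firewall-cmd --get-zone-of-interface={{ ansible_default_ipv4.interface }}"
      register: interface_zone
      changed_when: false
      failed_when: interface_zone.stdout | trim != target_zone

  handlers:
    # Reloading discards runtime-only changes; every change above is also
    # permanent, so nothing is lost by the reload.
    - name: reload firewalld
      ansible.builtin.command: firewall-cmd --reload
```

The final verification task makes the play fail loudly if the interface binding did not take effect on the host, which is exactly the symptom the question describes.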