I have a mixed Ubuntu 16.04/Ubuntu 18.04 based infrastructure and would like to set up and configure firewalld
on hosts. I am going to use an Ansible role for that (I have a Vagrant-based setup to test the Ansible role).
When I run Ansible playbooks, a freshly installed firewalld blocks incoming connections by default, although I never specified this explicitly:
[ 2161.574030] FINAL_REJECT: IN=enp0s8 OUT= MAC=08:00:27:f9:00:46:0a:00:27:00:00:00:08:00 SRC=172.16.137.1 DST=172.16.137.182 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36677 DF PROTO=TCP SPT=35098 DPT=455 WINDOW=29200 RES=0x00 SYN URGP=0
[ 4717.718425] FINAL_REJECT: IN=enp0s8 OUT= MAC=08:00:27:f9:00:46:0a:00:27:00:00:00:08:00 SRC=172.16.137.1 DST=172.16.137.182 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=55673 DF PROTO=TCP SPT=47624 DPT=456 WINDOW=29200 RES=0x00 SYN URGP=0
[ 4719.682792] FINAL_REJECT: IN=enp0s8 OUT= MAC=08:00:27:f9:00:46:0a:00:27:00:00:00:08:00 SRC=172.16.137.1 DST=172.16.137.182 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=43836 DPT=457 WINDOW=29200 RES=0x00 SYN URGP=0
[ 4721.358343] FINAL_REJECT: IN=enp0s8 OUT= MAC=08:00:27:f9:00:46:0a:00:27:00:00:00:08:00 SRC=172.16.137.1 DST=172.16.137.182 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42733 DF PROTO=TCP SPT=51850 DPT=458 WINDOW=29200 RES=0x00 SYN URGP=0
Is it possible somehow to start firewalld in a permissive mode, then configure everything, and then apply the configuration in one shot?
Recently I converted some Ubuntu boxes from ufw to firewalld, and I use Ansible pretty much exclusively, so I also ran into a bit of this.
First, you should know that out of the box firewalld blocks most incoming traffic. In the default configuration on Ubuntu, no interfaces or sources are attached to any zone, so firewalld considers all traffic to be part of the public zone. This zone permits only incoming ssh and DHCP client response traffic. There are a couple of ways you can handle this.
In my own Ansible playbooks and roles, I configure firewalld rules along with each service. So, I have a role that installs nginx, and that role also opens the http and https services in firewalld. So, as soon as the web server is installed and running, the firewall is also ready to go. When I converted from ufw to firewalld, I just re-ran the whole playbook and only the ufw and firewalld stuff changed.
If you are doing a one-off and have a lot of ports to open, or some other complex configuration, you might want to open the ports in firewalld on a scratch VM, and then grab the resulting XML file for that zone from the /etc/firewalld/zones directory. You can then copy that file to any system and restart firewalld to have it use the corresponding configuration.
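As an added example (not part of the original answer), here is an Ansible play that implements both approaches the answer describes: opening services with the firewalld module next to the service that needs them, and shipping a zone XML file exported from a scratch VM and reloading firewalld so the permanent configuration is applied in one shot. It assumes the firewalld module comes from the ansible.posix collection, that firewalld is already installed on the targets, and that the host group `webservers` and the file `files/public.xml` are placeholders for your own inventory and role layout.

```yaml
# Added example, not the original answer's code. Assumes the ansible.posix
# collection (firewalld module), firewalld already installed on the hosts,
# and placeholder names for the host group and the exported zone file.
- hosts: webservers
  become: true
  vars:
    # firewalld's built-in service definitions for a web server.
    web_services:
      - http
      - https
  tasks:
    - name: Make sure firewalld is running before it is configured
      service:
        name: firewalld
        state: started
        enabled: true

    # Approach 1: open each service permanently and immediately, so the
    # running ruleset and the saved configuration never diverge.
    - name: Open web services in the public zone
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ web_services }}"

    # Approach 2: install a zone file captured from a scratch VM. This only
    # changes the permanent configuration, so a reload applies it at once.
    # files/public.xml is an assumed path inside the role.
    - name: Install pre-built public zone definition
      copy:
        src: files/public.xml
        dest: /etc/firewalld/zones/public.xml
        owner: root
        group: root
        mode: "0600"
      notify: reload firewalld

  handlers:
    - name: reload firewalld
      command: firewall-cmd --reload
```

The copied zone file in /etc/firewalld/zones overrides the distribution default in /usr/lib/firewalld/zones, and `firewall-cmd --reload` swaps the whole permanent configuration into the runtime in a single step, so there is no window in which the host runs without rules.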