Initializing the firewall on CentOS with ansible
The firewall is not active on a default CentOS install. Because the dmz zone already permits ssh and icmp out of the box, the initialization makes dmz the default zone.
The playbook asks ansible to do the following:
1. enable the firewalld service
2. set dmz as the default zone and bind the eth0 interface to it
3. allow http/https and ntp/snmp
4. restart the firewall
The playbook:
---
- hosts: axtestcentos
  become: true
  become_user: root
  tasks:
    # Notes:
    # Use "dmz" zone and add ssh/http/https/ntp/snmp as example.
    # Make dmz the default policy.
    - name: Enable firewalld
      service: name=firewalld state=started enabled=yes
    # --set-default-zone writes firewalld.conf, so it is persistent on its own.
    - name: Set dmz as default policy
      command: firewall-cmd --set-default-zone=dmz
    # The binding must be --permanent: a runtime-only interface assignment is
    # dropped again by the restart at the end of the play.
    - name: Add eth0 to dmz zone
      command: firewall-cmd --zone=dmz --permanent --add-interface=eth0
    - name: Allow http/https
      command: firewall-cmd --zone=dmz --permanent --add-service=http --add-service=https
    - name: Allow NTP/SNMP
      command: firewall-cmd --zone=dmz --permanent --add-service=ntp --add-service=snmp
    # Restart so the --permanent changes above become the running configuration.
    - name: Bounce firewalld
      service: name=firewalld state=restarted
The playbook uses the command module; the individual commands are explained in the earlier post 2019-03-29 CentOS防火墙firewalld使用 (CentOS firewalld usage). Note that the command module is not idempotent: every run executes all the firewall-cmd calls again and reports each task as changed, and the firewall is restarted each time.
If you prefer the firewalld module, the Ansible module documentation provides the following YAML examples:
- firewalld:
    service: https
    permanent: true
    state: enabled
- firewalld:
    port: 8081/tcp
    permanent: true
    state: disabled
- firewalld:
    port: 161-162/udp
    permanent: true
    state: enabled
- firewalld:
    zone: dmz
    service: http
    permanent: true
    state: enabled
- firewalld:
    rich_rule: 'rule service name="ftp" audit limit value="1/m" accept'
    permanent: true
    state: enabled
- firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled
- firewalld:
    zone: trusted
    interface: eth2
    permanent: true
    state: enabled
- firewalld:
    masquerade: yes
    state: enabled
    permanent: true
    zone: dmz
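The following is an added example, not the original post's playbook and not taken from the Ansible documentation: the same dmz initialization rewritten with the firewalld module so that repeated runs are idempotent and no firewall restart is needed. It assumes the inventory group axtestcentos and the interface eth0 from the post, and uses the short module name firewalld as the page does (on Ansible 2.10 and later the module lives in the ansible.posix collection as ansible.posix.firewalld). The firewalld module cannot change the default zone, so that one step stays with firewall-cmd, guarded by a read-only check.

```yaml
---
# Added example: dmz initialization with the firewalld module.
# Assumptions: host group "axtestcentos" and interface "eth0" as in the post.
- hosts: axtestcentos
  become: true
  tasks:
    - name: Enable and start firewalld
      service:
        name: firewalld
        state: started
        enabled: yes

    # The firewalld module has no "default zone" option, so keep firewall-cmd
    # for it, but only call --set-default-zone when it would actually change something.
    - name: Read the current default zone
      command: firewall-cmd --get-default-zone
      register: default_zone
      changed_when: false

    - name: Make dmz the default zone
      command: firewall-cmd --set-default-zone=dmz
      when: default_zone.stdout != 'dmz'

    # permanent + immediate writes the zone file and applies the change to the
    # running firewall in one step, so no restart or reload is needed afterwards.
    - name: Bind eth0 to the dmz zone
      firewalld:
        zone: dmz
        interface: eth0
        permanent: yes
        immediate: yes
        state: enabled

    - name: Allow http, https, ntp and snmp in dmz
      firewalld:
        zone: dmz
        service: "{{ item }}"
        permanent: yes
        immediate: yes
        state: enabled
      loop:
        - http
        - https
        - ntp
        - snmp

    # Safety check: ansible itself arrives over ssh, so confirm the zone that
    # now owns eth0 still permits it before the play ends.
    - name: Show the effective dmz configuration
      command: firewall-cmd --zone=dmz --list-all
      register: dmz_config
      changed_when: false

    - name: Refuse to finish if ssh is not allowed in dmz
      assert:
        that: "'ssh' in dmz_config.stdout"
        fail_msg: "ssh is not allowed in zone dmz; fix the zone before binding interfaces to it"
```

Run it with `ansible-playbook -i inventory dmz.yml`. The first run reports the zone, interface and service tasks as changed; a second run reports nothing changed, which is the behaviour the command-module version of the playbook cannot give you. The final assert is the check worth keeping in any firewall playbook: a zone without ssh bound to the management interface locks the control node out on the next task.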