- hosts: web1
  tasks:
    - yum:
        name: firewalld
        state: installed
    - service:
        name: firewalld
        state: started
---
- hosts: web1
  tasks:
    - firewalld:
        source: 172.1.1.1
        state: enabled
        zone: internal
        permanent: yes
        immediate: yes
- hosts: web1
  tasks:
    - firewalld:
        port: 161/udp
        zone: block
        permanent: yes
        immediate: yes
        state: enabled
To verify, SSH to the web1 server and run the following command:
firewall-cmd --list-ports --zone=block
On the web1 node, add a firewall rule in the internal zone to allow HTTPS connections from the Ansible controller machine, and make sure the rule persists after a system reboot.
- hosts: web1
  tasks:
    - name: Enable HTTPS for ansible controller
      firewalld:
        source: 172.1.1.2   # Ansible controller machine
        service: https
        zone: internal
        state: enabled
        permanent: yes
    - service:
        name: firewalld
        state: reloaded
You have a playbook ~/playbooks/web2-config.yml; it already contains code to change Apache's default port 80 to port 8082, because we want to run Apache on port 8082 on the web2 node. Make the changes listed below before running the playbook.
A. Add an entry in ~/playbooks/inventory for the web2 node. The IP address of web2 is 172.1.1.3, and its SSH username and password are the same as web1's (username = root, password = Passw0rd).
B. Update web2-config.yml to install httpd before changing its port in the config, and also start/enable its service.
C. Install the firewalld package and start/enable its service.
D. Since Apache will now listen on port 8082, edit the playbook to add a firewall rule in the public zone so that all incoming traffic to Apache on that port is allowed.
---
- hosts: web2
  tasks:
    - name: Install pkgs
      yum:
        name:
          - httpd
          - firewalld
        state: present
    - name: Start/Enable services
      service:
        name: "{{ item }}"
        state: started
        enabled: yes
      with_items:
        - httpd
        - firewalld
    - name: Change Apache port
      replace:
        path: /etc/httpd/conf/httpd.conf
        # Anchored so that a re-run does not match the new "Listen 8082"
        # line and rewrite it to "Listen 80822"
        regexp: '^Listen 80$'
        replace: 'Listen 8082'
    - name: restart Apache
      service:
        name: httpd
        state: restarted
    - name: Add firewall rule for Apache
      firewalld:
        port: 8082/tcp
        zone: public
        permanent: yes
        state: enabled
        immediate: yes
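A verification playbook for the rules configured on web1 and web2 above (an added example, not part of the original exercise). It assumes the host names, zones and rules shown above and that firewall-cmd and ss are available on the managed nodes; it reads each rule from the runtime configuration and again with --permanent, because a rule applied only with immediate: yes is lost on reboot.

```yaml
---
# Added verification playbook, not part of the original exercise.
# Each rule is read from the runtime config and again with --permanent,
# because a rule that exists only at runtime disappears on reboot.
- hosts: web1
  gather_facts: no
  tasks:
    - name: Read runtime and permanent rules of the zones changed above
      command: "firewall-cmd {{ item }}"
      register: fw
      changed_when: false
      loop:
        - "--zone=internal --list-sources"
        - "--permanent --zone=internal --list-sources"
        - "--zone=internal --list-services"
        - "--permanent --zone=internal --list-services"
        - "--zone=block --list-ports"
        - "--permanent --zone=block --list-ports"
    - name: Fail if any web1 rule is missing from runtime or permanent config
      assert:
        that:
          - "'172.1.1.1' in fw.results[0].stdout"
          - "'172.1.1.1' in fw.results[1].stdout"
          - "'172.1.1.2' in fw.results[0].stdout"
          - "'172.1.1.2' in fw.results[1].stdout"
          - "'https' in fw.results[2].stdout"
          - "'https' in fw.results[3].stdout"
          - "'161/udp' in fw.results[4].stdout"
          - "'161/udp' in fw.results[5].stdout"
        fail_msg: "A web1 rule exists only at runtime or only in permanent config"

- hosts: web2
  gather_facts: no
  tasks:
    - name: Read the public zone rules and the listening sockets
      command: "{{ item }}"
      register: web2
      changed_when: false
      loop:
        - firewall-cmd --zone=public --list-ports
        - firewall-cmd --permanent --zone=public --list-ports
        - ss -ltn
    - name: Fail unless 8082/tcp is open both ways and httpd is listening on it
      assert:
        that:
          - "'8082/tcp' in web2.results[0].stdout"
          - "'8082/tcp' in web2.results[1].stdout"
          - "':8082' in web2.results[2].stdout"
```

If the last assertion fails while the firewall checks pass, a common cause on an SELinux-enforcing host is that port 8082 is not labelled http_port_t, so httpd cannot bind to it; the seport module can add that label.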