Initializing the CentOS firewall with Ansible
The CentOS firewall is not enabled by default. Because the dmz zone only allows ssh and icmp by default, the initialization makes dmz the default zone.
The playbook asks Ansible to do the following:
1. Enable the firewalld firewall
2. Set dmz as the default zone and bind interface eth0 to it
3. Allow http/https and ntp/snmp
4. Restart the firewall
The playbook:
---
- hosts: axtestcentos
  become_user: root
  become: true
  tasks:
    # Notes:
    # Use "dmz" zone and add ssh/http/https/ntp/snmp as example.
    # Make dmz the default policy.
    - name: Enable firewalld
      service: name=firewalld state=started enabled=yes
    - name: Set dmz as default policy
      # --set-default-zone is written to the permanent config and applied at once
      command: firewall-cmd --set-default-zone=dmz
    - name: Add eth0 to dmz zone
      # --permanent keeps the binding across the firewalld restart below;
      # without it the runtime-only binding is dropped on restart
      command: firewall-cmd --zone=dmz --permanent --add-interface=eth0
    - name: Allow http/https
      command: firewall-cmd --zone=dmz --permanent --add-service=http --add-service=https
    - name: Allow NTP/SNMP
      command: firewall-cmd --zone=dmz --permanent --add-service=ntp --add-service=snmp
    - name: Bounce firewalld
      # the restart loads the --permanent changes into the runtime configuration
      service: name=firewalld state=restarted
The command module is used here; for the individual commands see the 2019-03-29 post CentOS防火墙firewalld使用 (CentOS firewalld usage).
If you use the firewalld module instead, the Ansible manual gives the following YAML examples:
- firewalld:
    service: https
    permanent: true
    state: enabled
- firewalld:
    port: 8081/tcp
    permanent: true
    state: disabled
- firewalld:
    port: 161-162/udp
    permanent: true
    state: enabled
- firewalld:
    zone: dmz
    service: http
    permanent: true
    state: enabled
- firewalld:
    rich_rule: 'rule service name="ftp" audit limit value="1/m" accept'
    permanent: true
    state: enabled
- firewalld:
    source: 192.0.2.0/24
    zone: internal
    state: enabled
- firewalld:
    zone: trusted
    interface: eth2
    permanent: true
    state: enabled
- firewalld:
    masquerade: yes
    state: enabled
    permanent: true
    zone: dmz
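Putting the two approaches together, here are the post's four steps rewritten around the firewalld module (an added example, not the post's own playbook nor the Ansible manual's): each task is idempotent and applies the permanent and runtime configuration in one go, so no final restart is needed. The host axtestcentos and interface eth0 come from the post; the module is referenced by its collection name ansible.posix.firewalld, which on older Ansible releases is simply firewalld.

```yaml
---
- hosts: axtestcentos
  become: true
  tasks:
    - name: Enable firewalld
      service:
        name: firewalld
        state: started
        enabled: yes

    # The firewalld module cannot change the default zone, so this step
    # still uses firewall-cmd. The query keeps the task idempotent:
    # --set-default-zone only runs when the zone is not already dmz.
    - name: Read current default zone
      command: firewall-cmd --get-default-zone
      register: default_zone
      changed_when: false

    - name: Set dmz as default zone
      command: firewall-cmd --set-default-zone=dmz
      when: default_zone.stdout != 'dmz'

    # permanent + immediate writes the config to disk and applies it to
    # the running firewall, replacing the "--permanent then restart" pattern.
    - name: Bind eth0 to the dmz zone
      ansible.posix.firewalld:
        zone: dmz
        interface: eth0
        permanent: true
        immediate: true
        state: enabled

    - name: Allow http/https/ntp/snmp in dmz
      ansible.posix.firewalld:
        zone: dmz
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - http
        - https
        - ntp
        - snmp
```

Re-running the play reports no changes once the host matches the desired state, which the command-only version cannot do.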