Firewalld is the userland interface for dynamically managing a Linux firewall, introduced in Fedora 15 and CentOS/RHEL 7. This firewalld cookbook provides resources for managing zones, interfaces, sources, services, ports, rich rules and masquerading. Every resource applies its change to both the running configuration and the permanent configuration, so the change takes effect immediately and survives a reload.
The firewalld_interface resource adds a network interface to a zone in both the current and the permanent configuration. The interface name is a string that should match a network interface on the system. If zone is omitted, the default zone is used.

- :add - add the interface to the current and permanent configuration.
- :change - change the interface to the current and permanent configuration, removing it from any other zone. (default)
- :remove - remove the interface from the current and permanent configuration.

Attribute | Description | Example | Default |
---|---|---|---|
interface | (name attribute) the interface to manage | em1 | |
zone | firewalld zone to add the interface to or remove it from | public | (none, uses default zone) |

The default action, :change, associates an interface with a firewall zone:

```ruby
firewalld_interface 'em1'
```
This will associate the interface em1 with the default zone.
Add the interface to a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_interface 'em1' do
  action :add
  zone 'internal'
end
```

Add the interface to a zone, and remove it from any other zone it may be associated with. If zone is omitted, the default zone is used.

```ruby
firewalld_interface 'em1' do
  action :change
  zone 'internal'
end
```

Remove the interface from a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_interface 'em1' do
  action :remove
  zone 'internal'
end
```
The firewalld_rich_rule resource allows you to create complex rules directly on the firewall. It loads the rule into the running configuration and also passes it to firewalld with the --permanent flag, so it persists across a reload.

- :add - add the rich rule to the current and permanent configuration
- :remove - remove the rich rule from the current and permanent configuration

The attributes of firewalld_rich_rule map directly to the rich language parameters accepted by firewall-cmd(1). More can be read in Complex Firewall Rules with Rich Language and firewalld.richlanguage(5). Note that a rich rule without a source_address matches connections from any source, so pair service_name or port_number with a source_address whenever the service should only be reachable from known hosts.

Attribute | Description | Example | Default |
---|---|---|---|
name | (name attribute) The name of the resource. This is not passed to firewall-cmd. | ssh_add | |
zone | firewalld zone to add the rich rule to or remove it from | public | (none, uses default zone) |
family | IP family. Choice of 'ipv4' or 'ipv6'. | ipv6 | ipv4 |
source_address | Limits the origin of a connection attempt to a specific range of IPs. | 192.168.100.5/32 | (none, not limited) |
destination_address | Limits the target of a connection attempt to a specific range of IPs. | 192.168.100.5/32 | (none, not limited) |
service_name | One of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services. | ssh | |
port_number | Can be a single integer or a port range, for example '5060-5062'. Requires that the port_protocol attribute also be specified. | 5060 | |
port_protocol | The protocol for the specified port, can be 'tcp' or 'udp'. Requires that the port_number attribute also be specified. | tcp | |
log_prefix | Logs new connection attempts with kernel logging. The log lines are prepended with this prefix. | ssh | |
log_level | Can be one of 'emerg', 'alert', 'error', 'warning', 'notice', 'info', or 'debug'. | info | |
limit_value | Limits the rate at which log entries are written. | 1/m | 1/m (one entry per minute) |
firewall_action | Can be one of 'accept', 'reject', or 'drop'. This is how all traffic that matches the rule is handled. | accept | |
```ruby
# This opens the ssh service to ip `192.168.100.5` and logs at a rate of
# 1 entry per minute with a prefix of ssh on each log entry.
#
firewalld_rich_rule "ssh_add" do
  zone 'public'
  family 'ipv4'
  source_address '192.168.100.5/32'
  service_name 'ssh'
  log_prefix 'ssh'
  log_level 'info'
  limit_value '1/m'
  firewall_action 'accept'
  action :add
end
```
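The following plain Ruby is added here as an illustration and is not part of the firewalld cookbook. It shows the rich language string that the attributes in the table above translate to, and the pair of firewall-cmd invocations (one for the running configuration, one with --permanent) that apply or remove it. The helper names rich_rule and firewall_cmds are this example's own; the attribute names, the accepted values and the ssh example values come from the table and the example above.

```ruby
# Added illustration, not the firewalld cookbook's own code.
# Builds the firewalld rich language rule for a set of resource attributes
# and the firewall-cmd argument vectors that apply it.

# Accepted values, mirroring the attribute table. Anything else is rejected
# up front rather than handed to firewall-cmd, which would refuse the rule.
FAMILIES   = %w[ipv4 ipv6].freeze
PROTOCOLS  = %w[tcp udp].freeze
LOG_LEVELS = %w[emerg alert error warning notice info debug].freeze
ACTIONS    = %w[accept reject drop].freeze

# Returns the rich rule string, for example:
# rule family="ipv4" source address="192.168.100.5/32" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept
# family is always emitted because firewalld requires it whenever a source or
# destination address is part of the rule, and the resource defaults it to ipv4.
def rich_rule(family: 'ipv4', source_address: nil, destination_address: nil,
              service_name: nil, port_number: nil, port_protocol: nil,
              log_prefix: nil, log_level: nil, limit_value: nil,
              firewall_action: 'accept')
  raise ArgumentError, "family must be one of #{FAMILIES}" unless FAMILIES.include?(family)
  raise ArgumentError, "firewall_action must be one of #{ACTIONS}" unless ACTIONS.include?(firewall_action)
  # port_number and port_protocol are only valid together (see the table).
  if port_number.nil? ^ port_protocol.nil?
    raise ArgumentError, 'port_number and port_protocol must be specified together'
  end
  if port_protocol && !PROTOCOLS.include?(port_protocol)
    raise ArgumentError, "port_protocol must be one of #{PROTOCOLS}"
  end
  if log_level && !LOG_LEVELS.include?(log_level)
    raise ArgumentError, "log_level must be one of #{LOG_LEVELS}"
  end

  parts = [%(rule family="#{family}")]
  parts << %(source address="#{source_address}") if source_address
  parts << %(destination address="#{destination_address}") if destination_address
  parts << %(service name="#{service_name}") if service_name
  parts << %(port port="#{port_number}" protocol="#{port_protocol}") if port_number
  # The log element carries prefix, level and the rate limit together.
  if log_prefix || log_level || limit_value
    log = ['log']
    log << %(prefix="#{log_prefix}") if log_prefix
    log << %(level="#{log_level}") if log_level
    log << %(limit value="#{limit_value}") if limit_value
    parts << log.join(' ')
  end
  parts << firewall_action
  parts.join(' ')
end

# The resource applies every change twice: to the running configuration and,
# with --permanent, to the persistent one. Returns both argument vectors as
# arrays so no shell quoting is involved when they are passed to system().
def firewall_cmds(rule, zone: nil, action: :add)
  flag = action == :remove ? '--remove-rich-rule' : '--add-rich-rule'
  base = ['firewall-cmd']
  base << "--zone=#{zone}" if zone
  [base + [flag, rule], base + ['--permanent', flag, rule]]
end

if $PROGRAM_NAME == __FILE__
  # The ssh_add example from the page.
  rule = rich_rule(family: 'ipv4', source_address: '192.168.100.5/32',
                   service_name: 'ssh', log_prefix: 'ssh', log_level: 'info',
                   limit_value: '1/m', firewall_action: 'accept')
  firewall_cmds(rule, zone: 'public').each { |argv| puts argv.join(' ') }
end
```

Running the file prints the two commands for the ssh example. On a host running firewalld, the applied rule can be confirmed afterwards with firewall-cmd --zone=public --list-rich-rules (add --permanent to inspect the persistent copy).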
The firewalld_service resource adds a service to a zone in both the current and the permanent configuration. The service name is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services. If zone is omitted, the default zone is used.

- :add - add the service to the current and permanent configuration
- :remove - remove the service from the current and permanent configuration

Attribute | Description | Example | Default |
---|---|---|---|
service | (name attribute) the service to manage | http | |
zone | firewalld zone to add the service to or remove it from | public | (none, uses default zone) |

The default action adds a service to the firewall:

```ruby
firewalld_service 'http'
```
This will allow access to the http service in the default zone.
Add the service to a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_service 'tftp' do
  action :add
  zone 'public'
end
```

Remove the service from a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_service 'telnet' do
  action :remove
  zone 'public'
end
```
The firewalld_port resource adds a port to a zone in both the current and the permanent configuration. The port is given as number/protocol, for example 993/tcp. If zone is omitted, the default zone is used.

- :add - add the port to the current and permanent configuration
- :remove - remove the port from the current and permanent configuration

Attribute | Description | Example | Default |
---|---|---|---|
port | (name attribute) the port to manage | 993/tcp | |
zone | firewalld zone to add the port to or remove it from | public | (none, uses default zone) |

The default action adds a port to the firewall:

```ruby
firewalld_port '993/tcp'
```
This will allow access to TCP port 993 in the default zone.
Add the port to a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_port '993/tcp' do
  action :add
  zone 'public'
end
```

Remove the port from a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_port '993/tcp' do
  action :remove
  zone 'public'
end
```
The firewalld_zone resource adds a firewalld zone to the current and permanent configurations.

- :create - Default. Use to create a zone. If the zone already exists but does not match, use to update that zone to match.
- :create_if_missing - Use to create a zone only if the zone does not exist.
- :delete - Use to delete a zone.

Attribute | Description | Example | Default |
---|---|---|---|
zone | (name attribute) the name of the zone to manage | external | |
default | Use to make this zone the default zone. | true | nil |
target | Default firewall target. May be one of "default", "ACCEPT", "DROP", or "%%REJECT%%". | ACCEPT | default |

The default action, :create, creates or updates a zone:

```ruby
firewalld_zone 'database'
```

This will create a new firewalld zone called "database".

Create or update the zone. With target 'DROP', traffic that matches no explicit rule in the zone is silently discarded, so add the services or ports the host needs (for example with firewalld_service) before making such a zone the default.

```ruby
firewalld_zone 'secure' do
  action :create
  target 'DROP'
  default true
end
```

Create the zone only if it does not exist.

```ruby
firewalld_zone 'database' do
  action :create_if_missing
  target 'DROP'
end
```

Delete the zone.

```ruby
firewalld_zone 'secure' do
  action :delete
end
```

The firewalld_source resource adds a source network address range to a zone in both the current and the permanent configuration. The source name is a network address in CIDR notation such as "192.168.100.0/24". If zone is omitted, the default zone is used. firewalld selects the zone for a packet by its source binding before its interface binding, so a source placed in a more permissive zone than the interface it arrives on widens what that source can reach.

- :add - add the source to the current and permanent configuration.
- :change - change the source to the current and permanent configuration, removing it from any other zone. (default)
- :remove - remove the source from the current and permanent configuration.

Attribute | Description | Example | Default |
---|---|---|---|
source | (name attribute) the network subnet specification to manage | 192.168.100.0/24 | |
zone | firewalld zone to add the source to or remove it from | public | (none, uses default zone) |

The default action, :change, associates a source with a firewall zone:

```ruby
firewalld_source '192.168.100.0/24'
```

This will associate the source IP address range "192.168.100.0/24" with the default zone.

Add the source to a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_source '192.168.0.0/24' do
  action :add
  zone 'internal'
end
```

Add the source to a zone, and remove it from any other zone it may be associated with. If zone is omitted, the default zone is used.

```ruby
firewalld_source '192.168.0.0/24' do
  action :change
  zone 'internal'
end
```

Remove the source from a zone. If zone is omitted, the default zone is used.

```ruby
firewalld_source '192.168.0.0/24' do
  action :remove
  zone 'internal'
end
```
The firewalld_masquerade resource adds the masquerading option to a zone. If zone is omitted, the default zone is used. This is equivalent to firewall-cmd --zone=public --add-masquerade or firewall-cmd --zone=public --remove-masquerade. Masquerading applies source NAT to traffic forwarded out of the zone and is IPv4 only; enable it only on the zone that faces the outside network.

- :add - add the masquerade option to the current and permanent configuration. (default)
- :remove - remove the masquerade option from the current and permanent configuration.

Attribute | Description | Example | Default |
---|---|---|---|
zone | firewalld zone to add masquerading to or remove it from | public | (none, uses default zone) |

The default action, :add, adds the masquerade option to a zone:

```ruby
firewalld_masquerade 'public'
```

This will add the masquerade option to the "public" firewalld zone.

Add masquerade to a zone.

```ruby
firewalld_masquerade 'add masquerading to public zone' do
  action :add
  zone 'public'
end
```

Remove masquerade from a zone.

```ruby
firewalld_masquerade 'remove masquerading from public zone' do
  action :remove
  zone 'public'
end
```
- default - installs and enables firewalld.
- disable - disables firewalld and uses iptables if node[:firewalld][:iptables_fallback] is set.
- enable - reverts to firewalld if node[:firewalld][:iptables_fallback] is set.
If you're using Berkshelf, just add firewalld to your Berksfile and metadata.rb:

```ruby
# Berksfile
cookbook 'firewalld'
```

```ruby
# metadata.rb
depends 'firewalld'
```
- Fork the project
- Create a feature branch corresponding to your change
- Commit and test thoroughly
- Create a Pull Request on github
- Author:: Jeff Hutchison jeff@jeffhutchison.com
- Author:: Manuel Toledo mtoledo@adobe.com
- Author:: Johnathan Kupferer jtk@uic.edu
Copyright 2015, Jeff Hutchison
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.