There's already a module for firewalld.

Some folks, like the Fedora setup playbooks, use lokkit in their plays.

For complex installs, I still highly recommend writing a template for your
iptables file (etc) and basing that on the group membership of your hosts,
which is easy to do and appropriate.

Drilling holes in your firewall doesn't really account for the "chained"
nature of firewall rules and is a bit basic, and not always appropriate,
nor does it model all they can do.

Further, making the explicit choice about what you are letting through is
important -- rather than letting some roles you downloaded from the
internet decide.

Yes, it takes an extra minute or two here or there -- but I think
constructing your firewall rules via template is still worthwhile, and will
make sure you are using the features you need to be using.

Then it's just a "notify: restart iptables" away, and so forth.
On Tue, Mar 4, 2014 at 7:59 AM, Aaron Hunter <aaron.hunt...@gmail.com> wrote:

> Do the Ansible developers have plans to build a firewall module? I think
> one is strongly needed. Right now we have to use a variety of kludges to
> get this to work. Firewall management is an essential sys admin task and
> should be supported.
>
> Ansible Galaxy needs it because currently there is no standard way for a
> server role to open the right ports. This means that they have to either
> make up their own way or ignore it. Both of these are bad. The other CM
> tools provide this capability so it is a standard feature.
>
> I think it should be a module because it spans roles. It also has a global
> nature in that the handler should only run after all other roles have
> finished. This is why it doesn't fit any of Ansible's current patterns. The
> module should support iptables and, at least, Red Hat and SUSE (the two
> commercial distros).
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/f4a14f65-f3d9-4940-b51b-b9bd7f5cae47%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>

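The approach the reply above describes (render the iptables file from a template keyed on the host's group membership, then let a handler restart iptables) as an added example; this is not code from the thread or from the Ansible project. The group names `webservers` and `dbservers`, the `trusted_admin_nets` variable, the service port numbers and the file path `/etc/sysconfig/iptables` are assumptions made for the example.

```yaml
# Added example: one self-contained playbook that renders the iptables rules
# file from group membership and restarts iptables only when the file changed.
# Group names, the trusted_admin_nets variable, ports and paths are assumptions.
- hosts: all
  become: true
  gather_facts: true   # the dbservers rule below reads facts of the webservers
  vars:
    # constructed sample data; in a real inventory this belongs in group_vars/
    trusted_admin_nets:
      - 10.0.0.0/8
  tasks:
    - name: Render iptables rules from host group membership
      copy:
        dest: /etc/sysconfig/iptables
        owner: root
        group: root
        mode: "0600"
        # Inline Jinja2 so the example fits in one file; the reply's advice is
        # to keep this in templates/iptables.j2 and use the template module.
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          -A INPUT -m conntrack --ctstate INVALID -j DROP
          {# SSH only from the admin networks, never from anywhere #}
          {% for net in trusted_admin_nets %}
          -A INPUT -p tcp --dport 22 -s {{ net }} -m conntrack --ctstate NEW -j ACCEPT
          {% endfor %}
          {% if 'webservers' in group_names %}
          -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
          {% endif %}
          {% if 'dbservers' in group_names %}
          {# the database port is reachable only from members of the webservers group #}
          {% for host in groups.get('webservers', []) %}
          -A INPUT -p tcp --dport 5432 -s {{ hostvars[host]['ansible_default_ipv4']['address'] }} -m conntrack --ctstate NEW -j ACCEPT
          {% endfor %}
          {% endif %}
          {# log what is about to be dropped, rate limited so logs stay readable #}
          -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
          -A INPUT -j REJECT --reject-with icmp-host-prohibited
          COMMIT
      notify: restart iptables

  handlers:
    - name: restart iptables
      service:
        name: iptables
        state: restarted
```

Run it with `ansible-playbook -i inventory firewall.yml`. Because `copy` reports `changed` only when the rendered content differs from the file on disk, the handler fires only on an actual rule change, and the whole ruleset for a host is visible in one rendered file (`iptables-save` after the run should match it) rather than spread across per-role "open this port" tasks. The rule ordering is explicit here: the ESTABLISHED/RELATED accept and the INVALID drop come before any port-specific accept, which is the "chained" aspect the reply says per-port hole-punching does not model.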