This has been on my backlog a long while and @phsmoura wanted to work on it.
This will be somewhat long, so let's go!
Background: Currently we use iptables on all our hosts. We do this because it's simple to manage for the most part and it was well supported across Fedora and RHEL. However, iptables is really disappearing now. It's been replaced with nftables, but with somewhat of a compatibility mode allowing legacy iptables to keep working for now. Additionally, firewalld provides us with some advantages over iptables: the ability to not care about what the backend is, the ability to specify zones, better dynamic replacement, etc.
The current setup works via templates in roles/base/templates/iptables/. A few groups of things have different templates, but there are not too many. Additionally, in these templates we fill in some values from host and group vars. Finally, we also insert some blocking rules from the ansible-private repo for external hosts.
There is an ansible firewalld module ( https://docs.ansible.com/ansible/latest/collections/ansible/posix/firewalld_module.html ) but it might be too heavy for us. We may need to look at how we can make custom firewalld config and keep using a template system. This will require some investigation. ;)
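As an added illustration of the two options mentioned above (not code from this ticket or from the infra ansible repo), the playbook below shows the per-rule style with the ansible.posix.firewalld module alongside a template-style approach that renders a whole zone file and reloads firewalld. The zone name `public`, the variable names `firewalld_services`, `firewalld_tcp_ports` and `firewalld_blocked_sources`, and the inline zone template are assumptions chosen for the example; the values would come from host/group vars and from the private blocking list as they do today.

```yaml
# Added example, not part of the ticket. Two plays showing the two
# styles discussed; a real role would pick one, since both write to
# the same zone file under /etc/firewalld/zones/.
- name: Option 1 - manage rules one at a time with the firewalld module
  hosts: all
  become: true
  vars:
    firewalld_services: [ssh, https]   # hypothetical; normally from group_vars
    firewalld_blocked_sources: []       # hypothetical; normally from ansible-private
  tasks:
    - name: Ensure firewalld is installed
      ansible.builtin.package:
        name: firewalld
        state: present

    - name: Ensure firewalld is running and enabled
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    - name: Allow the wanted services in the public zone (runtime + permanent)
      ansible.posix.firewalld:
        zone: public
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ firewalld_services }}"

    - name: Drop traffic from blocked sources via rich rules
      ansible.posix.firewalld:
        zone: public
        rich_rule: "rule family=ipv4 source address={{ item }} drop"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ firewalld_blocked_sources }}"

- name: Option 2 - keep a template workflow by rendering the whole zone file
  hosts: all
  become: true
  vars:
    firewalld_services: [ssh, https]   # hypothetical; normally from group_vars
    firewalld_tcp_ports: [8080]         # hypothetical; normally from host_vars
    firewalld_blocked_sources: []       # hypothetical; normally from ansible-private
  tasks:
    # copy's "content" is rendered through Jinja2, so this behaves like a
    # template under roles/base/templates/ but stays self-contained here.
    - name: Render /etc/firewalld/zones/public.xml
      ansible.builtin.copy:
        dest: /etc/firewalld/zones/public.xml
        owner: root
        group: root
        mode: "0644"
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <zone>
            <short>Public</short>
          {% for svc in firewalld_services %}
            <service name="{{ svc }}"/>
          {% endfor %}
          {% for p in firewalld_tcp_ports %}
            <port protocol="tcp" port="{{ p }}"/>
          {% endfor %}
          {% for src in firewalld_blocked_sources %}
            <rule family="ipv4"><source address="{{ src }}"/><drop/></rule>
          {% endfor %}
          </zone>
      notify: reload firewalld

  handlers:
    # --reload re-reads the permanent configuration without a flush/reapply
    # window, which is the "better dynamic replacement" point above.
    - name: reload firewalld
      ansible.builtin.command: firewall-cmd --reload
```

Option 2 is the closer match to the current iptables templates: the rendered XML is the complete desired state for the zone, so a diff of the file is a diff of the policy, and the blocking rules from the private repo slot in as `<rule>` entries instead of separate iptables lines. Option 1 is simpler per task but spreads the policy across many tasks and only ever adds or removes the rules it knows about, so anything added by hand on a host would survive a run.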
Some requirements:
There may be more I am not thinking of. :)