How to create a policy for firewalld with the rhel-system-roles.firewall role?

Hello guys,

So on Rocky 9, in order to have NAT working for a typical internet gateway, a firewalld policy has to be configured, like this example:

firewall-cmd --permanent --new-policy policy_int_to_ext
firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone internal
firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT
firewall-cmd --reload

I am trying to configure a firewall with the rhel-system-roles.firewall Ansible role. I can do everything except add that policy. I'm trying like this:

    roles:
      - role: rhel-system-roles.firewall
        vars:
          # the role expects its configuration in the `firewall` list variable
          firewall:
            - { policy: int_to_ext,
                ingress-zone: internal,
                egress-zone: external,
                priority: 100,
                target: ACCEPT,
                state: enabled }

But the policy does not get installed/configured. Any ideas? Many thanks in advance for any tip on this.

The FirewallD support for policy objects is quite new.
The system role does not seem to support those yet.
(The role does not support all scenarios either.)

I tried to set up port forwarding on el9 last week. Utterly failed with FirewallD, so banished it. I have now a hand-crafted nftables ruleset that I drop in with ansible.builtin.copy.

Yeah, there is always the old fashioned way. I’ll also use the copy module to copy the .xml file then.

Deploy it directly via XML (hand-crafted beforehand and templated via Ansible):

- name: "FIREWALL ROUTING | Install policy files"
  ansible.builtin.copy:   # module line was missing from the post; copy is assumed, it matches the parameters used
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
    owner: root
    group: root
    force: true
    backup: true
  loop:                   # the item list below needs a loop keyword to be iterated
    - src: "firewalld/policies-NAT_int_to_ext.xml-{{ inventory_hostname }}"
      dest: "/etc/firewalld/policies/NAT_int_to_ext.xml"
      mode: "0644"
  # firewalld only picks the file up after `firewall-cmd --reload`, so pair this with a reload handler
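Added example (not posted by anyone in this thread): a small POSIX sh script that renders the policy from the first post as the XML file that the last reply drops into /etc/firewalld/policies/, checks the rendered file for the expected zones and target, and wraps the original firewall-cmd sequence in a guard so a config-management run can call it repeatedly. The policy name, zones, priority and target are the thread's values; the function names (`policy_xml`, `policy_check`, `apply_policy`), the `<description>` text and the validation rules are my own assumptions, and the element layout follows the firewalld policy file format as I know it.

```shell
#!/bin/sh
# Added example: firewalld policy as XML plus an idempotent firewall-cmd wrapper.
# Values from the thread: policy int_to_ext, ingress zone internal, egress zone
# external, priority 100, target ACCEPT. Function names and checks are assumed.

# policy_xml NAME INGRESS_ZONE EGRESS_ZONE PRIORITY TARGET
# Prints the policy file on stdout. firewalld takes the policy name from the
# file name (NAME.xml under /etc/firewalld/policies/); <short> is display only.
policy_xml() {
    name=$1 ingress=$2 egress=$3 priority=$4 target=$5
    case "$target" in
        ACCEPT|DROP|REJECT|CONTINUE) ;;
        *) echo "policy_xml: invalid target '$target'" >&2; return 1 ;;
    esac
    # firewalld requires a non-zero integer priority (negative values allowed)
    num=${priority#-}
    case "$num" in
        ''|*[!0-9]*) echo "policy_xml: priority must be an integer" >&2; return 1 ;;
    esac
    [ "$num" != 0 ] || { echo "policy_xml: priority must be non-zero" >&2; return 1; }
cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<policy target="$target" priority="$priority">
  <short>$name</short>
  <description>Forward traffic from zone $ingress to zone $egress (constructed text)</description>
  <ingress-zone name="$ingress"/>
  <egress-zone name="$egress"/>
</policy>
EOF
}

# policy_check FILE INGRESS_ZONE EGRESS_ZONE TARGET
# Returns 0 when FILE names the expected zones and target, 1 otherwise.
# Useful as a post-deploy assertion before reloading firewalld.
policy_check() {
    grep -q "<ingress-zone name=\"$2\"/>" "$1" &&
    grep -q "<egress-zone name=\"$3\"/>" "$1" &&
    grep -q "target=\"$4\"" "$1"
}

# apply_policy NAME INGRESS_ZONE EGRESS_ZONE PRIORITY TARGET
# The firewall-cmd sequence from the first post, skipped when the policy already
# exists in the permanent configuration so repeated runs are idempotent.
# Requires root and a running firewalld; not executed by this script itself.
apply_policy() {
    if firewall-cmd --permanent --get-policies | tr ' ' '\n' | grep -qx "$1"; then
        echo "policy $1 already present, nothing to do"
        return 0
    fi
    firewall-cmd --permanent --new-policy "$1" &&
    firewall-cmd --permanent --policy "$1" --add-ingress-zone "$2" &&
    firewall-cmd --permanent --policy "$1" --add-egress-zone "$3" &&
    firewall-cmd --permanent --policy "$1" --set-priority "$4" &&
    firewall-cmd --permanent --policy "$1" --set-target "$5" &&
    firewall-cmd --reload
}

# Demo: print the XML for the thread's policy (redirect into
# /etc/firewalld/policies/int_to_ext.xml on the gateway, then reload firewalld).
policy_xml int_to_ext internal external 100 ACCEPT
```

Render the file once per host (the `inventory_hostname` suffix in the reply's src path does the same job on the Ansible side), run `policy_check` against the deployed copy, and only then reload; a policy file with a typo in a zone name is rejected by firewalld at reload time, which is the point at which the gateway loses its NAT rule.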