
Options for applying rules to firewalld zones? #280

Closed
dguertin opened this issue May 2, 2023 · 2 comments
Labels: Feature Request (Enhancement to existing functionality or new functionality)


dguertin commented May 2, 2023

🗣️ Foreword

Thanks for taking the time to fill in this feature request fully. Without it we may not be able to , and the issue may be closed without resolution.

🙍 Problem Statement

I've recently begun trying to apply this cookbook after coming from the now-defunct firewalld cookbook, and am getting confounded by the application of rules to firewalld zones. I have a rather complicated zone that encompasses a collection of IP ranges and netmasks, for which I want to apply most of my rules. Any standard rule or rich rule I apply using the firewalld_zone resource overwrites any existing rules. And if I use the simpler approach of using the firewall_rule resource, I need to specify the source for each rule, and with many rules and many sources for each one, that gets unwieldy.

❔ Possible Solution

It would be nice to be able to either:

  1. In the firewall_rule resource, specify a firewalld zone instead of an array of IP addresses/ranges; or
  2. In the firewalld_zone resource, specify a rule or rich rule that does not overwrite any existing rules for that zone.

Or is there a completely different and better approach to this that I'm missing?

dguertin added the Feature Request label May 2, 2023

a7b81a9086 (Contributor) commented:
Note that I am not responsible for the firewall_rule implementation for firewalld; I just added all the firewalld_* resources.

Your assumptions, however, are correct. There is currently no way of adding rules in the firewalld_zone resource without deleting all the other rules in it. Since the dbus interface of firewalld has a method called addRichRule that allows adding a rich rule to a zone, it should not be that much work to add this functionality.

I currently do not have that much spare time, so it may take some time for me to do it.

As a workaround, I can only suggest specifying an array of rich rules as the argument to the rules_str property of the firewalld_zone resource.
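A small Ruby helper, added here as an example and not part of the firewall cookbook, that generates the array of rich rules one would hand to the rules_str workaround above (many sources times many services, the case the reporter describes) and merges it into a zone's existing rule list without dropping or duplicating anything. Rule syntax follows firewalld's rich language; the source, service and port lists are constructed sample values, and the function names are this example's own.

```ruby
# Added example (not code from the firewall cookbook): build firewalld rich
# rules for the rules_str workaround and merge them into a zone's existing
# rules without clobbering them. Syntax follows firewalld.richlanguage(5).
require 'ipaddr'

# Render one rich rule. The family is derived from the source address unless
# given explicitly; an invalid address raises IPAddr::InvalidAddressError.
def rich_rule(source, family: nil, service: nil, port: nil, protocol: 'tcp', action: 'accept')
  addr = IPAddr.new(source)
  family ||= addr.ipv6? ? 'ipv6' : 'ipv4'
  parts = [%(rule family="#{family}"), %(source address="#{source}")]
  if service
    parts << %(service name="#{service}")
  elsif port
    parts << %(port port="#{port}" protocol="#{protocol}")
  else
    raise ArgumentError, 'a rich rule needs either a service or a port'
  end
  parts << action
  parts.join(' ')
end

# Cartesian product of sources x (services + ports): the "many rules, many
# sources for each one" case, expressed as the array rules_str would take.
def rich_rules_for(sources, services: [], ports: [])
  sources.flat_map do |src|
    services.map { |s| rich_rule(src, service: s) } +
      ports.map { |p| rich_rule(src, port: p) }
  end
end

# Idempotent merge: keep every rule the zone already has, append only rules
# that are not yet present (after whitespace normalisation), never overwrite.
# Returns [merged_rules, number_of_rules_added].
def merge_rich_rules(existing, wanted)
  normalize = ->(r) { r.strip.squeeze(' ') }
  have = existing.map(&normalize)
  new_rules = wanted.map(&normalize).reject { |r| have.include?(r) }.uniq
  [existing + new_rules, new_rules.size]
end
```

Running merge_rich_rules twice with the same input adds zero rules the second time, which is the property a converge-safe Chef resource needs.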

decoyjoe (Contributor) commented Jan 3, 2025

This was fixed in #304 (cc: @bmhughes).

  1. In the firewall_rule resource, specify a firewalld zone instead of an array of IP addresses/ranges; or

The firewall_rule resource was updated to use firewalld rich rules under the hood and now provides a zone property to specify the zone in which to add the rule. See the firewall_rule docs for more info.

  2. In the firewalld_zone resource, specify a rule or rich rule that does not overwrite any existing rules for that zone.

There is now a firewalld_rich_rule resource that allows you to add rich rules in an ad-hoc manner. Using this resource you can add individual rules to a zone without disturbing any of the other existing rich rules in the zone.

bmhughes closed this as completed Jan 3, 2025