#11715 Move from iptables to firewalld
Opened 3 months ago by kevin. Modified 3 months ago

This has been on my backlog a long while and @phsmoura wanted to work on it.

This will be somewhat long, so lets go!

Background: Currently we use iptables on all our hosts. We do this because it's simple to manage for the most part and it was well supported accross fedora and rhel.
However, iptables is really disappearing now. It's been replaced with nftables, but with somewhat of a compatibility mode allowing legacy iptables to keep working for now.
Additionally, firewalld provides us with some advantages over iptables: ability to not care about what the backend is, ability to specify zones, better dynamic replacement, etc.

The current setup works via templates in roles/base/templates/iptables/ a few groups of things have different templates, but there's not too many. Additionally in these templates we fill in some values from hosts and group vars. Finally, we also insert some blocking rules from the ansible-private repo for external hosts.

There is an ansible firewalld module ( https://docs.ansible.com/ansible/latest/collections/ansible/posix/firewalld_module.html ) but it might be too heavy for us.
We may need to look at how we can make custom firewalld config and keep using a template system.
This will require some investigation. ;)

Some requirements:

  • production hosts should block all access from staging hosts, except those in the 'staging friendly' ansible group
  • hosts/groups need to be able to specify things that are not in the base setup.
  • we need some way to inject the rules from the ansible-private script. I can provide more info about that out of band.
  • There's very likely some old cruft in current iptables we can drop
  • We will need to change our kickstarts to keep firewalld installed and active when we do new installs after this lands.
  • we definitely want to be careful and land this in staging first and make sure everything is working, or do things slowly and check each.

There may be more I am not thinking of. :)

Login to comment on this ticket.