How to reload Firewalld service using Ansible?


Solution 1

First of all, use with_items for the list of ports, as below:

- name: Add port to firewalld
  firewalld:
    port: "{{ item }}"
    permanent: yes
    state: enabled
  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
  loop:
    - 8080/tcp
    - 8000/tcp
    - 8090/tcp
    - 8040/tcp

You can also use the code below to enter the ports as a variable if they are not fixed:

- hosts: localhost
  gather_facts: no
  vars_prompt:
    - name: ports
      prompt: "Enter port(s) number"
      private: no
  tasks:
    - name: add port
      firewalld:
        # the prompt supplies port specs such as 8080/tcp,8000/tcp,
        # so the port parameter is used rather than service
        port: "{{ item }}"
        permanent: yes
        immediate: yes
        state: enabled
      with_items: "{{ ports.split(',') }}"

Regarding reloading firewalld: it's mentioned here that we can't reload firewalld using the state parameter, so use the systemd module as below:

- name: reload service firewalld
  systemd:
    name: firewalld
    state: reloaded

Solution 2

The firewalld module has an immediate option, which performs the same reload as the firewall-cmd CLI tool.

- name: Add port to firewalld
  firewalld:
    port: "{{ item }}"
    permanent: yes
    state: enabled
    immediate: true   # apply to the runtime config as well, no separate reload needed
  loop:
    - 8080/tcp
    - 8000/tcp
    - 8090/tcp
    - 8040/tcp

Solution 3

You can use the service or systemd module.

# Supports init systems including BSD init, OpenRC, SysV, Solaris SMF, systemd, upstart.
- name: Restart service
  service:
    name: firewalld
    state: restarted

# Controls systemd services on remote hosts.
- name: Restart service
  systemd:
    state: restarted
    daemon_reload: yes
    name: firewalld

Solution 4

I'm a bit late, but given that all previous answers seem to just speculate, I will give another input. Firewalld is not reloaded with 'service' or 'systemctl' commands but rather with its own specific command:

firewall-cmd --reload

This is because that way you can load new rules without interrupting any active network connections, as would be the case when using iptables directly. Given this, I think using service or systemctl is not a good solution. So if you just want to create a task, I suggest using the command module from Ansible to execute this command. Or you could write a handler like so:

- name: reload firewalld
  command: firewall-cmd --reload

Just put the handler in the handlers/main.yml file inside your role. Then in your tasks you can call that handler with:

notify: reload firewalld

That way Ansible only executes the handler at the end of your Ansible run. I successfully tested this on RHEL7.
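A complete playbook for the handler approach, as an added example that is not from any of the answers above: it opens the ports from the question as permanent rules, notifies the handler only when a rule actually changed, flushes handlers so the reload runs before the check, and then verifies the runtime configuration with firewall-cmd --list-ports. The port list and the ansible_os_family condition are my assumptions.

```yaml
# Added example, not from the original answers: permanent rules plus a
# firewall-cmd --reload handler, followed by a check of the runtime config.
- hosts: all
  become: true
  vars:
    # Constructed sample list; replace with the ports your service needs.
    firewalld_ports:
      - 8080/tcp
      - 8000/tcp
      - 8090/tcp
      - 8040/tcp

  tasks:
    - name: Ensure firewalld is installed, enabled and running
      systemd:
        name: firewalld
        state: started
        enabled: true

    - name: Add permanent port rules to firewalld
      firewalld:
        port: "{{ item }}"
        permanent: true
        state: enabled
      loop: "{{ firewalld_ports }}"
      when: ansible_os_family == 'RedHat'
      # The handler fires once, at the end, and only if a rule changed.
      notify: reload firewalld

    - name: Flush handlers now so the verification below sees the new rules
      meta: flush_handlers

    - name: List the ports active in the runtime configuration
      command: firewall-cmd --list-ports
      register: fw_ports
      changed_when: false   # read-only query, never report a change

    - name: Fail if any requested port is not open in the runtime config
      assert:
        that: "item in fw_ports.stdout.split()"
        fail_msg: "Port {{ item }} is not active after reload"
      loop: "{{ firewalld_ports }}"

  handlers:
    - name: reload firewalld
      command: firewall-cmd --reload
```

Without the meta: flush_handlers step the reload would only happen after all tasks, so the list/assert check would still see the old runtime rules.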

Ali

I'm an IT man who usually deals with networks, physical, logical or even in the clouds!

Updated on June 17, 2022

Comments

  • Ali (almost 2 years ago)

    I added some rules to firewalld in CentOS 7 with Ansible, but I must reload the firewalld daemon so that the service works properly. Any ideas?

    Here is my Ansible code:

    - name: Add port to firewalld
      firewalld:
        port: "{{ item }}"
        permanent: yes
        state: enabled
      when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
      loop:
        - 8080/tcp
        - 8000/tcp
        - 8090/tcp
        - 8040/tcp