Allow HTTP(S) for public zone

2023-12-28 21:04:33 +01:00 · 2023-12-28 21:04:33 +01:00 · fa0d70732d
parent 13604759a1
commit fa0d70732d
1 changed files with 17 additions and 7 deletions
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@ -18,8 +18,9 @@
        permanent: true
        state: enabled

-    - name: Deny incoming connections to SSH port in default zone
+    - name: Deny incoming connections to SSH port in zone 'public'
      ansible.posix.firewalld:
+        zone: public
        service: ssh
        permanent: true
        state: disabled
@ -46,23 +47,32 @@
  when: hostname in groups['proxyservers']
  notify: Reload firewalld
  block:
-    - name: Allow incoming connections to HTTP port in zone 'dmz'
+    - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
        service: http
        permanent: true
        state: enabled
+      loop:
+        - public
+        - dmz

-    - name: Allow incoming connections to HTTPS port in zone 'dmz'
+    - name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
        service: https
        permanent: true
        state: enabled
+      loop:
+        - public
+        - dmz

-    - name: Allow incoming connections to HTTP/3 port in zone 'dmz'
+    - name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
        service: http3
        permanent: true
        state: enabled
+      loop:
+        - public
+        - dmz