lab-ansible/roles/virt-common/tasks/firewall.yml

# vim: ft=yaml.ansible
# code: language=ansible
---
- name: General firewall rules
  # Every rule in this file is written with `permanent: true` and no
  # `immediate`, so the running firewall is untouched until the
  # "Reload firewalld" handler fires at the end of the play. The upside is
  # that the zone moves and the SSH deny below land atomically in one reload;
  # the downside is that a play which fails before handlers run leaves the
  # permanent and runtime rulesets out of sync until the next reload.
  # NOTE(review): `notify` on a block needs an ansible-core release that
  # accepts it as a block keyword; older releases reject this file.
  notify: Reload firewalld
  block:
    # Source-based zone assignment: packets from these prefixes are classified
    # into the named zone regardless of the interface they arrive on.
    - name: Move LAN networks to zone 'dmz'
      ansible.posix.firewalld:
        state: enabled
        permanent: true
        zone: dmz
        source: 192.168.0.0/16
    - name: Move internal network to zone 'internal'
      ansible.posix.firewalld:
        state: enabled
        permanent: true
        zone: internal
        source: 10.2.0.0/16
    # No `zone` is given, so this acts on whatever firewalld's default zone
    # happens to be on the target host. Nothing here touches the `internal`
    # zone's own service list; firewalld's stock `internal` zone normally
    # ships with ssh (and a few other services) enabled, so hosts reached from
    # 10.2.0.0/16 are presumably still reachable over SSH -- confirm that is
    # the intended exposure.
    # Lockout caveat: after the reload, SSH is accepted only from sources that
    # land in a zone that still permits it (dmz, and internal if left at its
    # defaults). Make sure the Ansible controller's address falls into one of
    # those before running this role against a remote host.
    - name: Deny incoming connections to SSH port in default zone
      ansible.posix.firewalld:
        state: disabled
        permanent: true
        service: ssh
    - name: Allow incoming connections to SSH port in zone 'dmz'
      ansible.posix.firewalld:
        state: enabled
        permanent: true
        zone: dmz
        service: ssh
# Database hosts: open PostgreSQL towards the `internal` zone only (the
# 10.2.0.0/16 prefix assigned to that zone earlier in this file); nothing is
# opened towards `dmz`. The original single-task block is written here as a
# plain task with `when`/`notify` on the task itself -- same effect.
# NOTE(review): `hostname` is not a built-in Ansible variable; presumably a
# role or inventory variable carrying the inventory name. If it is undefined
# on a host, this condition errors out rather than silently skipping, and a
# missing `dbservers` group in the inventory errors the same way.
- name: Allow incoming connections to PostgreSQL port in zone 'internal'
  when: hostname in groups['dbservers']
  notify: Reload firewalld
  ansible.posix.firewalld:
    state: enabled
    permanent: true
    zone: internal
    service: postgresql
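- name: Firewall rules for proxy servers
  # NOTE(review): `hostname` is not a built-in Ansible variable; presumably a
  # role or inventory variable carrying the inventory name -- confirm. An
  # undefined `hostname` or a missing `proxyservers` group errors the task
  # rather than skipping it.
  when: hostname in groups['proxyservers']
  notify: Reload firewalld
  block:
    # The three web services take identical module arguments, so one looped
    # task replaces three copy-pasted ones; the resulting permanent `dmz`
    # configuration is the same. Like the rest of this file the change is
    # permanent-only and becomes active on the handler's reload.
    # `http3` is firewalld's predefined UDP/443 service; it only exists on
    # reasonably recent firewalld releases, and on older ones this task fails
    # for that item instead of silently skipping it.
    - name: Allow incoming connections to web service ports in zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        service: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - http
        - https
        - http3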