Automating Firewall Configuration using Ansible

Task Overview

This Task aims to automate the setup and management of firewall rules using Ansible. The automation will configure either UFW (Uncomplicated Firewall) or firewalld based on the system's firewall service, ensuring security best practices by allowing/denying specific ports and IPs.

Task Scope

1. Provisioning Firewall Services
   • Install and enable UFW for Debian-based systems or firewalld for RHEL-based systems.
   • Ensure the firewall service is enabled at boot.
2. Firewall Rule Management
   • Define rules for
   • Allowing or denying specific ports (e.g., SSH, HTTP, HTTPS, custom applications).
   • Restricting access to specific IP addresses or networks.
   • Configuring default policies (deny incoming, allow outgoing, etc.).
3. Testing and Validation
• Verify that firewall rules are applied correctly.
• Ensure no unintended access is allowed.
• Confirm firewall persistence across reboots.
4. Logging and Monitoring
• Enable logging of blocked requests.
• Verify rules via Ansible and system firewall logs.
5. Rollback Mechanism
• Implement a rollback plan to revert firewall rules in case of misconfigurations.

Technologies Used

• Ansible:Configuration management tool for automation.
• UFW (Uncomplicated Firewall)Default firewall for Debian/Ubuntu systems.
• FirewalldDefault firewall for RHEL/CentOS systems.
• YAMLFor defining Ansible playbooks.
• Bash/Shell: For manual validation.
• Linux (Ubuntu/CentOS)Target OS for firewall automation.

Task Implementation Plan

Step 1: Setup Ansible Control Node

Step 1: Setup Ansible Control Node

• Install Ansible on a control node.
• Create an inventory file defining the target servers.

[firewall_servers]
server1 ansible_host=192.168.1.100 ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/id_rsa
server2 ansible_host=192.168.1.101 ansible_user=root ansible_ssh_private_key_file=~/.ssh/id_rsa

Step 2: Create Ansible Playbook

The playbook will:

• Detect whether the target OS is Ubuntu/Debian or RHEL/CentOS.
• Install and configure the respective firewall (UFW or firewalld).
• Apply firewall rules from a predefined configuration.

Playbook: firewall_setup.yml

---
- name: Configure Firewall
  hosts: firewall_servers
  become: yes
  tasks:

    - name: Install UFW on Debian-based systems
      apt:
        name: ufw
        state: present
      when: ansible_os_family == "Debian"

    - name: Install Firewalld on RHEL-based systems
      yum:
        name: firewalld
        state: present
      when: ansible_os_family == "RedHat"

    - name: Start and enable firewall service (UFW)
      service:
        name: ufw
        state: started
        enabled: yes
      when: ansible_os_family == "Debian"

    - name: Start and enable firewall service (Firewalld)
      service:
        name: firewalld
        state: started
        enabled: yes
      when: ansible_os_family == "RedHat"

    - name: Set default policies (UFW)
      command: ufw default deny incoming
      when: ansible_os_family == "Debian"

    - name: Set default policies (Firewalld)
      command: firewall-cmd --set-default-zone=drop
      when: ansible_os_family == "RedHat"

    - name: Allow SSH (UFW)
      command: ufw allow ssh
      when: ansible_os_family == "Debian"

    - name: Allow SSH (Firewalld)
      command: firewall-cmd --permanent --add-service=ssh
      when: ansible_os_family == "RedHat"

    - name: Allow HTTP (UFW)
      command: ufw allow 80/tcp
      when: ansible_os_family == "Debian"

    - name: Allow HTTP (Firewalld)
      command: firewall-cmd --permanent --add-port=80/tcp
      when: ansible_os_family == "RedHat"

    - name: Allow HTTPS (UFW)
      command: ufw allow 443/tcp
      when: ansible_os_family == "Debian"

    - name: Allow HTTPS (Firewalld)
      command: firewall-cmd --permanent --add-port=443/tcp
      when: ansible_os_family == "RedHat"

    - name: Allow specific IP to access port 8080 (UFW)
      command: ufw allow from 192.168.1.50 to any port 8080
      when: ansible_os_family == "Debian"

    - name: Allow specific IP to access port 8080 (Firewalld)
      command: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.50" port port="8080" protocol="tcp" accept'
      when: ansible_os_family == "RedHat"

    - name: Enable UFW
      command: ufw enable
      when: ansible_os_family == "Debian"

    - name: Reload Firewalld
      command: firewall-cmd --reload
      when: ansible_os_family == "RedHat"

    - name: Display Firewall Rules (UFW)
      command: ufw status verbose
      register: ufw_status
      when: ansible_os_family == "Debian"

    - name: Display Firewall Rules (Firewalld)
      command: firewall-cmd --list-all
      register: firewalld_status
      when: ansible_os_family == "RedHat"

    - debug:
        msg: "{{ ufw_status.stdout }}"
      when: ansible_os_family == "Debian"

    - debug:
        msg: "{{ firewalld_status.stdout }}"
      when: ansible_os_family == "RedHat"

Step 3: Execute the Playbook

Run the playbook to apply firewall rules across all target servers.

ansible-playbook -i inventory firewall_setup.yml

Step 4: Validate Firewall Configuration

For UFW:

sudo ufw status verbose

For Firewalld:

sudo firewall-cmd --list-all

Check logs for dropped packets:

sudo journalctl -xe | grep 'firewalld'
sudo dmesg | grep 'UFW'

Step 5: Implement Rollback

If a misconfiguration occurs, revert firewall settings.

Rollback Playbook: firewall_rollback.yml

---
- name: Rollback Firewall Configuration
  hosts: firewall_servers
  become: yes
  tasks:
    - name: Reset UFW
      command: ufw reset
      when: ansible_os_family == "Debian"
    
    - name: Disable Firewalld
      command: systemctl stop firewalld
      when: ansible_os_family == "RedHat"

Run Rollback Playbook

ansible-playbook -i inventory firewall_rollback.yml

Project Deliverables

• Ansible Inventory File
• Firewall Setup Playbook (`firewall_setup.yml`)
• Rollback Playbook (`firewall_rollback.yml`)
• Documentation & README

Conclusion

This project provides an automated, scalable, and secure solution for firewall management using Ansible. It ensures that firewall rules are consistently applied across multiple servers while offering logging, monitoring, and rollback mechanisms.

Next Steps

• Integrate with CI/CD pipelines to enforce firewall rules as part of infrastructure deployment.
• Expand support for additional firewall services like iptables.
• Implement alerting mechanisms using Prometheus & Grafana for blocked network traffic.