Add listening ports to firewalld with Ansible

Ansible's community.general.listen_ports_facts module finds all listening TCP and UDP ports on your system.

Posted: November 4, 2022 by Evans Amoany (Sudoer)

Man working on computer with headphones — ^{Photo by Annie Spratt on Unsplash}

Recently, I was tasked to apply CIS Benchmarks to some of my systems. Fortunately, Red Hat has some Ansible roles that make this process almost trivial.

[ Download now: A system administrator's guide to IT automation. ]

One challenge I encountered was with firewalld. One of the controls in the official CIS Ansible roles ensures that firewalld is enabled and running. However, some of my systems didn't have firewalld enabled, by design. This would mean proceeding to deploy the playbooks, which would cause applications to be inaccessible. That would be a huge cost to the organization.

After some research, I found the community.general.listen_ports_facts Ansible module, which made it possible to find all listening TCP and UDP ports. This module is based on the traditional netstat command, which is part of the net-tools package, and the newer ss command. Because I wasn't sure which systems did not have net-tools, I made sure net-tools was installed as part of the process.

My solution

My solution, which is in my Git repository, contains four tasks:

Install or upgrade the net-tools package.
Gather facts on listening ports by loading the listen_ports_facts module.
Add TCP ports listed by the listen_ports_facts to firewalld.
Display the ports added to the server.

Also, the comunity.general collection needs to be installed. If it is not installed, you can install it with:

ansible-galaxy collection install community.general

Here's the playbook:

---
- name: Add Listening TCP port to Firewalld
  hosts: localhost
  gather_facts: true
  become: true
  tasks:
   - name: Install or upgrade the net-tools package
     yum:
       name: net-tools
       state: latest

   - name: tcp ports facts
     listen_ports_facts:

   - name: Add ports to firewall
     firewalld:
       port: "{{ item }}/tcp"
       state: enabled
       immediate: true
       permanent: true
     loop: "{{ ansible_facts.tcp_listen  | map(attribute='port') | sort | list }}"
     register: ports_added_to_firewalld

   - name: print Ports Added
     debug:
       var: ports_added_to_firewalld

I added this playbook to the role, and it solved my issue.

Download now

Future improvements

One issue I've discovered is the inability to filter specific ports on each server. Any ideas are welcome as either issues or pull requests to my Git repository. I did have to remove unwanted ports from a few specific servers but, all in all, this made my process much easier!

An advanced look at demystifying Ansible for Linux sysadmins

Quick start guide to Ansible for Linux sysadmins

In this second article, you'll explore the how-to of Ansible installation.

8 steps to developing an Ansible role in Linux

In this article, an existing Ansible playbook is used to deploy Vim and convert it to a role adding flexibility and reusability.

Group of people working together on laptop

4 unexpected ways to use Ansible

Ansible can do much more than conventional IT tasks, says Jeff Geerling.

Topics: Troubleshooting Ansible

Evans Amoany

I work as Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have passion for anything IT related and most importantly automation, high availability, and security. More about me