Firewall modules
firewalld module
- state: the state of the rule: enabled or disabled for a service, port or rich rule; present or absent when creating or removing a zone
- service: the firewalld service to allow, e.g. service=http
- immediate: apply the change to the running firewall right away (only meaningful together with permanent=true; without permanent the change is runtime-only and is lost on the next reload)
- port: port and protocol, e.g. port=80/tcp
- permanent: write the change to the permanent configuration so it survives a reload or reboot
Example
First start firewalld on the target hosts (and enable it at boot):
[root@master ~]# ansible webservers -m service -a 'name=firewalld state=started enabled=true'
1. Allow the http service
[root@master ~]# ansible webservers -m firewalld -a 'service=http permanent=true immediate=true state=enabled'
2. Allow a port (80/tcp is the same thing the http service opens, shown here only to illustrate the port form)
[root@master ~]# ansible webservers -m firewalld -a 'port=80/tcp permanent=true immediate=true state=enabled'
3. Rich rule (allow http only from 192.168.150.0/24; note that step 1 already allows http from anywhere, so the source restriction only means something if that unrestricted rule is removed)
[root@master ~]# ansible webservers -m firewalld -a 'rich_rule="rule family=ipv4 source address=192.168.150.0/24 service name=http accept" permanent=true immediate=true state=enabled'
4. Port forwarding (redirect incoming 443/tcp to local port 8443)
[root@master ~]# ansible webservers -m firewalld -a 'rich_rule="rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443" permanent=true immediate=true state=enabled'
5. Masquerade (source NAT for traffic leaving through this zone; only needed when the host routes for other machines or forwards to another host, so a plain web server normally does not want it)
[root@master ~]# ansible webservers -m firewalld -a 'masquerade=yes permanent=true immediate=true state=enabled'
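The same five steps as one idempotent playbook, added here as an example and not part of the original notes. It uses the fully qualified module name ansible.posix.firewalld (the ansible.posix collection has to be installed), assumes the inventory group webservers, the default zone public, the LAN 192.168.150.0/24 and a backend on 8443 from the ad-hoc commands above, and introduces a made-up variable firewall_is_gateway so that masquerade is only switched on where it belongs. Unlike the ad-hoc sequence it does not open http to everyone and then restrict it with a rich rule; it allows http through the rich rule only and removes the unrestricted allow, then reads the runtime rules back and fails if they are not in place.

```yaml
# Added example (not from the original notes). Assumptions: inventory group
# "webservers", zone "public", LAN 192.168.150.0/24, backend on 8443, and the
# hypothetical variable firewall_is_gateway (default false).
- name: Configure firewalld on the web servers
  hosts: webservers
  become: true
  vars:
    lan_cidr: 192.168.150.0/24
    firewall_is_gateway: false
  tasks:
    - name: Ensure firewalld is running and enabled at boot
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    # http is reachable only from the LAN; permanent + immediate keeps the
    # runtime and the saved configuration identical.
    - name: Allow http only from the LAN (runtime and permanent)
      ansible.posix.firewalld:
        rich_rule: "rule family=ipv4 source address={{ lan_cidr }} service name=http accept"
        zone: public
        permanent: true
        immediate: true
        state: enabled

    # Without this task an earlier ad-hoc "service=http state=enabled" would
    # silently make the source restriction above meaningless.
    - name: Remove any unrestricted http allow
      ansible.posix.firewalld:
        service: http
        zone: public
        permanent: true
        immediate: true
        state: disabled

    - name: Redirect incoming 443/tcp to the backend on local port 8443
      ansible.posix.firewalld:
        rich_rule: "rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443"
        zone: public
        permanent: true
        immediate: true
        state: enabled

    # Masquerade is source NAT for the whole zone; enable it only on a host
    # that actually routes for others, and make sure it is off everywhere else.
    - name: Masquerade only when this host is a gateway
      ansible.posix.firewalld:
        masquerade: "yes"
        zone: public
        permanent: true
        immediate: true
        state: "{{ 'enabled' if firewall_is_gateway else 'disabled' }}"

    - name: Read back the runtime rich rules
      ansible.builtin.command: firewall-cmd --zone=public --list-rich-rules
      changed_when: false
      register: rich

    # firewalld prints rich rules in normalised form with quoted values.
    - name: Fail if the rules did not take effect at runtime
      ansible.builtin.assert:
        that:
          - lan_cidr in rich.stdout
          - "'to-port=\"8443\"' in rich.stdout"
        fail_msg: "expected rich rules missing from runtime config: {{ rich.stdout_lines }}"

    - name: Show the effective zone configuration
      ansible.builtin.command: firewall-cmd --zone=public --list-all
      changed_when: false
      register: zone_state

    - name: Print it
      ansible.builtin.debug:
        var: zone_state.stdout_lines
```

Run it with ansible-playbook -i inventory firewalld.yml. Because every task sets both permanent and immediate, a later firewall-cmd --reload cannot change behaviour; the assert catches the case where a rule exists only in one of the two views.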
selinux module
Function: sets the SELinux mode and policy on the managed hosts (SELinux is mandatory access control, not a firewall). The module writes /etc/selinux/config and, where possible, switches the running mode with setenforce. Switching from disabled to enforcing or permissive, or to disabled, cannot be done at runtime and only takes effect after a reboot; the module reports this in its return value reboot_required. On RHEL/CentOS 9 and later SELINUX=disabled in the config file is no longer honoured at boot; SELinux there can only be disabled with the selinux=0 kernel argument.
- state: SELinux mode: enforcing, permissive or disabled
- policy: the policy name, normally targeted (required unless state=disabled)
Example
1. Set SELinux to enforcing
[root@xuzhichao ~]# ansible 192.168.20.23 -m selinux -a 'state=enforcing policy=targeted'
Check on the managed host:
[root@nginx03 ~]# grep "^SELINUX" /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
2. Set SELinux to disabled (written to the config file; the running mode stays until the next reboot):
[root@xuzhichao ~]# ansible 192.168.20.23 -m selinux -a 'state=disabled'
[root@nginx03 ~]# grep "^SELINUX" /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
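Moving a host to enforcing as a playbook, added here as an example and not part of the original notes. It uses ansible.posix.selinux, assumes the inventory group webservers, handles the case the ad-hoc command does not (a host that is currently disabled, where the module can only change the config file and a reboot with a full relabel follows), verifies that the running and the configured mode agree, and finishes by counting recent AVC denials so that a freshly enforced host that is now blocking its own services is noticed rather than discovered later.

```yaml
# Added example (not from the original notes). Assumption: inventory group
# "webservers"; hosts may currently be in any mode, including disabled.
- name: Enforce SELinux with the targeted policy
  hosts: webservers
  become: true
  tasks:
    - name: Write /etc/selinux/config and switch the running mode where possible
      ansible.posix.selinux:
        state: enforcing
        policy: targeted
      register: sel

    # disabled -> enforcing cannot happen live; the module flags it with
    # reboot_required. The relabel on the next boot can take a while.
    - name: Reboot and relabel when the mode could not be switched at runtime
      ansible.builtin.reboot:
        reboot_timeout: 1800
      when: sel.reboot_required | default(false)

    - name: Read the effective mode and the configured mode
      ansible.builtin.command: "{{ item }}"
      loop:
        - getenforce
        - grep ^SELINUX= /etc/selinux/config
      changed_when: false
      register: modes

    - name: Fail unless runtime and config both say enforcing
      ansible.builtin.assert:
        that:
          - modes.results[0].stdout == "Enforcing"
          - modes.results[1].stdout == "SELINUX=enforcing"
        fail_msg: "runtime={{ modes.results[0].stdout }} config={{ modes.results[1].stdout }}"

    # "-ts recent" is the last 10 minutes; grep -c exits 1 on zero matches,
    # hence the "|| true".
    - name: Count AVC denials logged since the switch
      ansible.builtin.shell: ausearch -m avc -ts recent 2>/dev/null | grep -c '^type=AVC' || true
      changed_when: false
      register: avc

    - name: Report denials
      ansible.builtin.debug:
        msg: "{{ avc.stdout }} AVC denial(s) in the last 10 minutes; inspect with: ausearch -m avc -ts recent"
```

If the denial count is not zero on a host that was previously permissive or disabled, the usual approach is to put it back to permissive, collect the denials, and fix labels or booleans before enforcing again.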
sefcontext module
Manages persistent SELinux file-context mappings, the equivalent of semanage fcontext -a. The managed host needs the semanage tooling and Python bindings: on EL8/EL9 the package is policycoreutils-python-utils (policycoreutils-python on EL7); without it the module fails with a missing-dependency error, which is why it is installed first below.
[root@server ~]# ansible node1 -m yum -a 'name=policycoreutils-python-utils-2.9-16.el8.noarch state=installed'
[root@server ~]# ansible node1 -m sefcontext -a 'target=/www setype=httpd_sys_content
(the command is cut off here in the notes)
Two things the ad-hoc form does not make obvious: the target is normally a regular expression such as '/www(/.*)?' so that the mapping covers the whole tree, and sefcontext only records the mapping; files that already exist keep their old label until restorecon -R is run on them.
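Labelling a custom web root end to end as a playbook, added here as an example and not part of the original notes. It uses community.general.sefcontext (the community.general collection has to be installed), assumes host node1, the web root /www and EL8/EL9 package names, and adds the two steps the ad-hoc command leaves out: relabelling existing files with restorecon and checking the resulting label, so that httpd is not left unable to read the directory after SELinux is enforcing.

```yaml
# Added example (not from the original notes). Assumptions: host "node1",
# web root /www, EL8/EL9 package name policycoreutils-python-utils
# (policycoreutils-python on EL7).
- name: Label /www as httpd content
  hosts: node1
  become: true
  vars:
    web_root: /www
  tasks:
    - name: Install the tooling the sefcontext module needs
      ansible.builtin.dnf:
        name: policycoreutils-python-utils
        state: present

    - name: Make sure the directory exists
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: directory
        owner: root
        group: root
        mode: "0755"

    # The regex covers the directory and everything under it, the same record
    # that "semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'" creates.
    - name: Add the persistent file-context mapping
      community.general.sefcontext:
        target: "{{ web_root }}(/.*)?"
        setype: httpd_sys_content_t
        state: present
      register: fcontext

    # sefcontext only records the mapping; files that already exist keep their
    # old label until restorecon is run. "-v" prints each relabelled path, so
    # empty output means nothing changed.
    - name: Relabel existing files when the mapping changed
      ansible.builtin.command: restorecon -Rv {{ web_root }}
      when: fcontext.changed
      register: relabel
      changed_when: relabel.stdout | length > 0

    - name: Read the label the directory now carries
      ansible.builtin.command: ls -Zd {{ web_root }}
      changed_when: false
      register: label

    - name: Fail if the label did not take
      ansible.builtin.assert:
        that: "'httpd_sys_content_t' in label.stdout"
        fail_msg: "{{ web_root }} is not labelled httpd_sys_content_t: {{ label.stdout }}"
```

Run it with ansible-playbook -i inventory sefcontext.yml. The mapping is persistent (it is stored in the local policy module store), so a later restorecon or a full relabel after a reboot keeps producing httpd_sys_content_t for anything under /www.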