"Lab - Modules - Firewalls Rules" in the Ansible Certification Prep Course

In the lab’s third exercise we’re tasked:

We want to block 161/udp port on web1 node permanently. Make a playbook block.yml under ~/playbooks/ directory to do so.

Use zone: block

The solution is given as:

thor@ansible-controller ~/playbooks$ cat /tmp/hassets/answers/block.yml

- hosts: web1
  tasks:
    - firewalld:
        port: 161/udp
        zone: block
        permanent: yes
        immediate: yes
        state: enabled

However, according to the latest Ansible documentation for the ‘firewalld’ module at:

https://docs.ansible.com/ansible/latest/modules/firewalld_module.html

It’s stated that:

state (string / required). Choices:

  • absent
  • disabled
  • enabled
  • present

Enable or disable a setting.
For ports: Should this port accept (enabled) or reject (disabled) connections.
The states present and absent can only be used in zone level operations (i.e. when no other parameters but zone and state are set).

So, according to the documentation it would seem that if we want to block the port per the task instructions, then the state should be set to disabled, not enabled as it’s set in the solution. (I couldn’t get my solution to validate given I had my state set to “disabled”.)

Great course by the way! :slight_smile:

Hello @CalicoCat,

state: enables or disables a setting, and is used in the case of a zone-level operation.
zone: public is the default zone.
Let me explain the solution to you:

- hosts: web1
  tasks:
    - firewalld:
        port: 161/udp
        zone: block
        permanent: yes
        immediate: yes
        state: enabled

Here we specified the zone to which the rule will be added, and the state, which says whether the rule should be added or not.
The state is enabled, but in the block zone, so it will block the 161/udp port.
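As an added verification step (this is not the lab's answer file or the reply's code), the same block-zone rule followed by a task that asks firewalld itself whether 161/udp is now listed in zone block, so a drifted or refused rule fails the play instead of passing silently. It assumes the ansible.posix collection is installed and that sudo is available on web1:

```yaml
- hosts: web1
  become: true          # assumption: firewalld changes need root on web1
  tasks:
    - name: Add 161/udp to zone block (runtime and permanent)
      ansible.posix.firewalld:    # same module as the lab, referenced by its FQCN
        port: 161/udp
        zone: block
        permanent: true
        immediate: true
        state: enabled

    - name: Ask firewalld whether the port is really present in zone block
      # firewall-cmd exits 0 and prints "yes" when present, 1 and "no" when absent
      command: firewall-cmd --zone=block --query-port=161/udp
      register: query
      changed_when: false
      failed_when: query.rc not in [0, 1]

    - name: Fail the play if the rule did not land where we expected
      ansible.builtin.assert:
        that: query.stdout == 'yes'
        fail_msg: "161/udp is not in zone block on {{ inventory_hostname }}"
        success_msg: "161/udp confirmed in zone block on {{ inventory_hostname }}"
```

Run it with `ansible-playbook ~/playbooks/block.yml`; the final assert is what turns "the task ran" into "the firewall state is what we intended".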