HeliumOS-org
diff --git a/‎files/usr/lib/firewalld/zones/HeliumOS.xml‎
Lines changed: 0 additions & 11 deletions b/‎files/usr/lib/firewalld/zones/HeliumOS.xml‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎tasks/base/firewall.yaml‎
Lines changed: 21 additions & 6 deletions b/‎tasks/base/firewall.yaml‎
Lines changed: 21 additions & 6 deletions
@@ -4,9 +4,24 @@
       - firewall-config
     state: present
 
-- name: Set Firewall Default Zone
-  shell:
-    cmd: |
-      sed -i \
-        's,DefaultZone=public,DefaultZone=HeliumOS,g' \
-        /etc/firewalld/firewalld.conf
+- name: Add firewalld zone for HeliumOS
+  ansible.builtin.copy:
+    content: |
+      <?xml version="1.0" encoding="utf-8"?>
+      <zone>
+        <short>HeliumOS</short>
+        <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+        <service name="dhcpv6-client"/>
+        <service name="ssh"/>
+        <service name="samba-client"/>
+        <port protocol="udp" port="1025-65535"/>
+        <port protocol="tcp" port="1025-65535"/>
+        <forward/>
+      </zone>
+    dest: /usr/lib/firewalld/zones/HeliumOS.xml
+
+- name: Set firewalld default zone
+  ansible.builtin.replace:
+    path: /etc/firewalld/firewalld.conf
+    regexp: "DefaultZone=public"
+    replace: "DefaultZone=HeliumOS"