Remove old firewall config

Author: Alex-Welsh

etc/kayobe/compute.yml

@@ -126,70 +126,22 @@
 # Compute node firewalld configuration.
 
 # Whether to install and enable firewalld.
-compute_firewalld_enabled: true
+#compute_firewalld_enabled:
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-compute_firewalld_zones: "{{ compute_firewalld_zones_default | union(compute_firewalld_zones_extra) | unique | select }}"
-
-compute_firewalld_zones_default: |
-  {% set network_zones = [] %}
-  {% for network in network_interfaces %}
-  {% if network | net_zone is not none %}
-  {% set _ = network_zones.append({'zone': network | net_zone }) %}
-  {% endif %}
-  {% endfor %}
-  {{ network_zones }}
-
-compute_firewalld_zones_extra: []
+#compute_firewalld_zones:
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-# FIXME: Try setting to drop
-compute_firewalld_default_zone: trusted
+#compute_firewalld_default_zone:
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-
-compute_firewalld_rules: "{{ compute_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(compute_firewalld_rules_extra) | unique | select }}"
-
-compute_firewalld_rules_default:
-  # Common
-  - rules:
-      - service: ssh
-        state: enabled
-        zone: "{{ admin_oc_net_name | net_zone }}"
-        network: "{{ provision_oc_net_name }}"
-      - service: dhcpv6-client
-        state: disabled
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-    enabled: true
-  - rules:
-      - service: ssh
-        state: disabled
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-    enabled: "{{ public_net_name | net_zone != admin_oc_net_name | net_zone }}"
-  # GENEVE
-  - rules:
-      - port: 6081/udp
-        state: enabled
-        zone: "{{ tunnel_net_name | net_zone }}"
-        network: "{{ tunnel_net_name }}"
-    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
-  # VXLAN
-  - rules:
-      - port: 4789/udp
-        state: enabled
-        zone: "{{ tunnel_net_name | net_zone }}"
-        network: "{{ tunnel_net_name }}"
-    enabled: "{{ 'vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
-
-compute_firewalld_rules_extra: []
+#compute_firewalld_rules:
 
 ###############################################################################
 # Compute node host libvirt configuration.

etc/kayobe/controllers.yml

@@ -134,120 +134,23 @@
 ###############################################################################
 # Controller node firewalld configuration.
 
-# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
-# provision_oc_net_name }}).
-
 # Whether to install and enable firewalld.
-controller_firewalld_enabled: true
+#controller_firewalld_enabled:
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-controller_firewalld_zones: "{{ controller_firewalld_zones_default | union(controller_firewalld_zones_extra) | unique }}"
-
-controller_firewalld_zones_default: |
-  {% set network_zones = [] %}
-  {% for network in network_interfaces %}
-  {% if network | net_zone is not none %}
-  {% set _ = network_zones.append({'zone': network | net_zone }) %}
-  {% endif %}
-  {% endfor %}
-  {{ network_zones }}
-
-controller_firewalld_zones_extra: []
+#controller_firewalld_zones:
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-# FIXME: Try setting to drop
-controller_firewalld_default_zone: trusted
+#controller_firewalld_default_zone:
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-controller_firewalld_rules: "{{ controller_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(controller_firewalld_rules_extra) | unique | select }}"
-
-controller_firewalld_rules_default:
-  # Common
-  - rules:
-      - service: ssh
-        zone: "{{ provision_oc_net_name | net_zone }}"
-        network: "{{ provision_oc_net_name }}"
-        state: enabled
-      - service: dhcp
-        zone: "{{ provision_wl_net_name | net_zone }}"
-        network: "{{ provision_wl_net_name }}"
-        state: enabled
-      - service: ntp
-        zone: "{{ provision_wl_net_name | net_zone }}"
-        network: "{{ provision_wl_net_name }}"
-        state: enabled
-      - service: tftp
-        zone: "{{ provision_wl_net_name | net_zone }}"
-        network: "{{ provision_wl_net_name }}"
-        state: enabled
-      - service: cockpit
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: disabled
-      - service: dhcpv6-client
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: disabled
-      - service: ssh
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: disabled
-    enabled: true
-  # Designate
-  - rules:
-      - port: 53/tcp
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: enabled
-      - port: 53/udp
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: enabled
-      - port: 5354/tcp
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: enabled
-      - port: 5354/udp
-        zone: "{{ public_net_name | net_zone }}"
-        network: "{{ public_net_name }}"
-        state: enabled
-    enabled: "{{ kolla_enable_designate | bool }}"
-  # GENEVE
-  - rules:
-      - port: 6081/udp
-        zone: "{{ tunnel_net_name | net_zone }}"
-        network: "{{ tunnel_net_name }}"
-        state: enabled
-    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
-  # VXLAN
-  - rules:
-      - port: 4789/udp
-        zone: "{{ tunnel_net_name | net_zone }}"
-        network: "{{ tunnel_net_name }}"
-        state: enabled
-    enabled: "{{ 'vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
-  # Octavia
-  - rules:
-      - port: 5555/udp
-        zone: "{{ octavia_net_name | net_zone }}"
-        network: "{{ octavia_net_name }}"
-        state: enabled
-    enabled: "{{ kolla_enable_octavia | bool }}"
-  # Overcloud Ironic
-  - rules:
-      - port: 8089/tcp
-        zone: "{{ provision_wl_net_name | net_zone }}"
-        network: "{{ provision_wl_net_name }}"
-        state: enabled
-    enabled: "{{ kolla_enable_octavia | bool }}"
-
-controller_firewalld_rules_extra: []
+#controller_firewalld_rules:
 
 ###############################################################################
 # Controller node swap configuration.

etc/kayobe/inventory/group_vars/ansible-control/infra-vm

@@ -99,44 +99,22 @@
 # Monitoring node firewalld configuration.
 
 # Whether to install and enable firewalld.
-monitoring_firewalld_enabled: true
+#monitoring_firewalld_enabled:
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-monitoring_firewalld_zones: "{{ monitoring_firewalld_zones_default | union(monitoring_firewalld_zones_extra) | unique | select }}"
-
-monitoring_firewalld_zones_default: |
-  {% set network_zones = [] %}
-  {% for network in network_interfaces %}
-  {% if network | net_zone is not none %}
-  {% set _ = network_zones.append({'zone': network | net_zone }) %}
-  {% endif %}
-  {% endfor %}
-  {{ network_zones }}
-
-monitoring_firewalld_zones_extra: []
+#monitoring_firewalld_zones:
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-# FIXME: Try drop
-monitoring_firewalld_default_zone: trusted
+#monitoring_firewalld_default_zone:
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-monitoring_firewalld_rules: "{{ monitoring_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(monitoring_firewalld_rules_extra) | unique | select }}"
-
-monitoring_firewalld_default:
-  - rules:
-      - service: ssh
-        zone: "{{ admin_oc_net_name | net_zone }}"
-        network: "{{ admin_oc_net_name }}"
-        state: enabled
-    enabled: true
-
-monitoring_firewalld_extra: []
+#monitoring_firewalld_rules:
 
 ###############################################################################
 # Monitoring node swap configuration.

etc/kayobe/inventory/group_vars/wazuh-manager/infra-vm

@@ -117,8 +117,6 @@
 ###############################################################################
 # Seed hypervisor node firewalld configuration.
 
-# FIXME: Add some seed hypervisor rules?
-
 # Whether to install and enable firewalld.
 #seed_hypervisor_firewalld_enabled: