Some time ago I had to use a new CentOS 7 virtual-machine for some things that aren’t relevant to this post. This machine had to run all the time but also had some problems with a sporadically failing application server. That’s why I decided to monitor the machine, starting with some basic snmp-monitoring.

When I added the host to my Icinga monitoring, Icinga failed to do the snmpwalk. After some searching on the host I found out that the default firewall firewalld was blocking access; something I did not have to deal with yet until this moment. But instead of simply turning the firewall off, I decided to permit snmp-access.

Reading the very good and comprehensive RedHat documentation about firewalld gave me enough information to allow access of the host. It also showed me that there’s no predefined service (at the time) for handling snmp-traffic so I had to add the exceptions to the firewall by myself.

This is the command:

[root@centos ~]# firewall-cmd --add-port=161-162/udp --zone=public

This means that the portrange 161-162 with the protocol UDP is added as an exception to the public zone (the default zone). To learn more about zones, take a look here.

After testing that the new rule works, I had to make the changes permanent. This is done by simply adding a —permanent to the first command:

[root@centos ~]# firewall-cmd --add-port=161-162/udp --zone=public --permanent

Knowing that I’d have to do this more often when deploying new boxes, I decided to write a simple ansible-playbook for it. Of course there’s a module to configure firewalld! Sadly the documentation only gave examples on how to add single ports or services, not port ranges. But I thought that adding a range should be possible too, so I just tried it and it worked! Here is the task:

- name: add snmp-exception to firewalld
  firewalld: port=161-162/udp permanent=true state=enabled

Since Ansible is an open-source project I decided to contribute to it and create a pull-request to add the missing documentation and an example. This way I can help the community around Ansible without having to dive deep into the code itself!



Related posts: