WIP: Rework firewall management.

robin-checkmk · robin-checkmk · commit ac5805805dbc · 2025-04-08T12:11:37.000+02:00
diff --git a/roles/agent/README.md b/roles/agent/README.md
@@ -131,17 +131,10 @@ See [this link](https://docs.checkmk.com/latest/en/agent_linux.html#registration
 
     checkmk_agent_configure_firewall: 'true'
 
-Automatically configure the firewall (*currently only on RedHat and Debian derivatives*) to allow access to the Checkmk agent.
-
-    checkmk_agent_configure_firewall_zone: 'public'
-
-When checkmk_agent_configure_firewall is set to `true` then configure the firewall zone on RedHat derivatives. Defaults to 'public'.
-
-    checkmk_agent_server_ips: []
-
-A list of IP addresses, that will be whitelisted in the firewall for agent access on `checkmk_agent_port`.
-The `checkmk_agent_server` will automatically be added, but only if it is an IP address.
-This parameter also does **not** take care of any agent-side whitelisting!
+Automatically configure the firewall to allow access to the Checkmk agent.
+**This is a very rudamentary configration!**
+It only opens port 6556. Everything else uses defaults of the respective platform.
+If you need more elaborate configuration, use your own firewall management!
 
     checkmk_agent_force_install: 'false'
 
diff --git a/roles/agent/defaults/main.yml b/roles/agent/defaults/main.yml
@@ -24,8 +24,6 @@ checkmk_agent_force_foreign_changes: 'false'
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'false'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips: []
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: 'localhost'
diff --git a/roles/agent/meta/argument_specs.yml b/roles/agent/meta/argument_specs.yml
@@ -145,12 +145,6 @@ argument_specs:
         description:
           - Refer to the README for details.
 
-      checkmk_agent_server_ips:
-        type: "list"
-        elements: "str"
-        description:
-          - Refer to the README for details.
-
       checkmk_agent_force_install:
         type: "bool"
         default: false
diff --git a/roles/agent/molecule/2.2.0/group_vars/all.yml b/roles/agent/molecule/2.2.0/group_vars/all.yml
@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"
diff --git a/roles/agent/molecule/2.3.0/group_vars/all.yml b/roles/agent/molecule/2.3.0/group_vars/all.yml
@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"
diff --git a/roles/agent/molecule/2.4.0/group_vars/all.yml b/roles/agent/molecule/2.4.0/group_vars/all.yml
@@ -31,11 +31,6 @@ checkmk_agent_discover_max_parallel_tasks: 2
 checkmk_agent_update: 'false'
 checkmk_agent_tls: 'true'
 checkmk_agent_configure_firewall: 'true'
-checkmk_agent_configure_firewall_zone: 'public'
-checkmk_agent_server_ips:
-  - 10.10.10.10
-  - 172.16.16.16
-  - 192.168.1.1
 checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: "{{ inventory_hostname }}"
diff --git a/roles/agent/tasks/Debian.yml b/roles/agent/tasks/Debian.yml
@@ -44,21 +44,11 @@
   tags:
     - install-package
 
-- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent."
+- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
   when: checkmk_agent_configure_firewall | bool and "ufw.service" in ansible_facts.services
-  block:
-    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
-      when: checkmk_agent_server | ansible.utils.ipaddr()
-      ansible.builtin.set_fact:
-        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}"
-
-    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
-      when: checkmk_agent_server_ips is defined
-      community.general.ufw:
-        rule: allow
-        proto: tcp
-        src: "{{ item }}"
-        port: '6556'
-        comment: Allow Checkmk
-      loop: "{{ checkmk_agent_server_ips }}"
-      become: true
+  community.general.ufw:
+    rule: allow
+    proto: tcp
+    port: '6556'
+    comment: "Allow Checkmk Agent access from anywhere."
+  become: true
diff --git a/roles/agent/tasks/RedHat.yml b/roles/agent/tasks/RedHat.yml
@@ -44,21 +44,11 @@
   tags:
     - install-package
 
-- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent."
+- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
   when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services
-  block:
-    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
-      when: checkmk_agent_server | ansible.utils.ipaddr()
-      ansible.builtin.set_fact:
-        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}"
-
-    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
-      when: checkmk_agent_server_ips is defined
-      ansible.posix.firewalld:
-        permanent: 'yes'
-        immediate: 'yes'
-        state: enabled
-        rich_rule: 'rule family="ipv4" source address={{ item }} port port="{{ checkmk_agent_port }}" protocol="tcp" accept'
-        zone: "{{ checkmk_agent_configure_firewall_zone | default('public') }}"
-      loop: "{{ checkmk_agent_server_ips }}"
-      become: true
+  ansible.posix.firewalld:
+    permanent: true
+    immediate: true
+    port: 6556/tcp
+    state: "enabled"
+  become: true
diff --git a/roles/agent/tasks/Suse.yml b/roles/agent/tasks/Suse.yml
@@ -46,3 +46,12 @@
   when: checkmk_agent_edition | lower == "cre"
   tags:
     - install-package
+
+- name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
+  when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services
+  ansible.posix.firewalld:
+    permanent: true
+    immediate: true
+    port: 6556/tcp
+    state: "enabled"
+  become: true
