---

- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running"
  service:
      name: firewalld
      state: started
      enabled: yes
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_3_4_2_1

- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld"
  systemd:
      name: iptables
      enabled: false
      masked: true
  ignore_errors: true
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_2
  tags:
      - skip_ansible_lint
      - level1-server
      - level1-workstation
      - patch
      - rule_3_4_2_2

- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld"
  systemd:
      name: nftables
      enabled: false
      masked: true
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_3_4_2_3

- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
  command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_3.4.2.4

- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
  block:
      - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
        shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
        changed_when: false
        failed_when: false
        check_mode: no
        register: rhel9cis_3_4_2_5_interfacepolicy

      - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
        debug:
            msg:
                - "The items below are the policies tied to the interfaces, please correct as needed"
                - "{{ rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_5
  tags:
      - level1-server
      - level1-workstation
      - audit
      - rule_3.4.2.5

- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
  block:
      - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
        shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
        changed_when: false
        failed_when: false
        check_mode: no
        register: rhel9cis_3_4_2_6_servicesport

      - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
        debug:
            msg:
                - "The items below are the services and ports that are accepted, please correct as needed"
                - "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_2_6
  tags:
      - level1-server
      - level1-workstation
      - audit
      - rule_3.4.2.6