
Module: firewalld


Description

This module manages firewalld, the userland interface that replaces iptables and ships with RHEL7+. The module manages firewalld itself as well as providing types and providers for managing firewalld zones, policies, ports, and rich rules.

Compatibility

Latest versions of this module are only supported on Puppet 7.0+.

Usage

class { 'firewalld': }

Parameters

  • package: Name of the package to install (default firewalld)
  • package_ensure: Default 'installed', can be any supported ensure type for the package resource
  • config_package: Name of the GUI package, default firewall-config
  • install_gui: Whether or not to install the config_package (default: false)
  • service_ensure: Whether the service should be running or not (default: running)
  • service_enable: Whether to enable the service
  • default_zone: Optional, set the default zone for interfaces (default: undef)
  • firewall_backend: Optional, set the firewall backend for firewalld (default: undef)
  • default_service_zone: Optional, set the default zone for services (default: undef)
  • default_port_zone: Optional, set the default zone for ports (default: undef)
  • default_port_protocol: Optional, set the default protocol for ports (default: undef)
  • log_denied: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one of off, all, multicast, unicast, broadcast (default: undef)
  • zones: A hash of firewalld zones to configure
  • policies: A hash of firewalld policies to configure
  • ports: A hash of firewalld ports to configure
  • services: A hash of firewalld services to configure
  • rich_rules: A hash of firewalld rich rules to configure
  • custom_services: A hash of firewalld custom services to configure
  • direct_rules: A hash of firewalld direct rules to configure
  • direct_chains: A hash of firewalld direct chains to configure
  • direct_passthroughs: A hash of firewalld direct passthroughs to configure
  • purge_direct_rules: True or false, whether to purge firewalld direct rules
  • purge_direct_chains: True or false, whether to purge firewalld direct chains
  • purge_direct_passthroughs: True or false, whether to purge firewalld direct passthroughs

Resource Types

The firewalld module contains types and providers to manage zones, services, ports, and rich rules by interfacing with the firewall-cmd command. The resource types listed below are currently supported. Note that all zone, service, port, and rule management is done in --permanent mode, and a complete reload is triggered whenever something changes.

Note: it is always recommended to include the ::firewalld class if you are going to use any of these resources from another Puppet class (e.g. a profile), because it sets up the relationships between the firewalld service resource and the exec resource that reloads the firewall upon change. Without the firewalld class included, the firewall will not be reloaded on change. The recommended pattern is to put all resources into Hiera and let the firewalld class set them up. Examples of both forms are given for each resource type below.

Firewalld Zones

Firewalld zones can be managed with the firewalld_zone resource type.

Example in Class:

  firewalld_zone { 'restricted':
    ensure           => present,
    target           => '%%REJECT%%',
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

Example in Hiera:

firewalld::zones:
  restricted:
    ensure: present
    target: '%%REJECT%%'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

Parameters (Firewalld Zones)

  • target: Specify the target of the zone.
  • interfaces: An array of interfaces for this zone
  • sources: An array of sources for the zone
  • protocols: An array of protocols for the zone
  • icmp_blocks: An array of ICMP blocks for the zone
  • masquerade: If set to true or false specifies whether or not to add masquerading to the zone
  • purge_rich_rules: Optional, and defaulted to false. When true any configured rich rules found in the zone that do not match what is in the Puppet catalog will be purged.
  • purge_services: Optional, and defaulted to false. When true any configured services found in the zone that do not match what is in the Puppet catalog will be purged. Warning: This includes the default ssh service, if you need SSH to access the box, make sure you add the service through either a rich firewall rule, port, or service (see below) or you will lock yourself out!
  • purge_ports: Optional, and defaulted to false. When true any configured ports found in the zone that do not match what is in the Puppet catalog will be purged. Warning: As with services, this includes the default ssh port. If you fail to specify the appropriate port, rich rule, or service, you will lock yourself out.
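The following is an added example and not code from the module's README. It puts together the note above about including the ::firewalld class (so the reload exec is wired up), the class parameters, and the lock-out warning on purge_services / purge_ports: a reject-by-default zone that purges everything not in the catalog, with SSH re-admitted only from a management network. The profile name, the zone name, the network 10.20.0.0/24 and the log prefix/limit values are assumptions.

```puppet
# Added example, not code from puppet-firewalld's own README.
# Assumptions: the profile name, the zone name 'restricted', the
# management network 10.20.0.0/24 and the log prefix/limit values.
class profile::firewall {
  # Including the class is what ties every firewalld_* resource to the
  # reload Exec; without it, the changes below land in --permanent
  # configuration but are never activated.
  class { 'firewalld':
    service_ensure            => running,
    service_enable            => true,
    log_denied                => 'unicast',   # log rejected unicast packets (firewalld-0.4.3.2-8+)
    purge_direct_rules        => true,        # direct rules/chains not in the catalog are removed
    purge_direct_chains       => true,
    purge_direct_passthroughs => true,
  }

  # Reject-by-default zone. All three purge_* flags are on, so the stock
  # 'ssh' service and its port are removed unless re-declared here.
  firewalld_zone { 'restricted':
    ensure           => present,
    target           => '%%REJECT%%',
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

  # Re-admit SSH, but only from the management network. A rich rule is
  # used instead of a plain firewalld_service so the zone does not expose
  # port 22 to every source. The rule autorequires the zone above, so no
  # explicit ordering is needed.
  firewalld_rich_rule { 'SSH from the management network only':
    ensure  => present,
    zone    => 'restricted',
    source  => '10.20.0.0/24',
    service => 'ssh',
    log     => { 'prefix' => 'ssh-mgmt ', 'level' => 'info', 'limit' => '5/m' },
    action  => 'accept',
  }
}
```

Apply it with `puppet apply` (or classify a node with `profile::firewall`) and confirm with `firewall-cmd --zone=restricted --list-all` that the only way in is the logged rich rule.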

Firewalld policies

Firewalld policies can be managed with the firewalld_policy resource type.

Example in Class:

  firewalld_policy { 'anytorestricted':
    ensure           => present,
    target           => '%%REJECT%%',
    ingress_zones    => ['ANY'],
    egress_zones     => ['restricted'],
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
  }

Example in Hiera:

firewalld::policies:
  anytorestricted:
    ensure: present
    target: '%%REJECT%%'
    ingress_zones:
      - 'ANY'
    egress_zones:
      - 'restricted'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

Parameters (Firewalld policies)

  • target: Specify the target of the policy.
  • ingress_zones: An array of ingress zones for this policy.
  • egress_zones: An array of egress zones for this policy.
  • priority: A non-zero integer specifying the priority of this policy. Policies with negative priorities apply before the rules in zones; policies with positive priorities apply after them. Defaults to -1.
  • icmp_blocks: An array of ICMP blocks for the policy
  • masquerade: If set to true or false specifies whether or not to add masquerading to the policy
  • purge_rich_rules: Optional, and defaulted to false. When true any configured rich rules found in the policy that do not match what is in the Puppet catalog will be purged.
  • purge_services: Optional, and defaulted to false. When true any configured services found in the policy that do not match what is in the Puppet catalog will be purged.
  • purge_ports: Optional, and defaulted to false. When true any configured ports found in the policy that do not match what is in the Puppet catalog will be purged.
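An added example (not code from the module's README) of a policy that governs traffic crossing from one zone to another, showing the priority parameter described above. The zone names 'internal' and 'dmz', the source network, the policy name, the port and the priority value are assumptions.

```puppet
# Added example, not from the module's README. Zone names, the policy
# name, the network 172.16.5.0/24 and the priority value are assumptions.
firewalld_zone { 'dmz':
  ensure  => present,
  target  => '%%REJECT%%',
  sources => ['172.16.5.0/24'],
}

# Traffic entering from 'internal' and leaving towards 'dmz' is evaluated
# by this policy. priority => -10 (negative) puts it ahead of the zones'
# own rules, and target => %%REJECT%% bounces everything not listed on
# the policy itself.
firewalld_policy { 'internal-to-dmz':
  ensure           => present,
  target           => '%%REJECT%%',
  ingress_zones    => ['internal'],
  egress_zones     => ['dmz'],
  priority         => -10,
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
}

# Allow exactly what internal hosts may reach in the DMZ. These resources
# take the policy parameter instead of zone. The README documents
# autorequire only for the zone parameter, so the policy dependency is
# stated explicitly here.
firewalld_service { 'internal -> dmz: https':
  ensure  => present,
  service => 'https',
  policy  => 'internal-to-dmz',
  require => Firewalld_policy['internal-to-dmz'],
}

firewalld_port { 'internal -> dmz: app port 8443':
  ensure   => present,
  policy   => 'internal-to-dmz',
  port     => 8443,
  protocol => 'tcp',
  require  => Firewalld_policy['internal-to-dmz'],
}
```

Because the policy's priority is negative, a host in 'dmz' that itself allows a service does not get to override the reject: the policy has already decided.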

Firewalld Rich Rules

Firewalld rich rules are managed using the firewalld_rich_rule resource type.

Exactly one of the zone or policy parameters must be given.

firewalld_rich_rule will autorequire the firewalld_zone specified in the zone parameter or the firewalld_policy specified in the policy parameter, so there is no need to add dependencies for this.

Example in Class:

  firewalld_rich_rule { 'Accept SSH from barny':
    ensure => present,
    zone   => 'restricted',
    source => '192.168.1.2/32',
    service => 'ssh',
    action  => 'accept',
  }

Example in Hiera:

firewalld::rich_rules:
  'Accept SSH from barny':
    ensure: present
    zone: restricted
    source: '192.168.1.2/32'
    service: 'ssh'
    action: 'accept'

Parameters (Firewalld Rich Rules)

  • zone: (Optional) Name of the zone this rich rule belongs to

  • policy: (Optional) Name of the policy this rich rule belongs to

  • family: Protocol family, defaults to ipv4

  • source: Source address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

       source => '192.168.2.1',
    
       source => { 'address' => '192.168.1.1', 'invert' => true }
       source => { 'ipset' => 'whitelist', 'invert' => true }
       source => { 'ipset' => 'blacklist' }
  • dest: Destination address information. This can be a hash containing the keys address or ipset and invert, or a string containing just the IP address

       dest => '192.168.2.1',
    
       dest => { 'address' => '192.168.1.1', 'invert' => true }
       dest => { 'ipset' => 'whitelist', 'invert' => true }
       dest => { 'ipset' => 'blacklist' }
  • log: When set to true will enable logging; optionally this can be a hash with prefix, level and limit

       log => { 'level' => 'debug', 'prefix' => 'foo' },
    
       log => true,
  • audit: When set to true will enable auditing; optionally this can be a hash with limit

       audit => { 'limit' => '3/s' },
    
       audit => true,
  • action: A string containing the action accept, reject or drop. For reject it can optionally be supplied as a hash containing type

       action => 'accept'
    
       action => { 'action' => 'reject', 'type' => 'bad' }

The following parameters are the element of the rich rule; only one of them may be used.

  • service: Name of the service

  • protocol: Protocol of the rich rule

  • port: A hash containing port and protocol values

       port => {
         'port' => 80,
         'protocol' => 'tcp',
       },
  • icmp_block: Specify an icmp-block for the rule

  • masquerade: Set to true or false to enable masquerading

  • forward_port: Set forward-port; this should be a hash containing port, protocol, to_port and to_addr

       forward_port => {
         'port' => '8080',
         'protocol' => 'tcp',
         'to_addr' => '10.2.1.1',
         'to_port' => '8993'
       },

Firewalld Custom Service

The firewalld_custom_service defined type creates and manages custom services. It makes the service usable by firewalld, but does not add it to any zones. To do that, use the firewalld::service type.

Example in Class:

    firewalld_custom_service { 'puppet':
      short       => 'puppet',
      description => 'Puppet Client access Puppet Server',
      ports       => [
        {
          'port'     => '8140',
          'protocol' => 'tcp',
        },
        {
          'port'     => '8140',
          'protocol' => 'udp',
        },
      ],
      module           => ['nf_conntrack_netbios_ns'],
      ipv4_destination => '127.0.0.1',
      ipv6_destination => '::1',
    }

Example in Hiera:

firewalld::custom_services:
  puppet:
    short: 'puppet'
    description: 'Puppet Client access Puppet Server'
    ports:
      - port: 8140
        protocol: 'tcp'
    module: 'nf_conntrack_netbios_ns'
    ipv4_destination: '127.0.0.1'
    ipv6_destination: '::1'

This resource will create the following XML service definition in /etc/firewalld/services/XZY.xml

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>puppet</short>
      <description>Puppet Client access Puppet Server</description>
      <port protocol="tcp" port="8140" />
      <port protocol="udp" port="8140" />
      <module name="nf_conntrack_netbios_ns"/>
      <destination ipv4="127.0.0.1" ipv6="::1"/>
    </service>

and you will also see 'puppet' in the service list when you issue firewall-cmd --permanent --get-services

Parameters (Firewalld Custom Service)

  • short: (namevar) The short name of the service (what you see in the firewalld command line output)

  • description: (Optional) A short description of the service

  • ports: (Optional) The protocol / port definitions for this service. Specified as an array of hashes, where each hash defines a protocol and/or port associated with this service. Each hash requires both port and protocol keys, even if the value is an empty string. Specifying a port only works for TCP & UDP, otherwise leave it empty and the entire protocol will be allowed. Valid protocols are tcp, udp, or any protocol defined in /etc/protocols

       ports => [{'port' => '1234', 'protocol' => 'tcp'}],
    
       ports => [{'port' => '4321', 'protocol' => 'udp'}, {'protocol' => 'rdp'}],

The ports parameter can also take a range of ports separated by a colon or a dash (colons are replaced by dashes), for example:

   ports => [ {'port' => '8000:8002', 'protocol' => 'tcp'} ]

will produce:

    <port protocol="tcp" port="8000-8002" />
  • protocols: (Optional) An array of protocols allowed by the service as defined in /etc/protocols.

       protocols => ['ospf'],
  • module: (Optional) An array of strings specifying netfilter kernel helper modules associated with this service

  • ipv4_destination: (Optional) A string specifying the destination network as a network IP address (optional with /mask), or a plain IP address. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.

       ipv4_destination => '192.0.2.0/24',
  • ipv6_destination: (Optional) A string specifying the destination network as a network IP address (optional with /mask), or a plain IP address. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.

       ipv6_destination => '2001:db8::/32',
  • config_dir: The location where the service definition XML files will be stored. Defaults to /etc/firewalld/services

Firewalld Service

The firewalld_service type is used to add or remove both built in and custom services from zones.

Exactly one of the zone or policy parameters must be given.

firewalld_service will autorequire the firewalld_zone specified in the zone parameter and the firewalld_custom_service specified in the service parameter, so there is no need to add dependencies for this.

Example in Class:

  firewalld_service { 'Allow SSH from the external zone':
    ensure  => 'present',
    service => 'ssh',
    zone    => 'external',
  }

Example in Hiera:

firewalld::services:
  'Allow SSH from the external zone':
    ensure: present
    service: ssh
    zone: external
  dhcp:
    ensure: absent
    service: dhcp
    zone: public
  dhcpv6-client:
    ensure: present
    service: dhcpv6-client
    zone: public

Parameters (Firewalld Service)

  • service: Name of the service to manage, defaults to the resource name.

  • zone: Name of the zone in which you want to manage the service, defaults to parameter default_service_zone of class firewalld if specified.

  • policy: Name of the policy in which you want to manage the service. Make sure to set zone to unset if you use this and have specified default_service_zone for class firewalld.

  • ensure: Whether to add (present) or remove the service (absent), defaults to present.
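An added example, not code from the module's README, that ties the two preceding sections together: a firewalld_custom_service definition (with a colon-separated port range) and the firewalld_service resources that expose it in one zone and make sure it is absent from another. The service name 'metrics', its port range, the zone 'mgmt' and its source network are assumptions.

```puppet
# Added example, not from the module's README. The service name, the
# port range 9100:9102, the zone 'mgmt' and the network are assumptions.
firewalld_zone { 'mgmt':
  ensure  => present,
  target  => '%%REJECT%%',
  sources => ['10.20.0.0/24'],
}

# Writes the service definition under /etc/firewalld/services; the colon
# in the range is emitted as a dash (port="9100-9102"). Creating the
# definition opens nothing by itself.
firewalld_custom_service { 'metrics':
  short       => 'metrics',
  description => 'Metrics scrape endpoints (constructed example)',
  ports       => [
    { 'port' => '9100:9102', 'protocol' => 'tcp' },
  ],
}

# Bind it to the management zone only. firewalld_service autorequires
# both the zone and the custom service, so no explicit require is needed.
firewalld_service { 'metrics reachable from mgmt':
  ensure  => present,
  service => 'metrics',
  zone    => 'mgmt',
}

# ensure => absent removes the service from a zone: this makes sure a
# manual `firewall-cmd --add-service=metrics` on 'public' does not survive
# the next Puppet run.
firewalld_service { 'metrics not exposed on public':
  ensure  => absent,
  service => 'metrics',
  zone    => 'public',
}
```

After the run, `firewall-cmd --permanent --get-services` lists `metrics`, and `firewall-cmd --zone=mgmt --list-services` shows it only there.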

Firewalld IPsets

Firewalld IPsets (on supported versions of firewalld) can be managed using the firewalld_ipset resource type

Example:

  firewalld_ipset { 'whitelist':
    ensure => present,
    entries => [ '192.168.0.1', '192.168.0.2' ]
  }

Example in Hiera:

firewalld::ipsets:
  whitelist:
    entries:
      - 192.168.0.1
      - 192.168.0.2

Parameters (Firewalld IPsets)

  • entries: An array of entries for the IPset
  • type: Type of ipset (default: hash:ip)
  • options: A hash of options for the IPset (eg: { "family" => "inet6"})

Note that type and options are parameters used when creating the IPset and are not managed after creation - to change the type or options of an ipset you must delete the existing ipset first.
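The following added example (not code from the module's README) combines the ipset resource above with the source / ipset / invert form of rich rules documented in the Firewalld Rich Rules section: one set is used to drop traffic outright, the other to restrict SSH to a list of admin addresses. Set names, the addresses (RFC 5737 documentation ranges) and the zone are assumptions.

```puppet
# Added example, not from the module's README. Set names, addresses and
# the zone are assumptions.
firewalld_ipset { 'blocklist':
  ensure  => present,
  type    => 'hash:net',   # fixed at creation; to change it, remove the set and recreate it
  entries => ['198.51.100.0/24', '203.0.113.0/24'],
}

firewalld_ipset { 'admins':
  ensure  => present,      # default type hash:ip: single addresses only
  entries => ['192.0.2.10', '192.0.2.11'],
}

# Source-only rich rule: any packet from a blocklisted network is dropped
# before the zone's services are consulted. The README documents
# autorequire for zones and policies only, so the ipset dependency is
# stated explicitly.
firewalld_rich_rule { 'drop blocklisted networks':
  ensure  => present,
  zone    => 'public',
  source  => { 'ipset' => 'blocklist' },
  action  => 'drop',
  require => Firewalld_ipset['blocklist'],
}

# invert => true negates the source match: the rule applies to every
# address NOT in 'admins'. Rich rules are evaluated before zone services,
# so this rejects SSH from everyone else even if the 'ssh' service is
# enabled on the zone.
firewalld_rich_rule { 'ssh only from admins':
  ensure  => present,
  zone    => 'public',
  source  => { 'ipset' => 'admins', 'invert' => true },
  service => 'ssh',
  action  => { 'action' => 'reject', 'type' => 'icmp-admin-prohibited' },
  require => Firewalld_ipset['admins'],
}
```

Check the resulting rules with `firewall-cmd --zone=public --list-rich-rules`; the inverted rule shows up as `source NOT ipset="admins"`.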

Firewalld Ports

Firewalld ports can be managed with the firewalld_port resource type.

Exactly one of the zone or policy parameters must be given.

firewalld_port will autorequire the firewalld_zone specified in the zone parameter, so there is no need to add dependencies for this.

Example:

  firewalld_port { 'Open port 8080 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 8080,
    protocol => 'tcp',
  }

Example in Hiera:

firewalld::ports:
  'Open port 8080 in the public zone':
    ensure: present
    zone: public
    port: 8080
    protocol: 'tcp'

Parameters (Firewalld Ports)

  • zone: Name of the zone this port belongs to, defaults to parameter default_port_zone of class firewalld if specified.

  • policy: Name of the policy this port belongs to. Make sure to set zone to unset if you use this and have specified default_port_zone for class firewalld.

  • port: The port to manage, defaults to the resource name.

  • protocol: The protocol this port uses, e.g. tcp or udp, defaults to parameter default_port_protocol of class firewalld if specified.

  • ensure: Whether to add (present) or remove the port (absent), defaults to present.

Firewalld Direct Chains

Direct chains can be managed with the firewalld_direct_chain type.

Example

  firewalld_direct_chain { 'Add custom chain LOG_DROPS':
    name          => 'LOG_DROPS',
    ensure        => present,
    inet_protocol => 'ipv4',
    table         => 'filter',
  }

The title can also be mapped to the type's namevars using a colon-delimited string, so the above can also be represented as

firewalld_direct_chain { 'ipv4:filter:LOG_DROPS':
  ensure => present,
}

Example in Hiera:

firewalld::direct_chains:
  'Add custom chain LOG_DROPS':
    name: LOG_DROPS
    ensure: present
    inet_protocol: ipv4
    table: filter

Parameters (Firewalld Direct Chains)

  • name: name of the chain, eg LOG_DROPS (namevar)
  • inet_protocol: ipv4, ipv6 or eb, defaults to ipv4 (namevar)
  • table: The table (eg: filter) to apply the chain (namevar)

Firewalld Direct Rules

Direct rules can be applied using the firewalld_direct_rule type.

Example (Firewalld Direct Rules)

  firewalld_direct_rule {'Allow outgoing SSH connection':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      table          => 'filter',
      chain          => 'OUTPUT',
      priority       => 1,
      args           => '-p tcp --dport=22 -j ACCEPT',
  }

Example in Hiera (Firewalld Direct Rules)

firewalld::direct_rules:
  'Allow outgoing SSH connection':
    ensure: present
    inet_protocol: ipv4
    table: filter
    chain: OUTPUT
    priority: 1
    args: '-p tcp --dport=22 -j ACCEPT'

Parameters (Firewalld Direct Rules)

  • name: Resource name in Puppet
  • ensure: present or absent
  • inet_protocol: ipv4, ipv6 or eb, defaults to ipv4
  • table: Table (eg: filter) which to apply the rule
  • chain: Chain (eg: OUTPUT) which to apply the rule
  • priority: The priority number of the rule (e.g: 0, 1, 2, ... 99)
  • args: Any iptables, ip6tables and ebtables command line arguments

Firewalld Direct Passthroughs

Direct passthroughs can be applied using the firewalld_direct_passthrough type.

Example (Firewalld Direct Passthroughs)

  firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':
      ensure         => 'present',
      inet_protocol  => 'ipv4',
      args           => '-A OUTPUT -j OUTPUT_filter'
  }

Example in Hiera (Firewalld Direct Passthroughs)

firewalld::direct_passthroughs:
  'Forward traffic from OUTPUT to OUTPUT_filter':
    ensure: present
    inet_protocol: ipv4
    args: '-A OUTPUT -j OUTPUT_filter'

Parameters (Firewalld Direct Passthroughs)

  • name: Resource name in Puppet
  • ensure: present or absent
  • inet_protocol: ipv4, ipv6 or eb, defaults to ipv4
  • args: Name of the passthrough to add (e.g: -A OUTPUT -j OUTPUT_filter)
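As an added example (not code from the module's README), the direct chain and direct rule types above are used together to build the LOG_DROPS chain that the chain example names: a rate-limited LOG followed by DROP, and an INPUT rule that hands a chosen kind of traffic to it. The log prefix, the rate limit and the matched port are assumptions.

```puppet
# Added example, not from the module's README. The log prefix, the rate
# limit and the matched port (23/tcp) are assumptions.
firewalld_direct_chain { 'ipv4:filter:LOG_DROPS':
  ensure => present,
}

# Contents of LOG_DROPS: a rate-limited LOG, then DROP. priority orders
# the rules within the chain; args is handed to iptables as-is. The README
# does not document autorequire for direct chains, so it is stated.
firewalld_direct_rule { 'LOG_DROPS: log':
  ensure        => present,
  inet_protocol => 'ipv4',
  table         => 'filter',
  chain         => 'LOG_DROPS',
  priority      => 0,
  args          => '-m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4',
  require       => Firewalld_direct_chain['ipv4:filter:LOG_DROPS'],
}

firewalld_direct_rule { 'LOG_DROPS: drop':
  ensure        => present,
  inet_protocol => 'ipv4',
  table         => 'filter',
  chain         => 'LOG_DROPS',
  priority      => 1,
  args          => '-j DROP',
  require       => Firewalld_direct_chain['ipv4:filter:LOG_DROPS'],
}

# Hand inbound telnet attempts to the chain. firewalld places direct rules
# ahead of its zone chains, so this is hit regardless of the zone the
# interface belongs to.
firewalld_direct_rule { 'telnet attempts -> LOG_DROPS':
  ensure        => present,
  inet_protocol => 'ipv4',
  table         => 'filter',
  chain         => 'INPUT',
  priority      => 0,
  args          => '-p tcp --dport 23 -j LOG_DROPS',
  require       => Firewalld_direct_chain['ipv4:filter:LOG_DROPS'],
}
```

`firewall-cmd --direct --get-all-rules` shows the three rules; the kernel log then carries `fw-drop:` lines for the dropped attempts, capped at five per minute.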

Testing

Unit Testing

Unit tests can be executed by running the following commands:

  • bundle install
  • bundle exec rake spec

Acceptance Testing

Acceptance tests are performed using Beaker and require Vagrant and VirtualBox to run successfully.

It is HIGHLY RECOMMENDED that you use the upstream Vagrant package and not one from your OS provider.

To run the acceptance tests:

  • bundle install
  • bundle exec rake beaker

To leave the Vagrant hosts running on failure for debugging:

  • BEAKER_destroy=onpass bundle exec rake beaker
  • cd .vagrant/beaker_vagrant_files/default.yml
  • vagrant ssh <host>


puppet-firewalld's Issues

Firewalld ignores custom zones at reboot but is ok after a manual restart

Bizarre problem here - can't decide if it's one for Red Hat or whether it's to do with this Puppet module.
In our manifest we create a custom zone - one custom zone like so:

    firewalld_zone { 'newzone':
      ensure           => 'present',
      target           => '%%REJECT%%',
      purge_rich_rules => true,
      purge_services   => true,
      purge_ports      => true,
      interfaces       => [ eth0 ],
    }

and then a few service and rich rules to go in there. Do a puppet run and everything works as expected. But reboot the server and everything doesn't work as expected - all traffic gets rejected...and sure enough:

# firewall-cmd --get-active-zones
public
  interfaces: eth0

.....but we haven't configured a public zone. OK - let's try a restart of firewalld:

# service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
# firewall-cmd --get-active-zones
newzone
  interfaces: eth0

Weird huh? Suddenly our custom zone called newzone becomes active and everything works as expected. Is this expected behaviour or am I doing something strange?

Syntax error

Hi,

I'm trying out your module and fortunately I'm getting issues on using it. If I apply it I get an error all the time.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Syntax error at '.'; expected '}' at /etc/puppet/environments/development/modules/firewalld/manifests/init.pp:97 on node hhvm1.nodes.rto.de
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

icmp_blocks in 'Firewalld Zones' not working

icmp_blocks: 'echo-request' not working in hiera file:

firewalld::zones:
  webserver:
    ensure: 'present'
    target: 'default'
    icmp_blocks: 'echo-request'
    purge_rich_rules: true
    purge_services: true
    purge_ports: true

get an error on puppet client:

Error: Execution of '/usr/bin/firewall-cmd --permanent --zone webserver --get-icmptypes' returned 2: usage: see firewall-cmd man page
Wrong usage of --get-zones | --get-services | --get-icmptypes.
Error: /Stage[main]/Firewalld/Firewalld_zone[webserver]/icmp_blocks: change from [] to echo-request failed: Execution of '/usr/bin/firewall-cmd --permanent --zone webserver --get-icmptypes' returned 2: usage: see firewall-cmd man page
Wrong usage of --get-zones | --get-services | --get-icmptypes.

OS: CentOS Linux release 7.2.1511 (Core)
Firewalld: firewalld-0.3.9-14.el7.noarch

purge_rich_rules does not work with custom zones

Currently rich rules do not get purged from a zone with purge_rich_rules => true

Again, this only seems to apply to custom zones. (=non default zones). In my test rich rules got removed from trusted and internal

Ability to name custom service

While testing the creation of custom services via the ::firewalld module I came across some behavior that I did not expect -- it is documented and it works exactly as the documentation says it does, but it does not map to what I expected of a custom firewalld service definition.

Normal firewalld zone .xml file

[~]$ rpm -qil firewalld-0.4.3.2-1.fc23.noarch 
Name        : firewalld
Version     : 0.4.3.2
Release     : 1.fc23
Architecture: noarch
Install Date: Sat 13 Aug 2016 02:22:35 PM EDT
Group       : Unspecified
Size        : 1869790
License     : GPLv2+
Signature   : RSA/SHA256, Tue 05 Jul 2016 05:08:48 PM EDT, Key ID 32474cf834ec9cba
Source RPM  : firewalld-0.4.3.2-1.fc23.src.rpm
Build Date  : Tue 05 Jul 2016 01:57:36 PM EDT
Build Host  : buildvm-20.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.firewalld.org
Summary     : A firewall daemon with D-Bus interface providing a dynamic firewall
Description :
firewalld is a firewall service daemon that provides a dynamic customizable
firewall with a D-Bus interface.
...
/usr/lib/firewalld/services/mosh.xml
...

[~]$ cat /usr/lib/firewalld/services/mosh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mobile shell that supports roaming and intelligent local echo.</short>
  <description>Mosh is a remote terminal application that supports intermittent network connectivity, roaming to different IP address without dropping the connection, intelligent local echo and line editing to reduct the effects of "network lag" on high-latency connections.</description>
  <port protocol="udp" port="60000-61000"/>
</service>

Firewalld looks in places like /usr/lib/firewalld/services/ and /etc/firewalld/services/ for service definitions, when one issues firewall-cmd [--permanent] --add-service=mosh firewalld looks for mosh.xml in related folders.

CentOS / RHEL do not have a built-in definition for mosh, so I attempted to mimic the Fedora provided xml file via firewalld::custom_service.

include ::firewalld

firewalld::custom_service { 'Create mosh firewalld service definition':
  short       => 'Mobile shell that supports roaming and intelligent local echo.',
  description => 'Mosh is a remote terminal application that supports intermittent network connectivity, roaming to different IP address without dropping the connection, intelligent local echo and line editing to reduct the effects of "network lag" on high-latency connections.',
  port => [
    {port => '60000-61000', protocol => 'udp'}
  ],
}

As this module creates a ${short}.xml service file I ended up with a rather large name.

[root@puppet-firewalld-test firewalld-test]# puppet apply test2.pp                                                                                                                                                 
Notice: Compiled catalog for puppet-firewalld-test.local in environment production in 1.09 seconds
Notice: /Stage[main]/Main/Firewalld::Custom_service[Create mosh firewalld service defination]/File[/etc/firewalld/services/Mobile shell that supports roaming and intelligent local echo..xml]/ensure: created
Notice: /Stage[main]/Main/Firewalld::Custom_service[Create mosh firewalld service defination]/Exec[firewalld::custom_service::reload-Create mosh firewalld service definition]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 2.21 seconds

[root@puppet-firewalld-test firewalld-test]# ls /etc/firewalld/services/
Mobile shell that supports roaming and intelligent local echo..xml

# Copy the file to example1.xml to show that I am able to --add-service example1
[root@puppet-firewalld-test firewalld-test]# cp /etc/firewalld/services/Mobile\ shell\ that\ supports\ roaming\ and\ intelligent\ local\ echo..xml /etc/firewalld/services/example1.xml

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --reload
success

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --add-service example1
success

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-services
example1

If possible I would like to see the ability to specify the name of a custom service, the short tag is for a small summary of what a service is/does, it should not be the basis for how we reference the custom services we create.

Firewalld not reloading in 3.0

Is there any way to force the firewall-cmd --reload

Here's what I have for a node:

firewalld_service { 'Allow postgresql':
ensure => 'present',
service => 'postgresql',
zone => 'public',
}

did I miss something easy in the docs? I thought I read that on any change a forced reload would get done, or something like that. I need at least a --reload done.

protocol cannot be set on rich rule

I try to create a rule that has the following form:

<rule family="ipv4">
  <destination address="224.0.0.18"/>
  <protocol value="ip"/>
  <accept/>
</rule>

However, the protocol parameter is not allowed outside a port hash.

Fails to modify existing zone on first run

I have the following setup:

dist/roles/manifests/firewall.pp:

class roles::firewall {
    include ::firewalld
}

hieradata/common.yaml:

firewalld::zones:
    internal:
        sources: ['10.0.0.0/8']
        purge_rich_rules: true
        purge_services: true
        purge_ports: true

The error I get at runtime is this:

Error: /Stage[main]/Firewalld/Firewalld_zone[internal]: Failed to generate additional resources using 'generate': Execution of '/bin/firewall-offline-cmd --zone internal --remove-service dhcpv6-client' returned 2: usage: see firewall-offline-cmd man page
Can't use lokkit options with other options.

Since I'm modifying the preexisting internal zone, it seems to be giving errors when first running this in offline mode. The second Puppet run fixes the issue, but there does seem to be an issue in the provider here.

Error with multiple ports in rich rules

The below yields Could not evaluate: no implicit conversion of String into Integer.

firewalld::rich_rules:
  'Allow some access':
    ensure: present
    zone: public
    source: '10.0.2.22/32'
    port:
      - port: 8400
        protocol: 'tcp'
      - port: 7937
        protocol: 'tcp'
    action: 'accept'

Can anyone see where I went wrong with the ports?

Thanks

Simple rich rule gives warning, nothing happens

I want to add a simple rule to the firewalld on the puppet client but I keep getting the following messages

# Zone added
firewalld_rich_rule { 'Add XXX to trusted zone':
    ensure => present,
    zone   => 'trusted',
    source => 'XXX.XXX.XXX.XXX',
    action  => 'accept',
  }
# Messages on puppet agent --test
Info: Redefining firewalld_rich_rule in Puppet::Type
/opt/puppetlabs/puppet/cache/lib/puppet/type/firewalld_rich_rule.rb:101: warning: already initialized constant ELEMENTS
/opt/puppetlabs/puppet/cache/lib/puppet/type/firewalld_rich_rule.rb:101: warning: previous definition of ELEMENTS was here

And nothing seems to happen after that :S Can you help me out?

Regression 3.1.5: firewalld_rich_rule fails when firewalld is not running

When firewalld is not running when firewalld_rich_rule is applied, it fails with:

Firewalld_rich_rule[NAME]: Could not evaluate: Execution of '/bin/firewall-offline-cmd --zone ZONE --query-rich-rule rule family="ipv4" source address="0.0.0.0/0" service name="SERVICE" accept' returned 1: no

On the second run and when firewalld is already running, everything works ok.

Can't provide protocol value in rich_rules

Heya

I can't seem to be able to provide protocol value="" in rich rules as per this documentation here:

[https://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Protocol]

Is that right? Quite possible I've missed something though...!

Cheers

Could not autoload

I'm struggling with a problem that seems to be related to pluginsync - any attempt to utilize the module ends with: Error 400 on SERVER: Could not autoload puppet/type/firewalld...

pluginsync is enabled on client:
[root@gra ~]# puppet agent --configprint pluginsync
true

...and also on the master; I'm using other modules with plugins successfully.
I tried 2 different clients, CentOS 6.5/7.1.
The puppet/lib/type directories contain 4 firewalld*.rb scripts on the client as well as on the server.

Any suggestions? I'm quite new to puppet.

Can't seem to run this first time

I get this on every puppet run:

Error: Failed to apply catalog: Command firewall_cmd is missing

A manual install of firewalld, starting it and then a puppet run makes this issue disappear and move on, creating my firewall rules, even though I've declared

class { '::firewalld': } in my manifest (which by default should install and start firewalld)

Anyone got any ideas?

Module does not handle invert=> true correctly

Description

When attempting to add a single exception for servers that need to have their firewalls opened up to the world, I attempted to use an invert rule for firewalld as firewalld lacks support for keywords like any as ip addresses. Every time the catalog is run on the client machines the firewalld rule toggles on and off.

The current version of the puppet-firewalld module we are using is 1.1.1.

Example Manifest

class company_firewall::compute_server {
    if $fqdn =~ /^(gu|co)\.it\.domain\.name$/ {
        # This class should only ever be applied to the campus compute servers like
        # guardian or colossus, NEVER apply this to a user's machine. They MUST use
        # a VPN connection.
        firewalld_rich_rule { 'Accept all connections from EVERYWHERE.':
            ensure  => present,
            source  => {
                    address => '1.1.1.1/32',
                    invert  => true,
                },
            zone    => 'public',
            action  => 'accept',
            require => Firewalld_Rich_Rule['Accept all connections from STAFF-IT-07'],
        }
    }
}

Results

[root@gu ~]# puppet agent -t
Warning: Local environment: "production" doesn't match server specified node environment "testing", switching agent to "testing".
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for lab7-1000012350
Info: Applying configuration version '1440024302'
Notice: /Stage[main]/company_firewall/Firewalld_rich_rule[rule family="ipv4" source NOT address="1.1.1.1/32" accept]/ensure: removed
Notice: Finished catalog run in 11.28 seconds

[root@gu ~]# puppet agent -t
Warning: Local environment: "production" doesn't match server specified node environment "testing", switching agent to "testing".
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for lab7-1000012350
Info: Applying configuration version '1440024359'
Notice: /Stage[main]/company_firewall::Compute_server/Firewalld_rich_rule[Accept all connections from EVERYWHERE.]/ensure: created
Info: /Stage[main]/company_firewall::Compute_server/Firewalld_rich_rule[Accept all connections from EVERYWHERE.]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 13.85 seconds

Current Workaround

I made a quick exception that made it so rich rules would not get purged if the fqdn matched a regex... This way the rule will not toggle... But it also will not clean up old rules, so we just have to manage those in an exec with an onlyif and a grep on firewall-cmd --zone=public --list-rich-rules.

    if $fqdn =~ /^(gu|co)\.it\.company\.name$/ {
        firewalld_zone { 'public':
            ensure           => 'present',
            purge_services   => true,
            before           => Class['company_firewall::core_services'],
        }
    } else {
        firewalld_zone { 'public':
            ensure           => 'present',
            purge_services   => true,
            purge_rich_rules => true,
            before           => Class['company_firewall::core_services'],
        }
    }

firewalld module reloads firewalld excessively

After some in depth testing I have found that if firewalld is restarted over and over again in a short period of time weird things start happening. The easiest to see issue is that DNS lookups start failing.

e.g. run 'firewall-cmd --reload' in a loop and also run 'puppet agent -t' in a loop.

while true;do firewall-cmd --reload; done
while true; do puppet agent -t; sleep 1; done

You will get errors like:
Error: Could not send report: getaddrinfo: Name or service not known

I think the best solution will be to update all of the code doing reloads, like custom_service and firewalld_service, to use common reloads and reduce the number of restarts.

    exec { 'firewalld::custom_service::reload':
      path        =>'/usr/bin:/bin',
      command     => 'firewall-cmd --reload',
      refreshonly => true,
    }

    exec { 'firewalld::reload':
      path        =>'/usr/bin:/bin',
      command     => 'firewall-cmd --reload',
      refreshonly => true,
      require     => Exec['firewalld::custom_service::reload'],
    }

    Exec['firewalld::custom_service::reload'] -> Firewalld_service <| |>
    Service['firewalld'] -> Firewalld_zone <| |> ~> Exec['firewalld::reload']
    Service['firewalld'] -> Firewalld_rich_rule <| |> ~> Exec['firewalld::reload']
    Service['firewalld'] -> Firewalld_service <| |> ~> Exec['firewalld::reload']
    Service['firewalld'] -> Firewalld_port <| |> ~> Exec['firewalld::reload']

Error: Could not autoload puppet/type/firewalld_zone: undefined local variable or method `namevar' for Puppet::Type::Firewalld_port:Class

Updated from the previous GitHub version (1.1.1) to the newly-pushed Forge version (1.2.0) and received this error when running the agent:

Error: Could not autoload puppet/type/firewalld_zone: undefined local variable or method `namevar' for Puppet::Type::Firewalld_port:Class
Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not autoload puppet/type/firewalld_zone: undefined local variable or method `namevar' for Puppet::Type::Firewalld_port:Class
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Reverting to the previous GitHub version cleared the issue.

Error when firewall-cmd is not yet available and purging direct rules/chains/passthroughs is turned on

I think this issue is similar to #96 but feel free to correct me if I'm wrong.

I'm using version 3.1.7 of puppet-firewalld on CentOS 7.2 with puppet agent version 4.8.0. The puppet master is a CentOS 6.8 box with version 4.4.0 of puppet.

When including the firewalld class and setting purge_direct_rules, purge_direct_chains, and/or purge_direct_passthroughs to true, there are puppet errors that occur.

manifest

class { 'firewalld':
  purge_direct_rules        => true,
  purge_direct_chains       => true,
  purge_direct_passthroughs => true,
}

Initial run without firewalld installed yet:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server.example.com
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[chain]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[rule]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Error: /Stage[main]/Firewalld/Firewalld_direct_purge[passthrough]: Failed to generate additional resources using 'generate': Command firewall_cmd is missing
Info: Applying configuration version '1479150712'
Notice: /Stage[main]/Firewalld/Package[firewalld]/ensure: created
Info: /Stage[main]/Firewalld/Package[firewalld]: Scheduling refresh of Service[firewalld]
Notice: /Stage[main]/Firewalld/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Firewalld/Service[firewalld]: Unscheduling refresh on Service[firewalld]
Notice: Applied catalog in 4.53 seconds

This would cause the initial run that installs firewalld to fail. It isn't a huge deal since subsequent runs will work, but we do have some things that trigger if there is an error in a puppet run. We'd like to purge rules so we can ensure output rules are being properly managed.

Thank you for a great module!

Allow non-port rules

Hi,

I am trying to allow VRRP traffic using your puppet module but cannot seem to get it to work due to the port requirement:

firewalld_rich_rule { 'Accept VRRP traffic':
            ensure  => present,
            zone    => 'public',
            port    => { 'port' => , 'protocol' => 'vrrp' },
            action  => 'accept',
}

Is there a better way to do this or a value that the port will accept?

Thanks,
Simon

Attempt to redefine entity when using firewalld_port

Any idea what could be causing this error? I'm running puppet 4.7.0.

Error: Could not autoload puppet/type/firewalld_zone: Attempt to redefine entity 'http://puppet.com/2016.1/runtime/type/firewalld_port'. Originally set at file:/etc/puppetlabs/code/modules/firewalld/lib/puppet/type/firewalld_port.rb?line=3.

Error: Evaluation Error: Error while evaluating a Virtual Query, Could not autoload puppet/type/firewalld_zone: Attempt to redefine entity 'http://puppet.com/2016.1/runtime/type/firewalld_port'. Originally set at file:/etc/puppetlabs/code/modules/firewalld/lib/puppet/type/firewalld_port.rb?line=3. at /etc/puppetlabs/code/modules/firewalld/manifests/init.pp:93:29 on node r.local

I'm using firewalld_port in a bunch of other manifests and it works fine. Here is the invocation:

firewalld_port { 'Port 80 for opencpu':
  ensure   => 'present',
  zone     => 'public',
  port     => 80,
  protocol => 'tcp',
}

I've tried different versions of puppet-firewalld, putting the firewalld_port in different manifests and tweaking the definition itself, but no luck so far.

add "ZONE=" in the relevant ifcfg-* script

Hi,

If you don't use NetworkManager to manage your device, you have to add
"ZONE=my_new_firewalld_zone" in the /etc/sysconfig/network-scripts/ifcfg-* configuration file.

Otherwise, it will NEVER NEVER work!

Don't forget to reload the configuration: "systemctl restart network".

Regards.

Issue with single quotes inside args parameter

firewalld::direct_rules:
  log_drops:
    ensure: 'present'
    inet_protocol: 'ipv4'
    table: 'filter'
    chain: 'LOG_DROPS'
    priority: 0
    args: "-j LOG --log-prefix '# IPTABLES DROPPED: '"

Current result:
-j LOG --log-prefix ''"'"'#' IPTABLES DROPPED: ''"'"''

Expected result:
-j LOG --log-prefix '# IPTABLES DROPPED: ''

Hiera configuration examples seem to confuse zone with resource name

An example is:

firewalld::ports:
  public:
    ensure: present
    port: 8080
    protocol: 'tcp'

Here 'public' is the resource name. I've found that this works:

firewalld::ports:
  tomcat:
    zone: public
    ensure: present
    port: 8080
    protocol: tcp
  tomcats:
    zone: public
    ensure: present
    port: 8443
    protocol: tcp

... so the example should probably change to:

firewalld::ports:
  'Open port 8080 in the public zone':
    zone: public
    ensure: present
    port: 8080
    protocol: 'tcp'

... to keep it aligned with the Puppet DSL example.

There are many instances of this in the documentation for the module.

Hiera support configurations

Please support Hiera configurations in the future. This would allow easier configuration and the possibility to apply the rules to different Hiera hierarchies.

Add top-level class, zone sources and zone interfaces to the docs

I'll see if I can contribute some of these myself.

  • document usage of the ::firewalld class
  • document the source param for zones
  • document the interfaces param for zones

That's the stuff I've spotted which exists but isn't mentioned in the README; is there anything else?

changed behavior of "firewall-cmd --permanent --get-target --zone public" in new versions

Today I faced an idempotency issue.

If I set the target with % symbols:

firewalld_zone { '***':
  ...
  target => '%%REJECT%%',
}

firewall-cmd returns the value without %:

#  firewalld version 4.3.2-8.1.el7_3
firewall-cmd --permanent --get-target --zone public
# REJECT

In the previous version, firewalld 3.9-14.el7, it returns the correct value:

firewall-cmd --permanent --get-target --zone public
%%REJECT%%

Now I use the value without %:

target => 'REJECT',

as a result it generates the correct value:

<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
  <short>Public</short>

but it looks like a workaround.

Could you comment about this case?

Module should purge running configuration as well as permanent

Created a zone with purge_ports => true

Added a port manually:
firewall-cmd --zone=test --add-port=1234/tcp

Run puppet and expect it to remove the port as it's not defined, but it does not.

It will however work as expected when there is a change in state of a predefined port (if any are defined).

If purge_ports => true, it should check on every run if there are changes to be made.

Cannot set masquerade in zone

Is it possible to set masquerade in a zone using this module? I've not found any information about that.

Example:

/usr/bin/firewall-cmd --permanent --zone=public --add-masquerade

As a workaround I'm doing this:

exec { 'firewalld_add_masquerade_public':
  command => '/usr/bin/firewall-cmd --permanent --zone=public --add-masquerade',
  # grep -q instead of a shell redirect: the default exec provider runs no shell,
  # so '> /dev/null' would be passed to grep as an argument
  unless  => '/usr/bin/grep -q masquerade /etc/firewalld/zones/public.xml',
}

I need this to build a NAT Gateway.
I'm using CentOS 7.3

firewalld currently uses complete-reload; this causes outages when updating the firewalld configuration

firewalld::reload should default to use --reload to prevent killing of active connections on live servers.

https://github.com/crayfishx/puppet-firewalld/blob/master/manifests/init.pp#L85

    exec { 'firewalld::reload':
      path        =>'/usr/bin:/bin',
      command     => 'firewall-cmd --reload',
      refreshonly => true,
    }

There should probably be a firewalld::complete-reload that can be called if necessary.

    exec { 'firewalld::complete-reload':
      path        =>'/usr/bin:/bin',
      command     => 'firewall-cmd --complete-reload',
      require        => Exec['firewalld::reload'],
      refreshonly => true,
    }
   --reload
       Reload firewall rules and keep state information. Current permanent
       configuration will become new runtime configuration, i.e. all
       runtime only changes done until reload are lost with reload if they
       have not been also in permanent configuration.

   --complete-reload
       Reload firewall completely, even netfilter kernel modules. This
       will most likely terminate active connections, because state
       information is lost. This option should only be used in case of
       severe firewall problems. For example if there are state
       information problems that no connection can be established with
       correct firewall rules.

firewalld/manifest/init.pp fails puppet parser validate

$ sudo puppet parser validate /etc/puppet/environments/production/modules/firewalld/manifests/init.pp

Error: Could not parse for environment production: Syntax error at 'Enum'; expected ')' at /etc/puppet/environments/production/modules/firewalld/manifests/init.pp:34

Add support for direct interface rules

In my work they've implemented direct rules and I would like to manage those with this module.

Example:
To enable only outgoing traffic on port 80:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP

Errors in syslog when puppet runs

On every puppet run I do where I included this module I see the following error in my syslog:
(I do manage some resources with this module)

dbus[797]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.264" (uid=0 pid=12807 comm="/usr/bin/python -Es /usr/sbin/firewalld --nofork -") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.30616" (uid=0 pid=29001 comm="/usr/bin/python -Es /usr/bin/firewall-cmd --perman")

firewalld_rich_rule not applied immediately (only in config)

When defining a firewalld_rich_rule in puppet, the rule is applied with "--permanent", which means it is ONLY part of the configuration and NOT live. This is not an expected behaviour, or is it?

See man page of firewall-cmd:

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent
           option, a change will only be part of the runtime configuration. The --permanent option can not be used with all options.

           If you want to make a change in runtime and permanent configuration, use the same call with and without the--permanent option.

           The --permanent option can be optionally added to all options further down where it is supported.

Note:

          If you want to make a change in runtime and permanent configuration, use the same call with and without the--permanent option.

This is firewalld 0.3.9 on Centos 7

[vagrant@server ~]$ firewall-cmd -V
0.3.9
[vagrant@server ~]$ rpm -qa | grep firewalld
firewalld-0.3.9-14.el7.noarch

NAME_CONFLICT error when adding service

When using RHEL7, I get the following error when using your module:
Execution of '/bin/firewall-cmd --permanent --new-service xrdp' returned 26: Error: NAME_CONFLICT: xrdp
(/Stage[main]/Xrdp/Firewalld::Custom_service[XRDP service]/Firewalld_custom_service[xrdp]/ensure) change from absent to present failed: Execution of '/bin/firew..._CONFLICT: xrdp

Here is the pertinent puppet manifest to generate the error:

firewalld::custom_service{'XRDP service':
  short       => 'xrdp',
  description => 'RDP for Xorg',
  port        => [
                  {
                  'port'     => 3389,
                  'protocol' => 'tcp',
                  },
                  ],
}
firewalld_service { 'Allow XRDP from the public zone':
  ensure  => 'present',
  service => 'xrdp',
  zone    => 'public',
}

After some investigation, it seems like firewall-cmd --new-service xrdp will give the NAME_CONFLICT error if the service is already defined. This is problematic since I see no good way to query firewalld to see if the service is already present and NOT in a zone, but I think that I have found a potential work flow that goes as follows:

  1. Add the service file in /etc/firewalld/services/
  2. (optional) Use firewall-cmd --permanent --zone public --list-services to verify if the service exists in the desired zone and do nothing otherwise. Skip the remaining steps
  3. reload firewalld, which adds the new service, then add the service to the zone, which returns success even if the service was already added

No such file to load

After upgrading to version 3.1.0, I receive this error when applying firewalld configuration on a puppet agent:

Puppet Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Could not autoload puppet/type/firewalld_zone: Could not autoload puppet/provider/firewalld_rich_rule/firewall_cmd: no such file to load -- puppet/provider/firewalld at /etc/puppetlabs/code/environments/development/modules/firewalld/manifests/init.pp:99:7 on node centos7

After some digging into Google and the code, updating puppet agent and server, and reinstalling the module, I found the correction to make:
just modify in the providers the require statement from:

require 'puppet/provider/firewalld'

to:

require File.dirname(__FILE__).concat('/../firewalld.rb')

With this correction, the puppet firewalld configuration applies correctly.

Here is the diff for the providers:

Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_chain/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_chain/firewall_cmd.rb     2016-08-16 17:26:29.656882277 +0200
+++ /tmp/puppet-file20160816-16379-5xe6ct       2016-08-16 17:30:50.014486783 +0200
@@ -1,5 +1,5 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_direct_chain).provide(:firewall_cmd, :parent => Puppet::Provider::Firewalld) do
   desc "Provider for managing firewalld direct chains using firewall-cmd"
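Review bot: `require File.dirname(__FILE__).concat('/../firewalld.rb')` is a long-hand spelling of `require_relative '../firewalld'`, which Ruby resolves relative to the current file without building the path by hand; prefer that form. The same one-line substitution is then repeated in all eight provider files below, so if the root cause is that `puppet/provider/firewalld` is not on the load path when the providers autoload, fixing the load path once would be less fragile than patching every provider.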
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_passthrough/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_passthrough/firewall_cmd.rb       2016-08-16 15:53:20.913345322 +0200
+++ /tmp/puppet-file20160816-16379-l0y19i       2016-08-16 17:30:50.270489318 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_direct_passthrough).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_purge/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_purge/firewall_cmd.rb     2016-08-16 15:53:21.181347408 +0200
+++ /tmp/puppet-file20160816-16379-1md7lfh      2016-08-16 17:30:50.492491513 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_direct_purge).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb      2016-08-16 15:53:21.442349438 +0200
+++ /tmp/puppet-file20160816-16379-1flplrq      2016-08-16 17:30:50.715493722 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_direct_rule).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_port/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_port/firewall_cmd.rb     2016-08-16 15:53:21.716351574 +0200
+++ /tmp/puppet-file20160816-16379-1fbz56r      2016-08-16 17:30:51.172498245 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_port).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_rich_rule/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_rich_rule/firewall_cmd.rb        2016-08-16 15:53:22.007353840 +0200
+++ /tmp/puppet-file20160816-16379-1g0yoph      2016-08-16 17:30:51.414500643 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_rich_rule).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_service/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_service/firewall_cmd.rb  2016-08-16 15:53:22.267355863 +0200
+++ /tmp/puppet-file20160816-16379-1forbol      2016-08-16 17:30:51.638502858 +0200
@@ -1,5 +1,4 @@
 require 'puppet'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')

 Puppet::Type.type(:firewalld_service).provide(
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_zone/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_zone/firewall_cmd.rb     2016-08-16 15:53:22.524357864 +0200
+++ /tmp/puppet-file20160816-16379-13wpkzv      2016-08-16 17:30:51.863505088 +0200
@@ -1,6 +1,5 @@
 require 'puppet'
 require 'puppet/type'
-require 'puppet/provider/firewalld'
+require File.dirname(__FILE__).concat('/../firewalld.rb')
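Review bot: the hunk header `@@ -1,6 +1,5 @@` claims the new side is one line shorter, yet the hunk swaps one `-` line for one `+` line and shows no trailing context, and the earlier hunks have the same `-1,5 +1,4` mismatch; the diffs look truncated, so please regenerate them with `git diff` so the counts and context are intact before this is turned into a PR.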

Best regards,
Bénoni

firewalld errors when switching from iptables

Our Redhat 7 servers were set up using iptables. I'm trying to switch them to firewalld.

The puppet run generates these failures:
Error: /Stage[main]/Firewalld/Firewalld_direct_rule[000 INPUT allow related and established]: Could not evaluate: Execution of '/bin/firewall-offline-cmd --direct --query-rule ipv4 filter INPUT 0 -p all --state RELATED,ESTABLISHED -m comment --comment 000 INPUT allow related and established -j ACCEPT' returned 1: no
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Dependency Firewalld_direct_rule[000 INPUT allow related and established] has failures: true
Warning: /Stage[main]/Firewalld/Exec[firewalld::reload]: Skipping because of failed dependencies
Notice: /Stage[main]/Firewalld/Exec[firewalld::complete-reload]: Dependency Firewalld_direct_rule[000 INPUT allow related and established] has failures: true
Warning: /Stage[main]/Firewalld/Exec[firewalld::complete-reload]: Skipping because of failed dependencies

Status of firewalld is:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-02-09 14:24:15 PST; 22min ago
Main PID: 3513 (firewalld)
CGroup: /system.slice/firewalld.service
└─3513 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 09 14:24:15 xnvbase02067 systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 09 14:24:15 xnvbase02067 systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 09 14:24:16 xnvbase02067 firewalld[3513]: 2017-02-09 14:24:16 ERROR: INVALID_ZONE

Restarting firewalld corrects all errors.
Starting firewalld before the first puppet run corrects the issue as well.

My puppet code:
class { 'firewalld':
  purge_direct_rules => true,
}

My hiera data:
firewalld::direct_rules:
  '000 INPUT allow related and established':
    ensure: 'present'
    table: 'filter'
    chain: 'INPUT'
    priority: 0
    args: "-p all --state RELATED,ESTABLISHED -m comment --comment '000 INPUT allow related and established' -j ACCEPT"

Feature: Allow to define a port range for custom_services

It would be nice to have :-)

firewalld::custom_services:
  xy-application:
    short: 'xy-application'
    description: 'XY Application'
    port:
      - port: '5000:5020'
        protocol: 'tcp'

Then it will detect there is a ":" or "-" in the port variable and create the xml service accordingly.

Direct rules does not apply

I try to use the direct rule from the Smart Class Parameter. For better understanding, I use the direct rule you have in the documentation.

The puppet apply goes well but the result is not as expected.
Indeed, the direct.xml file is well created but the content is not a valid firewalld direct rule:

<rule priority="1" table="filter" ipv="ipv4" chain="OUTPUT">'-p tcp --dport=22 -j ACCEPT'</rule>

And the running firewalld rulebase does not contain the direct rule:

firewall-cmd --direct --query-rule ipv4 filter OUTPUT 1 -p tcp --dport=22 -j ACCEPT
no

The mistake is the single quotes around the content of the rule (the args parameter from the class parameter).
If you try to run the same rule without the '--permanent' parameter on the CLI, you get the following error:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 '-p tcp --dport=22 -j ACCEPT' 
Error: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -I OUTPUT_direct 1 -p tcp --dport=22 -j ACCEPT' failed: iptables v1.4.21: unknown protocol " tcp --dport=22 -j accept" specified

To resolve this issue you need to split the rule into each of its elements as parameters to the command.
Here is the patch to apply for the direct rule to work as expected:

Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb]/content:
--- /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb      2016-08-12 16:59:25.044263250 +0200
+++ /tmp/puppet-file20160812-29029-wgq68d       2016-08-12 17:07:06.153148189 +0200
@@ -30,7 +30,7 @@
            @resource[:table],
            @resource[:chain],
            @resource[:priority],
-           @resource[:args],
+           @resource[:args].split(" "),
     ]
   end
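Review bot: `@resource[:args].split(" ")` fixes the single-quoted-whole-string problem but splits on bare spaces only, so an argument that itself contains spaces, such as the `--log-prefix '# IPTABLES DROPPED: '` from the single-quotes issue above, is torn into `'#`, `IPTABLES`, `DROPPED:` and `'`. Use `Shellwords.split(@resource[:args])` (with `require 'shellwords'`) so quoted arguments survive as one token, and apply the same tokeniser wherever the provider builds the argv for `--query-rule` and `--remove-rule`, otherwise add and query will disagree.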

And the result works as expected.
The direct.xml file contains the correct rule:

<rule priority="1" table="filter" ipv="ipv4" chain="OUTPUT">-p tcp --dport=22 -j ACCEPT</rule>

And with the running firewalld rulebase, the query gives the correct result:

firewall-cmd --direct --query-rule ipv4 filter OUTPUT 1 -p tcp --dport=22 -j ACCEPT
yes

FYI:
OS of the puppet client : CentOS 7.2
Puppet client version: 4.5.2
puppet-firewalld version: 3.0.1

Best regards,
Bénoni.
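As an added example (not the module's own code) of the tokenising that both this issue and the single-quotes `args` issue above call for, the Ruby below compares a bare whitespace split with `Shellwords.split` on the two args strings taken from those issues; `direct_rule_argv` is a hypothetical helper that assembles the firewall-cmd argument vector the way a provider would.

```ruby
# Added example, not part of puppet-firewalld: turning a direct-rule `args`
# string into separate firewall-cmd arguments.
require 'shellwords'

# Constructed sample args, copied from the two issues discussed above.
LOG_ARGS = "-j LOG --log-prefix '# IPTABLES DROPPED: '"
PLAIN_ARGS = '-p tcp --dport=22 -j ACCEPT'

# Naive whitespace split: the quotes stay glued to the tokens and the quoted
# log prefix, which contains spaces, is torn into several arguments.
def naive_split(args)
  args.split(' ')
end

# Shell-style split: quotes group words and are stripped, which is exactly
# what a shell would have handed to firewall-cmd on the command line.
def shell_split(args)
  Shellwords.split(args)
end

# Hypothetical helper: build the argv for a permanent direct rule with the
# args tokenised via Shellwords so that every element reaches iptables as a
# separate argument (the problem in this issue) while quoted arguments
# survive intact (the problem in the single-quotes issue).
def direct_rule_argv(ipv, table, chain, priority, args)
  ['firewall-cmd', '--permanent', '--direct', '--add-rule',
   ipv, table, chain, priority.to_s] + shell_split(args)
end
```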

Enhancement: --set-default-zone

It would be extra convenient if one could configure the default zone easily via this module.

Right now I've added this to wrapper code:

exec { "firewalld: set default zone to ${zone}":
  command   => "firewall-cmd --set-default-zone ${zone}",
  path      => '/bin',
  logoutput => false,
  unless    => "firewall-cmd --get-default-zone | grep ${zone}",
  # the pipe in 'unless' needs a shell; the default posix provider runs none
  provider  => shell,
  # Enforces ordering, but also checks/sets after every reload...
  subscribe => Exec['firewalld::reload'],
}

purge_ports alternately removes and adds port again

Currently the module alternates between removing a port and adding a port when running. Services are not affected. Also, I think this only affects custom zones.

Workaround: use firewalld::custom_service to define a custom service and apply the service.

puppet module list|grep crayfishx-firewalld
├── crayfishx-firewalld (v2.1.0)

[root@puppetdev01 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetdev01.int.m-box.de
Info: Applying configuration version '1453748440'
Notice: /Stage[main]/Mb_linux::Firewall/Firewalld_port[mboxinternal-9090-tcp-purge]/ensure: removed
Notice: Finished catalog run in 7.93 seconds
[root@puppetdev01 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetdev01.int.m-box.de
Info: Applying configuration version '1453748543'
Notice: /Stage[main]/Mb_linux::Firewall/Firewalld_port[Allow Cockpit service in internal zone]/ensure: created
Notice: Finished catalog run in 7.76 seconds
[root@puppetdev01 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for puppetdev01.int.m-box.de
Info: Applying configuration version '1453748563'
Notice: /Stage[main]/Mb_linux::Firewall/Firewalld_port[mboxinternal-9090-tcp-purge]/ensure: removed
Notice: Finished catalog run in 8.02 seconds

Last chance to break the API

3.0.0 will be cut off the current master HEAD tomorrow morning GMT unless anyone has any last minute API breaking changes they need to get in... FYI

Detail: undefined method `split' for 443:Fixnum

Regression introduced by:

commit 4b0524d09934fa9a3a008811315db3174d4c4e18
Author: Craig Dunn <[email protected]>
Date:   Wed Nov 30 12:15:03 2016 +0100

    initial change to enable port ranges (Closes #107)

diff --git a/templates/service.xml.erb b/templates/service.xml.erb
index ac62ff7..50691e0 100644
--- a/templates/service.xml.erb
+++ b/templates/service.xml.erb
@@ -7,7 +7,10 @@

     <%- if @port -%>
     <%- @port.each do |i| -%>
-    <port<% if i['protocol'] -%> protocol="<%= i['protocol'] %>"<% end -%><% if i['port'] -%> port="<%= i['port'] %>"<% end -%> />
+      <%- range = i['port'].split(/:/).map { |p| p.to_i } -%>
+      <%- (range[0]..range[1] || range[0]).each do |p| -%>
+    <port<% if i['protocol'] -%> protocol="<%= i['protocol'] %>"<% end -%> port="<%= p %>" />
+      <%- end -%>
     <%- end -%>
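Review bot: `i['port'].split(/:/)` assumes `port` is a String and raises `undefined method 'split' for 443:Fixnum` when the port is given as an Integer, which nothing in the template checks; use `i['port'].to_s.split(/:/)`. Also, `range[0]..range[1] || range[0]` parses as `range[0]..(range[1] || range[0])`, which is the intent but reads as if `||` applied to the whole range, so parenthesise it, and a reversed range such as `5020:5000` silently yields an empty range and therefore no `<port>` elements at all.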

In case port is a list of Integers (not checked in code), the statement fails with:

Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Failed to parse template firewalld/service.xml.erb:
         Filepath: /opt/provision/modules/firewalld/templates/service.xml.erb
         Line: 10
         Detail: undefined method `split' for 443:Fixnum
at /opt/provision/modules/firewalld/manifests/custom_service.pp:66:16
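An added example, not from the module, of the port handling this regression and the port-range feature request above describe: `port_range` (hypothetical name) accepts an Integer, a numeric String, or a `5000:5020` / `5000-5020` range and returns `[min, max]` or nil, and `port_elements` renders the service XML port elements, keeping a range as the `min-max` form that firewalld.service(5) documents for the port attribute instead of expanding it into one element per port.

```ruby
# Added example, not part of puppet-firewalld: normalise a custom_service
# port entry into [min, max] and render <port .../> elements from it.

# Accepts 443, "443", "5000:5020" or "5000-5020". Returns nil for anything
# that is not a valid TCP/UDP port or an ascending port range (constructed
# validation, not firewalld's own).
def port_range(spec)
  m = spec.to_s.strip.match(/\A(\d+)(?:[:-](\d+))?\z/)
  return nil unless m
  low = m[1].to_i
  high = (m[2] || m[1]).to_i
  return nil unless low.between?(1, 65_535) && high.between?(low, 65_535)
  [low, high]
end

# Render one <port/> element per entry. A single port yields port="443";
# a range yields port="5000-5020" (firewalld's native range syntax) rather
# than 21 separate elements. Invalid entries raise instead of producing a
# broken service file.
def port_elements(ports)
  ports.map do |entry|
    range = port_range(entry['port'])
    raise ArgumentError, "invalid port spec #{entry['port'].inspect}" unless range
    value = range[0] == range[1] ? range[0].to_s : "#{range[0]}-#{range[1]}"
    proto = entry['protocol'] ? %( protocol="#{entry['protocol']}") : ''
    %(<port#{proto} port="#{value}" />)
  end
end
```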
