Comments (6)
crayfishx
commented on June 26, 2024
Are you including the firewalld base class? The module configures things in permenant mode so a restart is required to make changes active, though if you are including the firewalld base class these dependencies should already be set up for you
from puppet-firewalld.
rgill3003
commented on June 26, 2024
I do yes - above the new firewalld zone config i've got:
class { '::firewalld': }
like this:
class { '::firewalld': }
firewalld_zone { 'newzone':
ensure => 'present',
target => '%%REJECT%%',
purge_rich_rules => true,
purge_services => true,
purge_ports => true,
interfaces => [ eth0 ],
}
from puppet-firewalld.
crayfishx
commented on June 26, 2024
Can you paste the output of the puppet run when it first sets up the zone? It should restart the firewalld service for you
from puppet-firewalld.
rgill3003
commented on June 26, 2024
It does do it's job on first run..........output below with lots of obfuscated internal ip addresses and names:
puppet agent -tv
Info: Using configured environment 'development'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for <removed>
Info: Applying configuration version 'ae90abfe015a2b88f8bfd3496d3e33aec725e4ed'
Notice: /Stage[main]/Firewalld/Package[firewalld]/ensure: created
Info: /Stage[main]/Firewalld/Package[firewalld]: Scheduling refresh of Service[firewalld]
Notice: /Stage[main]/Firewalld/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Firewalld/Service[firewalld]: Unscheduling refresh on Service[firewalld]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_zone[custom]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_zone[allowed]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add SSH to custom zone]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add SSH to custom zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from anywhere]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from anywhere]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[nrpe custom service]/File[/etc/firewalld/services/customservice.xml]/ensure: defined content as '{md5}92d7eb3544bca905b3d9a2452fb7f504'
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[service custom service]/File[/etc/firewalld/services/custom.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-service custom service]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[nrpe custom service]/Exec[firewalld::custom_service::reload-service custom service]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add service to custom zone]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add service to custom zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[autosys]/File[/etc/firewalld/services/autosys.xml]/ensure: defined content as '{md5}4e1bebe6dfeef32be1b4e4a019d356d3'
Info: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[autosys]/File[/etc/firewalld/services/autosys.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-autosys]
Notice: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[service]/Exec[firewalld::custom_service::reload-autosys]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Autosys/Firewalld_service[Add service Ports to Zone]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_service[Add service Ports to Zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from [ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service2 from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[service]/File[/etc/firewalld/services/service.xml]/ensure: defined content as '{md5}2476179fcc5713a16c9e8cf79819a105'
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[apache]/File[/etc/firewalld/services/service.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-service]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[<service>]/Exec[firewalld::custom_service::reload-apache]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_service[Add <service> Ports to Zone]/ensure: created
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_service[Add <service> Ports to Zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_rich_rule[Rich Rule For <service> Access from everywhere]/ensure: created
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_rich_rule[Rich Rule For <service> Access from everywhere]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 16 events
Notice: Applied catalog in 50.46 seconds
# firewall-cmd --get-active-zones
customzone
interfaces: eth0
So far so good....puppet does it's job....but reboot the server and:
# shutdown -r now
Connection to <agentname> closed by remote host.
Connection to <agentname> closed.
# ssh <agentname>
# firewall-cmd --get-active-zones
public #### (BUT I HAVEN'T CONFIGURED A PUBLIC ZONE HANCE NOTHING WORKS!!)
interfaces: eth0 eth1
[root@whyluaap115 ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@whyluaap115 ~]# firewall-cmd --get-active-zones
customzone #### (THAT'S BETTER!)
interfaces: eth0
To be honest I'm emailing you but I'm veering towards it being more a problem for redhat.
from puppet-firewalld.
crayfishx
commented on June 26, 2024
@rgill3003 Any update on this? It sounds like a strange Redhat issue but I don't want to close this ticket without a bit more info....
thx
from puppet-firewalld.
zerodecimal
commented on June 26, 2024
Just stumbled across this issue... I think this discussion may be helpful here. Although the firewalld man page states that firewalld tries to change the ZONE setting in the /etc/sysconfig/network-scripts/ifcfg- file, it does not appear to be doing so. It may be a bug in that program, but you may still be able to account for it in your module if you think it's a good idea.
from puppet-firewalld.
Related Issues (20)
- Firewalld module support for puppet 7.x HOT 3
- RHEL 8 - Error: COMMAND_FAILED: 'python-nftables' failed HOT 12
- FEATURE REQUEST: Hiera support for firewalld_custom_services
- firewalld_rich_rule needs to autorequire firewalld_custom_service on `service`
- firewalld_rich_rule should not permit both masqerade true and action parameters
- enable ping/icmp for ipv6? HOT 1
- [Feature] Validate zone sources arguments (only support IP addresses)
- [4.4.0] AllowZoneDrifting must be igored on RHEL9
- Upgrade compatibility to <8.0.0? HOT 1
- Rich rule purging isn't idempotent, or isn't saving, or similar HOT 6
- [4.5.1] add support for Puppet 8
- Ignore some rules not defined in puppet e.g, Fail2ban
- Dependency Problem - puppetlabs-stdlib HOT 1
- add support for debian based OS
- Proposal: Archive this module HOT 1
- [4.5.1] detect and filter overlapped IP's on firewalld_ipset HOT 6
- [5.0.0] icmp_block_inversion setting for zone is unkown. HOT 3
- firewalld::zone purge_ports not purging unmanaged by puppet permanent ports
- firewalld_zone doesn't autorequire consumed firewalld_ipset elements
- Server Error: no parameter named 'icmp_block_inversion' HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from puppet-firewalld.