Comments (6)
Are you including the firewalld base class? The module configures things in permanent mode, so a restart is required to make changes active, though if you are including the firewalld base class these dependencies should already be set up for you.
from puppet-firewalld.
I do yes - above the new firewalld zone config i've got:
class { '::firewalld': }
like this:
class { '::firewalld': }
firewalld_zone { 'newzone':
  ensure           => 'present',
  target           => '%%REJECT%%',
  purge_rich_rules => true,
  purge_services   => true,
  purge_ports      => true,
  interfaces       => ['eth0'],
}
Can you paste the output of the puppet run when it first sets up the zone? It should restart the firewalld service for you
It does do its job on the first run. Output below, with lots of obfuscated internal IP addresses and names:
puppet agent -tv
Info: Using configured environment 'development'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for <removed>
Info: Applying configuration version 'ae90abfe015a2b88f8bfd3496d3e33aec725e4ed'
Notice: /Stage[main]/Firewalld/Package[firewalld]/ensure: created
Info: /Stage[main]/Firewalld/Package[firewalld]: Scheduling refresh of Service[firewalld]
Notice: /Stage[main]/Firewalld/Service[firewalld]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Firewalld/Service[firewalld]: Unscheduling refresh on Service[firewalld]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_zone[custom]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_zone[allowed]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add SSH to custom zone]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add SSH to custom zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from anywhere]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from anywhere]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept something from server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[nrpe custom service]/File[/etc/firewalld/services/customservice.xml]/ensure: defined content as '{md5}92d7eb3544bca905b3d9a2452fb7f504'
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[service custom service]/File[/etc/firewalld/services/custom.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-service custom service]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld::Custom_service[nrpe custom service]/Exec[firewalld::custom_service::reload-service custom service]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add service to custom zone]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_service[Add service to custom zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Base::Hardening::Firewalld/Firewalld_rich_rule[Accept service from monitoring server ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[autosys]/File[/etc/firewalld/services/autosys.xml]/ensure: defined content as '{md5}4e1bebe6dfeef32be1b4e4a019d356d3'
Info: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[autosys]/File[/etc/firewalld/services/autosys.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-autosys]
Notice: /Stage[main]/Profiles::Autosys/Firewalld::Custom_service[service]/Exec[firewalld::custom_service::reload-autosys]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Autosys/Firewalld_service[Add service Ports to Zone]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_service[Add service Ports to Zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service from ipaddress]/ensure: created
Info: /Stage[main]/Profiles::Autosys/Firewalld_rich_rule[Rich Rule For service2 from ipaddress]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[service]/File[/etc/firewalld/services/service.xml]/ensure: defined content as '{md5}2476179fcc5713a16c9e8cf79819a105'
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[apache]/File[/etc/firewalld/services/service.xml]: Scheduling refresh of Exec[firewalld::custom_service::reload-service]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld::Custom_service[<service>]/Exec[firewalld::custom_service::reload-apache]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_service[Add <service> Ports to Zone]/ensure: created
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_service[Add <service> Ports to Zone]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_rich_rule[Rich Rule For <service> Access from everywhere]/ensure: created
Info: /Stage[main]/Profiles::Apache::Firewalld/Firewalld_rich_rule[Rich Rule For <service> Access from everywhere]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 16 events
Notice: Applied catalog in 50.46 seconds
# firewall-cmd --get-active-zones
customzone
interfaces: eth0
So far so good: Puppet does its job. But reboot the server and:
# shutdown -r now
Connection to <agentname> closed by remote host.
Connection to <agentname> closed.
# ssh <agentname>
# firewall-cmd --get-active-zones
public #### (BUT I HAVEN'T CONFIGURED A PUBLIC ZONE, HENCE NOTHING WORKS!!)
interfaces: eth0 eth1
[root@whyluaap115 ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@whyluaap115 ~]# firewall-cmd --get-active-zones
customzone #### (THAT'S BETTER!)
interfaces: eth0
To be honest I'm emailing you, but I'm veering towards it being more a problem for Red Hat.
@rgill3003 Any update on this? It sounds like a strange Red Hat issue, but I don't want to close this ticket without a bit more info....
thx
Just stumbled across this issue... I think this discussion may be helpful here. Although the firewalld man page states that firewalld tries to change the ZONE setting in the /etc/sysconfig/network-scripts/ifcfg-* file, it does not appear to be doing so. It may be a bug in that program, but you may still be able to account for it in your module if you think it's a good idea.
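The last comment points at the ZONE= key in the ifcfg file as the piece that is not being updated. The following is an added example, not code from puppet-firewalld or from anyone in this thread, of a small POSIX shell audit-and-fix for that key. It assumes the RHEL 7 convention that NetworkManager binds an interface at boot to the zone named by ZONE= in /etc/sysconfig/network-scripts/ifcfg-<iface>, so a zone that only lives in /etc/firewalld/zones/<zone>.xml is lost on reboot exactly as shown above. The function names, the sample ifcfg content and the temporary directory are the example's own.

```shell
#!/bin/sh
# Added example (not from puppet-firewalld): audit and fix the ZONE= key
# in an ifcfg file so the interface-to-zone binding survives a reboot.
# Assumption: NetworkManager reads ZONE= from the ifcfg file at boot.

# Print the ZONE value of an ifcfg file, stripped of quotes; empty if unset.
# Takes the last ZONE= line if there are several, like a shell would.
ifcfg_zone() {
    file="$1"
    [ -r "$file" ] || return 1
    grep '^[[:space:]]*ZONE=' "$file" | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# Idempotently set ZONE=<zone>: replace an existing ZONE= line or append one.
# Prints "changed" or "unchanged". Zone names are short alphanumerics, so
# the sed replacement needs no escaping.
ifcfg_set_zone() {
    file="$1"
    zone="$2"
    current=$(ifcfg_zone "$file") || current=""
    if [ "$current" = "$zone" ]; then
        echo unchanged
        return 0
    fi
    if grep -q '^[[:space:]]*ZONE=' "$file"; then
        tmp="$file.tmp.$$"
        sed "s/^[[:space:]]*ZONE=.*/ZONE=$zone/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
    echo changed
}

# Exit 0 if the ifcfg file already names the expected zone, 1 otherwise.
# On a live host, compare this with the permanent firewalld view:
#   firewall-cmd --permanent --get-zone-of-interface=eth0
# A mismatch is the state the thread above describes after a reboot.
ifcfg_zone_matches() {
    [ "$(ifcfg_zone "$1")" = "$2" ]
}

# Demonstration on a constructed ifcfg file (not a real host's config).
demo() {
    d=$(mktemp -d)
    f="$d/ifcfg-eth0"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\nZONE="public"\n' > "$f"
    echo "before: ZONE=$(ifcfg_zone "$f")"
    if ifcfg_zone_matches "$f" customzone; then
        echo "eth0 already bound to customzone"
    else
        echo "eth0 is not bound to customzone: $(ifcfg_set_zone "$f" customzone)"
    fi
    echo "after:  ZONE=$(ifcfg_zone "$f")"
    echo "rerun:  $(ifcfg_set_zone "$f" customzone)"
    rm -rf "$d"
}

demo
```

In Puppet terms the same job could be done by managing that one line of the ifcfg file (for example with a file_line resource from puppetlabs-stdlib) alongside the firewalld_zone resource, and notifying the firewalld reload from it; whether the module itself should do that is the question the comment above raises.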