Comments (11)
An easier (and more backwards compatible) fix will be just to reintroduce the chaining dependencies from init.pp that we dropped in 3.0.0, I can do that tomorrow as it's a minor bug fix
After manually doing a firewalld restart (yes, I even did the full restart)... I see the entries via iptables -L -n, but still can't connect. I'm comparing with our reference (non-puppeted) box and iptables -L -n matches exactly and zones/public.xml look the same.... sigh... but the reference box firewall allows the connection, and our puppeted box does not (sigh). We'll keep looking. But still, didn't seem to do the reload on its own, we forced it.
What I have noticed is that the reload isn't enough. I created a service with this puppet module and the config shows up in /etc/firewalld/service/"name of service".xml. At that point I can do a reload or restart and the config still won't take effect. I have to run
firewall-cmd --permanent --add-service="name of service"
firewall-cmd --reload
in order for the config to actually go into effect.
Are you using the latest version of the module? I'm using RHEL7 and I don't have any issues.
The code here shows that it's doing a --permanent and a reload afterwards, so you should not have issues.
In testing the latest version 3.0.1 I have been running into this issue with rich rules as well.
[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
interfaces: enp0s3
sources:
services:
ports: 5555/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
rule family="ipv4" source address="10.50.55.0/23" accept
rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept
[root@blingall-72-2 firewalld]# puppet apply --parser future -e 'include lab_roles::lab_machine'
Notice: Compiled catalog for blingall-72-2.local in environment production in 2.40 seconds
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - tcp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - tcp]/ensure: created
Notice: Finished catalog run in 10.63 seconds
[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
interfaces: enp0s3
sources:
services:
ports: 5555/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
rule family="ipv4" source address="10.50.55.0/23" accept
rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept
[root@blingall-72-2 firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<rule family="ipv4">
<source address="10.0.0.0/8"/>
<service name="ssh"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="1025-65535"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.50.50.0/16"/>
<port protocol="tcp" port="1025-65535"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.0.0/16"/>
<service name="ssh"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.50.50.0/16"/>
<port protocol="udp" port="1025-65535"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="udp" port="1025-65535"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.50.50.0/16"/>
<service name="ssh"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.50.55.0/23"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.50.50.0/16"/>
<service name="rpc-bind"/>
<accept/>
</rule>
</zone>
Once I issue firewall-cmd --reload the firewall rules are applied.
[root@blingall-72-2 firewalld]# cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 7.2 (Maipo)
@BrandonIngalls are you sure you are including the firewall class (include firewalld) or are you just defining firewalld_zone resources from the profile without the base class included? If firewalld is included it should farm out to the exec to reload the firewall upon change....
We do have a problem here, we used to do collector syntax chaining to notify the exec to reload firewalld but now that notify is only valid for resources declared from the class (e.g. from hiera). The short term solution is to make sure you notify Exec['firewalld::reload'] from the resource declaration. I think the best long term fix is to use the autonotify feature in the firewalld_service type (this I can test tomorrow), that would only be valid for puppet 4.0+ though
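The short-term fix described in the comment above, as an added example manifest (not code from this thread or from the puppet-firewalld module itself): the base class is included so that Exec['firewalld::reload'] exists in the catalog, and each rich rule notifies it explicitly. The rule title and source range are taken from the later test run in this thread; the firewalld_rich_rule parameter names (zone, family, source, action) are assumed from the module's 3.x type.

```puppet
# Added example, not from the thread. Assumes puppet-firewalld 3.x parameter
# names for firewalld_rich_rule (zone, family, source, action).

# Declaring the base class puts Exec['firewalld::reload'] into the catalog.
# Without it there is nothing to notify: the permanent XML in
# /etc/firewalld/zones/ is written, but the running firewall is never reloaded.
include firewalld

firewalld_rich_rule { 'Allow IT Access to ALL':
  ensure => present,
  zone   => 'public',
  family => 'ipv4',
  source => '10.50.55.0/24',   # range used in the later test run
  action => 'accept',
  # Short-term fix from the thread: notify the reload exec from the
  # resource declaration so the runtime rules match the permanent config.
  notify => Exec['firewalld::reload'],
}

# When a profile declares many rules, a resource default in the same scope
# attaches the notify to every firewalld_rich_rule declared below it.
Firewalld_rich_rule {
  notify => Exec['firewalld::reload'],
}

firewalld_rich_rule { 'Allow ssh from 10/8':
  ensure  => present,
  zone    => 'public',
  family  => 'ipv4',
  source  => '10.0.0.0/8',   # constructed sample range
  service => 'ssh',
  action  => 'accept',
}
```

After a run, comparing `firewall-cmd --list-rich-rules` with `firewall-cmd --permanent --list-rich-rules` shows whether the reload actually happened; a rule present only in the permanent output is the symptom reported in this thread.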
@BrandonIngalls does #70 solve this issue for you?
I've changed the topic of this issue to reflect the latest discussion, since the older posts were slightly different and fixed in 2.2
@crayfishx PR #70 does resolve this issue for me.
[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@puppet-firewalld-test firewalld-test]# puppet apply test1.pp
Notice: Compiled catalog for puppet-firewalld-test.local in environment production in 0.91 seconds
Notice: /Stage[main]/Main/Firewalld_rich_rule[Allow IT Access to ALL]/ensure: created
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 2.55 seconds
[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.50.55.0/24" accept
Released in 3.1.0