Comments (11)

crayfishx commented on September 27, 2024

An easier (and more backwards compatible) fix will be just to reintroduce the chaining dependencies from init.pp that we dropped in 3.0.0; I can do that tomorrow, as it's a minor bug fix.

from puppet-firewalld.

ntlug commented on September 27, 2024

After manually doing a firewalld restart (yes, I even did the full restart)... I see the entries via iptables -L -n, but still can't connect. I'm comparing with our reference (non-puppeted) box, and iptables -L -n matches exactly and zones/public.xml looks the same.... sigh... but the reference box firewall allows the connection, and our puppeted box does not (sigh). We'll keep looking. But still, it didn't seem to do the reload on its own; we forced it.

allen00se commented on September 27, 2024

What I have noticed is that the reload isn't enough. I created a service with this puppet module and the config shows up in /etc/firewalld/service/"name of service".xml. At that point I can do a reload or restart and the config still won't take effect. I have to run

firewall-cmd --permanent --add-service="name of service"
firewall-cmd --reload

in order for the config to actually go into effect.

gothicx commented on September 27, 2024

Are you using the latest version of the module? I'm using RHEL7 and I don't have any issues.

https://github.com/gothicx/puppet-firewalld/blob/master/lib/puppet/provider/firewalld_service/firewall_cmd.rb

The code here shows that it's doing a --permanent and a reload afterwards, so you should not have issues.

BrandonIngalls commented on September 27, 2024

In testing the latest version 3.0.1 I have been running into this issue with rich rules as well.

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# puppet apply --parser future -e 'include lab_roles::lab_machine'
Notice: Compiled catalog for blingall-72-2.local in environment production in 2.40 seconds
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - tcp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - tcp]/ensure: created
Notice: Finished catalog run in 10.63 seconds

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <rule family="ipv4">
    <source address="10.0.0.0/8"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.55.0/23"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="rpc-bind"/>
    <accept/>
  </rule>
</zone>

Once I issue firewall-cmd --reload the firewall rules are applied.

[root@blingall-72-2 firewalld]# cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 7.2 (Maipo)

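The symptom in allen00se's comment and in the before/after listings just above is the same: the rule is written to the permanent configuration on disk, but the runtime firewall that actually filters packets does not have it until `firewall-cmd --reload` runs. The script below is an added example, not code from this thread or from puppet-firewalld: it normalises two `firewall-cmd --list-all` dumps (runtime and `--permanent`) for one zone and reports entries present in only one of them. The two sample dumps are constructed, modelled on the output posted above; `RUNTIME_SAMPLE`, `PERMANENT_SAMPLE` and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread or from puppet-firewalld.
# Detects drift between firewalld's runtime and permanent configuration for
# one zone: entries that are on disk but not enforced (the symptom in this
# thread, cleared by `firewall-cmd --reload`) and entries that are enforced
# but not on disk (which the next reload will silently drop).

# Turn one `firewall-cmd --list-all` dump into one "key: item" line per item,
# sorted, so that two dumps can be compared regardless of item ordering.
normalise_list_all() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # zone header, e.g. "public (default, active)"
        /^[ \t]*[a-z][a-z -]*:/ {        # key line, e.g. "  services: ssh dhcpv6-client"
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            n = split(val, items, " ")   # single-line keys hold space-separated items
            for (i = 1; i <= n; i++) print key ": " items[i]
            next
        }
        /^[ \t]+[^ \t]/ {                # continuation line under the last key (rich rules)
            line = $0; sub(/^[ \t]+/, "", line)
            print key ": " line
        }
    ' | LC_ALL=C sort
}

# Compare a runtime dump ($1) with a permanent dump ($2). Prints one line per
# difference, sorted, and returns 1 when there is drift, 0 when they agree.
firewalld_drift() {
    _drift_out=$( {
        normalise_list_all "$1" | sed 's/^/R /'
        normalise_list_all "$2" | sed 's/^/P /'
    } | awk '
        BEGIN { bad = 0 }
        $1 == "R" { runtime[substr($0, 3)] = 1; next }
        $1 == "P" { permanent[substr($0, 3)] = 1; next }
        END {
            for (k in permanent) if (!(k in runtime))   { print "pending (permanent only): " k; bad = 1 }
            for (k in runtime)   if (!(k in permanent)) { print "stale (runtime only): " k;     bad = 1 }
            exit bad
        }
    ' )
    _drift_status=$?
    [ -n "$_drift_out" ] && printf '%s\n' "$_drift_out" | LC_ALL=C sort
    return $_drift_status
}

# Constructed sample dumps, modelled on the output posted in this thread:
# puppet has written a second rich rule to the permanent configuration, and
# 5555/tcp was opened at runtime only (firewall-cmd without --permanent).
RUNTIME_SAMPLE='public (default, active)
  interfaces: eth0
  sources: 
  services: ssh
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'

PERMANENT_SAMPLE='public (default, active)
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/24" accept'

# Stand-alone run on the samples. On a real host (assumption: firewall-cmd on
# PATH) pass "$(firewall-cmd --zone=public --list-all)" and
# "$(firewall-cmd --permanent --zone=public --list-all)" instead.
firewalld_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" \
    || echo "drift detected: run 'firewall-cmd --reload' to enforce the pending entries"
```

Entries reported as pending are exactly what the module wrote without triggering the reload exec; entries reported as stale are runtime-only changes that will vanish at the next reload, which is the opposite surprise. The interfaces key can legitimately differ between the two dumps when NetworkManager assigns interfaces to zones at runtime, so treat that key with care when using the script as a monitoring check.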

crayfishx commented on September 27, 2024

@BrandonIngalls, are you sure you are including the firewall class (include firewalld), or are you just defining firewalld_zone resources from the profile without the base class included? If firewalld is included, it should farm out to the exec to reload the firewall upon change....

crayfishx commented on September 27, 2024

We do have a problem here. We used to do collector syntax chaining to notify the exec to reload firewalld, but now that notify is only valid for resources declared from the class (e.g. from hiera). The short term solution is to make sure you notify Exec['firewalld::reload'] from the resource declaration. I think the best long term fix is to use the autonotify feature in the firewalld_service type (this I can test tomorrow); that would only be valid for puppet 4.0+, though.

crayfishx commented on September 27, 2024

@BrandonIngalls does #70 solve this issue for you?

crayfishx commented on September 27, 2024

I've changed the topic of this issue to reflect the latest discussion, since the older posts were slightly different and fixed in 2.2.

BrandonIngalls commented on September 27, 2024

@crayfishx PR #70 does resolve this issue for me.

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@puppet-firewalld-test firewalld-test]# puppet apply test1.pp
Notice: Compiled catalog for puppet-firewalld-test.local in environment production in 0.91 seconds
Notice: /Stage[main]/Main/Firewalld_rich_rule[Allow IT Access to ALL]/ensure: created
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 2.55 seconds

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.50.55.0/24" accept

crayfishx commented on September 27, 2024

Released in 3.1.0
