Bug 1367691 - Adding host based firewall support to puppet

Status: RESOLVED FIXED (Closed)
Opened 7 years ago, closed 7 years ago
Product / Component: Infrastructure & Operations :: RelOps: Puppet (task)
Tracking: Not tracked
People: Reporter: dragrom, Assigned: dividehex

Attachments (1 file, 1 obsolete file):
  patch, 11.02 KB - dhouse: review+
No description provided.
Updated 7 years ago (Reporter):
  Assignee: relops → dcrisan
  Status: NEW → ASSIGNED
Comment 1 (Reporter, 7 years ago):

We probably need to update the puppet-labs firewall module. We use 0.3.1 now: https://github.com/puppetlabs/puppetlabs-firewall/blob/master/CHANGELOG.md
Comment 2 (Reporter, 7 years ago):

[root@moonshot-test3 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* 000 accept related and established flows */ state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             /* 001 all icmp */
ACCEPT     all  --  anywhere             anywhere             /* 002 local traffic */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports nrpe /* 010 nrpe for monitoring */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh /* 010 ssh for management */
DROP       all  --  anywhere             anywhere             /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  Attachment #8872625 - Flags: review?(jwatkins)
Comment 3 (Reporter, 7 years ago):

I applied your firewall patch to my puppet environment to test my changes.
Comment 4 (Assignee, 7 years ago):

Comment on attachment 8872625 [details] [diff] [review]
Bug_1367691_Adding_host_based_firewall_support.patch

Review of attachment 8872625 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/toplevel/manifests/worker.pp @@ +23,5 @@ > + include firewall > + > + # firewall rules > + # Add basic firewall rules on workers hosts > + include fw

We should not be enabling the fw across the workers (except where it is already in place) just yet. It still needs support for defining source addresses and should also support osx, which is being handled in 1367938.

'include firewall' shouldn't be needed. I suspect the issue we are seeing with the missing packages on 16.04 is simply because the firewall module was out of date and didn't handle the later version packages that had been renamed.
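Review bot: the hunk adds `include fw` unconditionally to modules/toplevel/manifests/worker.pp, so every worker class picks up the wrapper's current default-deny policy (the `999 drop all` rule shown in comment 2) in a single step, with no way to stage the rollout or to confine ssh to defined source addresses first; gating the include behind a class parameter (a default-allow mode, as the follow-up patch in comment 5 describes) would avoid cutting off management access on hosts where the allow rules are incomplete. The adjacent `include firewall` also looks redundant if the fw wrapper already pulls in the module, as comment 4 notes.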
  Attachment #8872625 - Flags: review?(jwatkins) → review-
Comment 5 (Assignee, 7 years ago):

This is a roll up of several fixes to the fw/iptables/pf puppet modules. It does *NOT* enable the firewall anywhere just yet and should have no impact on hosts which are currently using fw/iptables (eg. linux signing). This is all in preparation for rolling out default allow w/ssh/vnc/rdp logging first.

Below is a summarized list of this patch:
* Adds a firewall logging functionality to the fw wrapper
* PF logging daemon
* Fixes pf starting on boot
* Fixes puppet enable_pf exec to be idempotent
* Adds a few more firewall roles w/logging enabled
  Assignee: dcrisan → jwatkins
  Attachment #8872625 - Attachment is obsolete: true
  Attachment #8892249 - Flags: review?(dhouse)
Comment 6:

Comment on attachment 8892249 [details] [diff] [review]

Firewall changes look good. I see this adds:
1. a parameter to switch from default-deny to default-allow
2. a parameter to turn on logging
3. roles "*_logging" for the standard apps, including vnc, that have logging turned on
4. a pflog.sh script, and plugs it in, so that pf can log the same as ipchain

and does not add or turn on the firewall for any nodes yet.

  Attachment #8892249 - Flags: review?(dhouse) → review+
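To show how the default-deny/default-allow switch and the ssh logging described in comments 5 and 6 fit together with the rule set from comment 2, here is an added example written for this page; it is not the patch's or the releng fw wrapper's code. The class and parameter names (fw_example, default_allow, logging, ssh_sources), the sample source network and the log prefix are assumptions, and it assumes puppetlabs-firewall 1.x resource syntax.

```puppet
# Hypothetical wrapper class (example only; names are assumptions, not the fw module's).
class fw_example (
  Boolean       $default_allow = true,            # comment 6, item 1
  Boolean       $logging       = true,            # comment 6, item 2
  Array[String] $ssh_sources   = ['10.0.0.0/8'],  # constructed sample mgmt network
) {
  # Rule names mirror the iptables listing in comment 2; ordering follows the numeric prefix.
  firewall { '000 accept related and established flows':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '001 all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '002 local traffic':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '010 nrpe for monitoring':
    proto  => 'tcp',
    dport  => 5666,    # nrpe, numeric instead of the /etc/services name
    action => 'accept',
  }
  # ssh is only accepted from defined source addresses (the gap noted in comment 4).
  $ssh_sources.each |String $src| {
    firewall { "010 ssh for management from ${src}":
      proto  => 'tcp',
      dport  => 22,
      source => $src,
      action => 'accept',
    }
  }
  # Logging of new ssh connections is independent of the default policy, so it can
  # run in default-allow mode first, as comment 5 plans.
  if $logging {
    firewall { '998 log new ssh':
      proto      => 'tcp',
      dport      => 22,
      state      => 'NEW',
      jump       => 'LOG',
      log_prefix => 'fw-ssh: ',   # assumed prefix
      log_level  => 'info',
    }
  }
  # The catch-all drop only exists in default-deny mode.
  unless $default_allow {
    firewall { '999 drop all':
      proto  => 'all',
      action => 'drop',
    }
  }
}
```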
Comment 7 (Assignee, 7 years ago):

Host based firewalls for linux and OSX are now supported by firewall modules in releng puppet. Calling this r/f.
  Status: ASSIGNED → RESOLVED
  Closed: 7 years ago
  Resolution: --- → FIXED