
firewalld-cookbook's Issues

Feature: Zone management

As a firewalld user
I want to be able to manage zones
for complex setups and multiple interfaces

e.g. two ethernet devices: I want to manage the devices that are in the zones "public" and "internal" and/or create a new custom zone.

firewalld_rich_rule added protocol when using service_name, Causes error

We added the following rule in a cookbook using the firewalld_rich_rule resource:

firewalld_rich_rule 'ssh' do
  zone 'public'
  family 'ipv4'
  source_address '10.0.0.0/16'
  service_name 'ssh'
  firewall_action "accept"
  action :add
end

However when running the above via chef-client we are getting the following error:

STDERR: Error: INVALID_RULE: more than one element. There cannot be both 'protocol' and 'service name="ssh"' in one rule.
Error: INVALID_RULE: more than one element. There cannot be both 'protocol' and 'service name="ssh"' in one rule.
---- End output of     firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='10.0.0.0/16' service name='ssh' protocol value='tcp' accept"
    firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='10.0.0.0/16' service name='ssh' protocol value='tcp' accept"

I did notice that a default is set here --> https://github.com/sjsadowski/firewalld-cookbook/blob/master/resources/rich_rule.rb

which I think is the cause. However, I'm not sure whether this default is set here to prevent other issues. I suspect it is there to allow a default for when port_number is used, but it was not intended to conflict in this way. So, if this is the cause, I guess a method needs to be in place to take a default only if port_number is used.

The limit description is deceptive

The limit directive in firewalld can either be used to limit logging - or - to limit matches.
The default in resources/rich_rule.rb disables logging, but enables the limit.
This results in rules like:

-A IN_admin_allow -p tcp -m tcp --dport 5666 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT

Not quite what I was expecting.
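As an added example (not code from the cookbook), here is a rich-rule builder that addresses both reports above: it only emits the protocol element when port_number is set, refuses service_name together with port_number, and only emits limit when explicitly requested. Function and parameter names are assumptions.

```ruby
# Builds a firewalld rich rule string from resource-style attributes.
# Added example with assumed names; not the cookbook's rich_rule.rb.
def build_rich_rule(family: 'ipv4', source_address: nil, service_name: nil,
                    port_number: nil, port_protocol: 'tcp',
                    firewall_action: 'accept', log: false, limit: nil)
  # A rich rule carries at most one element (service OR port); firewalld
  # rejects both with "more than one element", so fail before firewall-cmd does.
  if service_name && port_number
    raise ArgumentError, 'service_name and port_number are mutually exclusive'
  end

  parts = ["rule family='#{family}'"]
  parts << "source address='#{source_address}'" if source_address
  parts << "service name='#{service_name}'" if service_name
  # The protocol default only matters here, attached to the port element.
  # Ruby note: write `a && !b`, never `a && not b`; the latter is the
  # "unexpected tIDENTIFIER, expecting '('" syntax error.
  parts << "port port='#{port_number}' protocol='#{port_protocol}'" if port_number
  if log
    parts << 'log'
    parts << "limit value='#{limit}'" if limit # limit attached to the log element
  elsif limit
    parts << "limit value='#{limit}'"          # standalone limit rate-limits matches
  end
  parts << firewall_action
  parts.join(' ')
end
```

Because limit is nil by default, a rule such as the 5666/tcp one above gets no `-m limit` unless the recipe asks for it.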

Support for Debian & Ubuntu

At least Ubuntu 14.04+ has a firewalld package. It would be nice to use FirewallD as a new industry standard on as many distros as possible.

FirewallD packages in official distros:

Debian:

  • Jessie (8.0) 0.3.12

Ubuntu:

  • trusty (14.04LTS) 0.3.7
  • utopic (14.10) 0.3.10
  • vivid (15.05) 0.3.12

Time out on Guard resource when launched from autoscale group in AWS on centos 7

I'm trying to get an AMI with a recent chef converge to re-converge from an autoscale group with a user-data script. I've been able to converge an instance already running without incident. I'm getting an indefinite timeout when I run the converge from the user-data script. This is what's logged:

[2015-04-23T17:20:47+00:00] INFO: Processing firewalld_port[8300/tcp] action add (discogs-base::default line 65)
[2015-04-23T17:20:47+00:00] INFO: Processing execute[add port 8300/tcp to zone] action run (/var/chef/cache/cookbooks/firewalld/providers/port.rb line 8)
[2015-04-23T17:20:47+00:00] INFO: Processing execute[Guard resource] action run (dynamically defined)

I tried adding a "sleep 60" prior to the converge, but it doesn't help.

tag releases

Hi,

Could you please tag the releases that are on Supermarket on GitHub as well? It's a bit hard to debug without them.

Thanks!

Add support for pkt-type extensions (broadcast/unicast/multicast)

All in all this is a great cookbook and well documented, and has eased my firewall rollout on RHEL7. However I have some boxes that subscribe to multicasts which can be configured manually like this:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m state --state NEW -m udp -p udp -m pkttype --pkt-type multicast -d 229.1.0.10 -s 10.1.100.25 -j ACCEPT

However there doesn't seem to be any way that I can see to accomplish this with this cookbook. Is this something that can be added in a future version? I'd try it myself but I am not very strong with LWRPs yet.

Timeout error during initial chef-client run in AWS Centos 7 image

I get a timeout error in AWS in the initial chef-client run while building a new server. Any ideas?

While chef-client was waiting on the command, I was able to run it manually:

[root@ip-10-42-110-240 centos]# firewall-cmd --permanent  --query-service=http
no
[root@ip-10-42-110-240 centos]# firewall-cmd --permanent  --add-service=http
success
[root@ip-10-42-110-240 centos]# firewall-cmd --permanent  --query-service=http
yes

Here is the log.

Log:

[2015-04-03T17:36:58+00:00] INFO: Processing package[firewalld] action install (firewalld::default line 7)
[2015-04-03T17:36:59+00:00] INFO: package[firewalld] installing firewalld-0.3.9-11.el7 from base repository
[2015-04-03T17:37:16+00:00] INFO: Processing service[firewalld] action enable (firewalld::default line 9)
[2015-04-03T17:37:16+00:00] INFO: Processing service[firewalld] action start (firewalld::default line 9)
[2015-04-03T17:37:16+00:00] INFO: service[firewalld] started
[2015-04-03T17:37:16+00:00] INFO: Processing firewalld_port[8000/tcp] action add (app-ca-ppp::app line 12)
[2015-04-03T17:37:16+00:00] INFO: Processing execute[add port 8000/tcp to zone] action run (/var/chef/cache/cookbooks/firewalld/providers/port.rb line 8)

================================================================================
Error executing action `run` on resource 'execute[add port 8000/tcp to zone]'
================================================================================

Mixlib::ShellOut::CommandTimeout
--------------------------------
Command timed out after 600s:
Command exceeded allowed execution time, process terminated
---- Begin output of firewall-cmd --permanent  --query-port=8000/tcp ----
STDOUT: 
STDERR: ERROR:dbus.proxies:Introspect error on :1.7:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
---- End output of firewall-cmd --permanent  --query-port=8000/tcp ----
Ran firewall-cmd --permanent  --query-port=8000/tcp returned 

Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/firewalld/providers/port.rb

  8:   e = execute "add port #{new_resource.port} to zone" do
  9:     not_if "firewall-cmd --permanent #{zone} --query-port=#{new_resource.port}"
 10:     command(<<-EOC)
 11:       firewall-cmd #{zone} --add-port=#{new_resource.port}
 12:       firewall-cmd --permanent #{zone} --add-port=#{new_resource.port}
 13:     EOC
 14:   end
 15:   new_resource.updated_by_last_action(e.updated_by_last_action?)

Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/firewalld/providers/port.rb:8:in `block in class_from_file'

execute("add port 8000/tcp to zone") do
  action "run"
  retries 0
  retry_delay 2
  guard_interpreter :default
  command "      firewall-cmd  --add-port=8000/tcp\n      firewall-cmd --permanent  --add-port=8000/tcp\n"
  backup 5
  returns 0
  cookbook_name "app-ca-ppp"
  not_if "firewall-cmd --permanent  --query-port=8000/tcp"
end

[2015-04-03T17:47:27+00:00] INFO: Running queued delayed notifications before re-raising exception

multiple bats tests fail

✗ interface eth0 was added to permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 5)
`[ "$status" -eq 0 ]' failed

✓ interface eth0 was added to runtime config
✓ interface eth1 was removed from permanent config
✓ interface eth1 was removed from runtime config
✗ interface eth2 was not removed from permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 25)
`[ "$status" -eq 0 ]' failed

✗ interface eth2 was not removed from runtime config
(in test file /tmp/verifier/suites/bats/default.bats, line 30)
`[ "$status" -eq 0 ]' failed

✓ port 993/tcp was added to permanent config
✓ port 993/tcp was added to runtime config
✓ port 1001/tcp was removed from runtime config
✓ port 1001/tcp was removed from permanent config
✓ port 1002/tcp was not removed from runtime config
✓ port 1002/tcp was not removed from permanent config
✓ service http was added to permanent config
✓ service http was added to runtime config
✓ service telnet was removed from runtime config
✓ service telnet was removed from permanent config
✗ source 192.168.0.0/24 was added to permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 85)
`[ "$status" -eq 0 ]' failed

✗ source 192.168.0.0/24 was added to runtime config
(in test file /tmp/verifier/suites/bats/default.bats, line 90)
`[ "$status" -eq 0 ]' failed

✓ source 192.168.1.0/24 was removed from permanent config
✓ source 192.168.1.0/24 was removed from runtime config
✗ source 192.168.2.0/24 was not removed from permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 105)
`[ "$status" -eq 0 ]' failed

✗ source 192.168.2.0/24 was not removed from runtime config
(in test file /tmp/verifier/suites/bats/default.bats, line 110)
`[ "$status" -eq 0 ]' failed

✗ zone zone1 was added to permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 115)
`[ "$status" -eq 0 ]' failed

✗ zone zone1 was added to runtime config
(in test file /tmp/verifier/suites/bats/default.bats, line 120)
`[ "$status" -eq 0 ]' failed

✓ zone zone2 was removed from permanent config
✓ zone zone2 was removed from runtime config
✗ zone zone3 was not removed from permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 135)
`[ "$status" -eq 0 ]' failed

✗ zone zone3 was not removed from runtime config
(in test file /tmp/verifier/suites/bats/default.bats, line 140)
`[ "$status" -eq 0 ]' failed

✓ masquerade was added to public zone for runtime config
✓ masquerade was added to public zone for permanent config
✓ masquerade was removed from public zone for runtime config
✓ masquerade was removed from public zone for permanent config
✗ port 443 was added as a forward port
(in test file /tmp/verifier/suites/bats/default.bats, line 165)
`[ "$status" -eq 0 ]' failed

✗ port 443 was added as a forward port for permanent config
(in test file /tmp/verifier/suites/bats/default.bats, line 170)
`[ "$status" -eq 0 ]' failed

Adding iptable rules using firewalld_rich_rule

This is my previous code and I want to modify it using firewalld. We used firewalld because we are using centos 7.2.

%w(all_established all_icmp prefix postfix).each do |rule|
  iptables_rule rule do
    action :enable
  end
end

How can I implement it again using firewalld?

firewall-cmd hang on CentOS 7 w/SELinux

On a CentOS7 system w/SELinux enabled, where chef is invoked via cloud-init, commands such as firewall-cmd --zone=public --add-port=80/tcp hang and are being denied by SELinux with:

type=USER_AVC msg=audit(1439827431.885:704): pid=563 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=553 tpid=3047 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Adding a selinux policy of the following allows bootstrapping to complete:

module firewalld-dbus 1.0;

require {
  type firewalld_var_run_t;
  type cloud_init_t;
  type firewalld_t;
  type root_t;
  class dbus send_msg;
}

allow firewalld_t cloud_init_t:dbus send_msg;

Errors when using the port forward resource

Error appeared when using the port forward resource. It looks like there's an extraneous double quote in the provider forward.rb

           ================================================================================
           Error executing action `add` on resource 'firewalld_forward[514_to_5514]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           execute[add forward port 514:udp => 5514 ] (/tmp/kitchen/cache/cookbooks/firewalld/providers/forward.rb line 10) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '106'
           ---- Begin output of         firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            ----
           STDOUT:
           STDERR: Error: INVALID_FORWARD: invalid forward port arg 'toport=5514
            firewall-cmd --permanent --zone=public --add-forward-port=port=514'
           ---- End output of         firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            ----
           Ran         firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
            returned 106

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/logstash/recipes/default.rb

            20: firewalld_forward '514_to_5514' do
            21:   port 514
            22:   to_port 5514
            23:   protocol :udp
            24:   zone 'public'
            25: end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/logstash/recipes/default.rb:20:in `from_file'

           firewalld_forward("514_to_5514") do
             action [:add]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :firewalld_forward
             cookbook_name "logstash"
             recipe_name "default"
             port 514
             to_port 5514
             protocol :udp
             zone "public"
           end
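As an added example (not the cookbook's forward.rb), this builds the forward-port spec and the two firewall-cmd invocations as argv arrays, which Chef's execute resource accepts and runs without a shell, so no hand-typed quote can leak into an argument. It also includes a small diagnostic that reproduces the merged-argument symptom above from a constructed copy of the buggy command. Names are assumptions.

```ruby
require 'shellwords'

# Validate and assemble the port=...:proto=...[:toport=...][:toaddr=...] spec.
# Added example with assumed names; not the cookbook's provider code.
def forward_port_spec(port:, protocol:, to_port: nil, to_addr: nil)
  raise ArgumentError, 'port must be 1..65535' unless (1..65535).cover?(port.to_i)
  raise ArgumentError, 'protocol must be tcp or udp' unless %w[tcp udp].include?(protocol.to_s)
  raise ArgumentError, 'need to_port and/or to_addr' if to_port.nil? && to_addr.nil?
  spec = "port=#{port}:proto=#{protocol}"
  spec += ":toport=#{to_port}" if to_port
  spec += ":toaddr=#{to_addr}" if to_addr
  spec
end

# Runtime and permanent invocations as argv arrays: no shell, no quoting.
def forward_port_argvs(zone:, **spec_args)
  spec = forward_port_spec(**spec_args)
  [
    ['firewall-cmd', "--zone=#{zone}", "--add-forward-port=#{spec}"],
    ['firewall-cmd', '--permanent', "--zone=#{zone}", "--add-forward-port=#{spec}"]
  ]
end

# Diagnostic for a shell-string command such as the provider's heredoc: split it
# as the shell would and return any argument that swallowed a newline, which is
# the signature of an unbalanced quote merging two commands into one argument.
def merged_args(shell_string)
  Shellwords.split(shell_string).select { |arg| arg.include?("\n") }
end

# Constructed reproduction of the command from the issue, stray quotes included.
BUGGY_COMMAND = "firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514\"\n" \
                "firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514\"\n"
```

Running `merged_args(BUGGY_COMMAND)` yields one argument that starts with the first `--add-forward-port` value and contains the entire second command line, matching the INVALID_FORWARD message above.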

1.2.0 tag is failing to compile for Chef 12

v1.1.5...v1.2.0

https://github.com/sjsadowski/firewalld-cookbook/blob/v1.2.0/providers/rich_rule.rb#L42

================================================================================
Recipe Compile Error in /var/chef/cache/cookbooks/firewalld/providers/rich_rule.rb
================================================================================

SyntaxError
-----------
/var/chef/cache/cookbooks/firewalld/providers/rich_rule.rb:42: syntax error, unexpected tIDENTIFIER, expecting '('
...rt_protocol && not new_resource.port_number
...                               ^

System Info:
------------
chef_version=12.22.5
platform=oracle
platform_version=7.7
ruby=ruby 2.3.6p384 (2017-12-14 revision 61254) [x86_64-linux]
program_name=chef-client worker: ppid=24379;start=17:26:04;
executable=/opt/chef/bin/chef-client

I can deploy with 1.1.5 just fine. But, 1.2.0, which was created 4 hours ago causes issues.

Feature request : Add support for --add-forward-port

It'd be nice if this cookbook supported the --add-forward-port function of firewall-cmd. It looks like it could be implemented in much the same way as the existing options are using --add-forward-port to make the change and --list-forward-ports to check for the change.

Feature request: provide LWRP for custom services

It would be nice if this cookbook could create and manage custom service definitions in /etc/firewalld/services via an LWRP.
It looks like it should be a matter of rendering a template and notifying firewalld to reload.

HowTo Change Interface for a zone

I see references to resources around firewall-cmd but I don't see any attributes for interface. How could I replicate this command using this cookbook:

firewall-cmd --permanent --zone=trusted --change-interface=docker0

cookbook stagnated?

@rigrassm, there is a slew of pull requests to fix bugs right now, and some outstanding issues.

If no one is bothering to curate this, would you mind turning it over to someone who will? I'm volunteering, as I have a vested interest in this for my environment.
