sjsadowski / firewalld-cookbook
Chef recipe to manage Linux firewalld ports
Home Page: https://supermarket.chef.io/cookbooks/firewalld
License: Apache License 2.0
As a firewalld user
I want to be able to manage zones
for complex setups and multiple interfaces
e.g. two ethernet devices: I want to manage the devices that are in the zones "public" and "internal" and/or create a new custom zone.
keepalived and haproxy need the 'vrrp' protocol, as per: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/s1-lvs-connect-vsa.
The command is:
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept'
This is not a capability of firewalld cookbook.
We added the following rule in a cookbook using the firewalld_rich_rule resource:
firewalld_rich_rule 'ssh' do
zone 'public'
family 'ipv4'
source_address '10.0.0.0/16'
service_name 'ssh'
firewall_action "accept"
action :add
end
However, when running the above via chef-client we are getting the following error:
STDERR: Error: INVALID_RULE: more than one element. There cannot be both 'protocol' and 'service name="ssh"' in one rule.
Error: INVALID_RULE: more than one element. There cannot be both 'protocol' and 'service name="ssh"' in one rule.
---- End output of firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='10.0.0.0/16' service name='ssh' protocol value='tcp' accept"
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='10.0.0.0/16' service name='ssh' protocol value='tcp' accept"
I did notice that a default is set here --> https://github.com/sjsadowski/firewalld-cookbook/blob/master/resources/rich_rule.rb
which I think is the cause. However, I am not sure if this default is set here to prevent other issues. I suspect it is there to allow a default for when port_number is used, but it is not intended to conflict in this way. So I guess, if this is the cause, that a method needs to be in place to take the default only if port_number is used.
The limit directive in firewalld can either be used to limit logging - or - to limit matches.
The default in resources/rich_rule.rb disables logging, but enables the limit.
This results in rules like:
-A IN_admin_allow -p tcp -m tcp --dport 5666 -m conntrack --ctstate NEW -m limit --limit 1/min -j ACCEPT
Not quite what I was expecting.
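The three rich-rule reports above (the vrrp protocol rule, the "more than one element" rejection, and the rate limit landing on ACCEPT instead of on logging) all come down to how the rich-rule string is assembled. The following is an added example, not code from the firewalld cookbook: it builds a rule the way firewall-cmd's grammar expects, refuses a rule with more than one element, and attaches a limit either to the log directive or to the action. Option and function names are my own.

```ruby
# Added example (not the cookbook's code). Assemble a firewalld rich rule string.
# Enforced here: exactly one element per rule (service | port | protocol), values
# free of quotes and shell metacharacters, and a limit that goes where asked.

SAFE_VALUE = /\A[\w .:\/-]+\z/              # no quotes, semicolons, backticks ...
RATE_LIMIT = %r{\A\d+/[smhd]\z}             # firewalld "rate/duration", e.g. 1/m
ACTIONS    = %w[accept drop reject].freeze

def safe(value)
  v = value.to_s
  raise ArgumentError, "unsafe rich-rule value #{v.inspect}" unless v.match?(SAFE_VALUE)
  v
end

def limit_clause(rate)
  raise ArgumentError, "bad limit #{rate.inspect}" unless rate.to_s.match?(RATE_LIMIT)
  %(limit value="#{rate}")
end

# family:   "ipv4" | "ipv6" | nil         source: address or CIDR, or nil
# service:  service name                  port:   { port: 5666, protocol: "tcp" }
# protocol: bare IP protocol, e.g. "vrrp" (what the vrrp request needs)
# log:      { prefix:, level:, limit: } or nil; a limit here throttles logging only
# action_limit: rate applied to the action itself (this is what yields
#               "-m limit --limit 1/min" on the ACCEPT rule in the report above)
def rich_rule(family: nil, source: nil, service: nil, port: nil, protocol: nil,
              log: nil, action: "accept", action_limit: nil)
  elements = { service: service, port: port, protocol: protocol }.compact
  unless elements.size == 1
    raise ArgumentError, "a rich rule takes exactly one element, got #{elements.keys.inspect}"
  end
  raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)
  unless family.nil? || %w[ipv4 ipv6].include?(family)
    raise ArgumentError, "family must be ipv4 or ipv6"
  end

  parts = ["rule"]
  parts << %(family="#{family}") if family
  parts << %(source address="#{safe(source)}") if source

  case elements.keys.first
  when :service
    parts << %(service name="#{safe(service)}")
  when :port
    # The port element is the only place a transport protocol sits next to a port;
    # it is never a separate "protocol value=..." element beside a service.
    unless %w[tcp udp].include?(port[:protocol].to_s) &&
           port[:port].to_s.match?(/\A\d{1,5}(-\d{1,5})?\z/)
      raise ArgumentError, "port element needs port: and protocol: tcp|udp"
    end
    parts << %(port port="#{port[:port]}" protocol="#{port[:protocol]}")
  when :protocol
    parts << %(protocol value="#{safe(protocol)}")
  end

  if log
    clause = ["log"]
    clause << %(prefix="#{safe(log[:prefix])}") if log[:prefix]
    clause << %(level="#{safe(log[:level])}") if log[:level]
    clause << limit_clause(log[:limit]) if log[:limit]
    parts << clause.join(" ")
  end

  parts << (action_limit ? "#{action} #{limit_clause(action_limit)}" : action)
  parts.join(" ")
end
```

Hand the result to firewall-cmd as a single argv element (`"--add-rich-rule=#{rule}"`) rather than interpolating it into a shell string; the value check above is what keeps a crafted `source_address` from becoming a second command. `rich_rule(protocol: "vrrp")` produces exactly the `rule protocol value="vrrp" accept` rule from the vrrp request, and `rich_rule(port: {port: 5666, protocol: "tcp"}, log: {prefix: "nrpe", limit: "1/m"})` puts the limit on logging, which is what the limit report expected.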
At least Ubuntu 14.04+ has a firewalld package. It would be nice to use FirewallD as a new industry standard on as many distros as possible.
FirewallD packages in official distros:
Debian:
Ubuntu:
I'm trying to get an AMI with a recent chef converge to re-converge from an autoscale group with a user-data script. I've been able to converge an instance already running without incident. I'm getting an indefinite timeout when I run the converge from the user-data script. This is what's logged:
[2015-04-23T17:20:47+00:00] INFO: Processing firewalld_port[8300/tcp] action add (discogs-base::default line 65)
[2015-04-23T17:20:47+00:00] INFO: Processing execute[add port 8300/tcp to zone] action run (/var/chef/cache/cookbooks/firewalld/providers/port.rb line 8)
[2015-04-23T17:20:47+00:00] INFO: Processing execute[Guard resource] action run (dynamically defined)
I tried adding a "sleep 60" prior to the converge, but it doesn't help.
Hi,
could you please tag releases on supermarket also on github? It's a bit hard to debug without…
Thanks!
All in all this is a great cookbook and well documented, and has eased my firewall rollout on RHEL7. However I have some boxes that subscribe to multicasts which can be configured manually like this:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m state --state NEW -m udp -p udp -m pkttype --pkt-type multicast -d 229.1.0.10 -s 10.1.100.25 -j ACCEPT
However there doesn't seem to be any way that I can see to accomplish this with this cookbook. Is this something that can be added in a future version? I'd try it myself but I am not very strong with LWRPs yet.
I get a timeout error in AWS in the initial chef-client run while building a new server. Any ideas ?
While chef-client was waiting to run the command, I was able to run it manually:
[root@ip-10-42-110-240 centos]# firewall-cmd --permanent --query-service=http
no
[root@ip-10-42-110-240 centos]# firewall-cmd --permanent --add-service=http
success
[root@ip-10-42-110-240 centos]# firewall-cmd --permanent --query-service=http
yes
Here is the log:
[2015-04-03T17:36:58+00:00] INFO: Processing package[firewalld] action install (firewalld::default line 7)
[2015-04-03T17:36:59+00:00] INFO: package[firewalld] installing firewalld-0.3.9-11.el7 from base repository
[2015-04-03T17:37:16+00:00] INFO: Processing service[firewalld] action enable (firewalld::default line 9)
[2015-04-03T17:37:16+00:00] INFO: Processing service[firewalld] action start (firewalld::default line 9)
[2015-04-03T17:37:16+00:00] INFO: service[firewalld] started
[2015-04-03T17:37:16+00:00] INFO: Processing firewalld_port[8000/tcp] action add (app-ca-ppp::app line 12)
**[2015-04-03T17:37:16+00:00] INFO: Processing execute[add port 8000/tcp to zone] action run (/var/chef/cache/cookbooks/firewalld/providers/port.rb line 8)**

================================================================================
Error executing action `run` on resource 'execute[add port 8000/tcp to zone]'
================================================================================
Mixlib::ShellOut::CommandTimeout
--------------------------------
Command timed out after 600s:
Command exceeded allowed execution time, process terminated
---- Begin output of firewall-cmd --permanent --query-port=8000/tcp ----
STDOUT:
STDERR: ERROR:dbus.proxies:Introspect error on :1.7:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
---- End output of firewall-cmd --permanent --query-port=8000/tcp ----
Ran firewall-cmd --permanent --query-port=8000/tcp returned
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/firewalld/providers/port.rb

  8: e = execute "add port #{new_resource.port} to zone" do
  9:   not_if "firewall-cmd --permanent #{zone} --query-port=#{new_resource.port}"
 10:   command(<<-EOC)
 11:     firewall-cmd #{zone} --add-port=#{new_resource.port}
 12:     firewall-cmd --permanent #{zone} --add-port=#{new_resource.port}
 13:   EOC
 14: end
 15: new_resource.updated_by_last_action(e.updated_by_last_action?)

Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/firewalld/providers/port.rb:8:in `block in class_from_file'

execute("add port 8000/tcp to zone") do
  action "run"
  retries 0
  retry_delay 2
  guard_interpreter :default
  command " firewall-cmd --add-port=8000/tcp\n firewall-cmd --permanent --add-port=8000/tcp\n"
  backup 5
  returns 0
  cookbook_name "app-ca-ppp"
  not_if "firewall-cmd --permanent --query-port=8000/tcp"
end

[2015-04-03T17:47:27+00:00] INFO: Running queued delayed notifications before re-raising exception
✗ interface eth0 was added to permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 5)
     `[ "$status" -eq 0 ]' failed
✓ interface eth0 was added to runtime config
✓ interface eth1 was removed from permanent config
✓ interface eth1 was removed from runtime config
✗ interface eth2 was not removed from permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 25)
     `[ "$status" -eq 0 ]' failed
✗ interface eth2 was not removed from runtime config
   (in test file /tmp/verifier/suites/bats/default.bats, line 30)
     `[ "$status" -eq 0 ]' failed
✓ port 993/tcp was added to permanent config
✓ port 993/tcp was added to runtime config
✓ port 1001/tcp was removed from runtime config
✓ port 1001/tcp was removed from permanent config
✓ port 1002/tcp was not removed from runtime config
✓ port 1002/tcp was not removed from permanent config
✓ service http was added to permanent config
✓ service http was added to runtime config
✓ service telnet was removed from runtime config
✓ service telnet was removed from permanent config
✗ source 192.168.0.0/24 was added to permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 85)
     `[ "$status" -eq 0 ]' failed
✗ source 192.168.0.0/24 was added to runtime config
   (in test file /tmp/verifier/suites/bats/default.bats, line 90)
     `[ "$status" -eq 0 ]' failed
✓ source 192.168.1.0/24 was removed from permanent config
✓ source 192.168.1.0/24 was removed from runtime config
✗ source 192.168.2.0/24 was not removed from permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 105)
     `[ "$status" -eq 0 ]' failed
✗ source 192.168.2.0/24 was not removed from runtime config
   (in test file /tmp/verifier/suites/bats/default.bats, line 110)
     `[ "$status" -eq 0 ]' failed
✗ zone zone1 was added to permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 115)
     `[ "$status" -eq 0 ]' failed
✗ zone zone1 was added to runtime config
   (in test file /tmp/verifier/suites/bats/default.bats, line 120)
     `[ "$status" -eq 0 ]' failed
✓ zone zone2 was removed from permanent config
✓ zone zone2 was removed from runtime config
✗ zone zone3 was not removed from permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 135)
     `[ "$status" -eq 0 ]' failed
✗ zone zone3 was not removed from runtime config
   (in test file /tmp/verifier/suites/bats/default.bats, line 140)
     `[ "$status" -eq 0 ]' failed
✓ masquerade was added to public zone for runtime config
✓ masquerade was added to public zone for permanent config
✓ masquerade was removed from public zone for runtime config
✓ masquerade was removed from public zone for permanent config
✗ port 443 was added as a forward port
   (in test file /tmp/verifier/suites/bats/default.bats, line 165)
     `[ "$status" -eq 0 ]' failed
✗ port 443 was added as a forward port for permanent config
   (in test file /tmp/verifier/suites/bats/default.bats, line 170)
     `[ "$status" -eq 0 ]' failed
This is my previous code and I want to modify it using firewalld. We used firewalld because we are using CentOS 7.2.
%w(all_established all_icmp prefix postfix).each do |rule|
iptables_rule "#{rule}" do
action :enable
end
end
How can I implement it again using firewalld?
On a CentOS 7 system with SELinux enabled, where chef is invoked via cloud-init, commands such as firewall-cmd --zone=public --add-port=80/tcp hang and are being denied by SELinux with:
type=USER_AVC msg=audit(1439827431.885:704): pid=563 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=553 tpid=3047 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Adding a selinux policy of the following allows bootstrapping to complete:
module firewalld-dbus 1.0;
require {
type firewalld_var_run_t;
type cloud_init_t;
type firewalld_t;
type root_t;
class dbus send_msg;
}
# let firewalld's D-Bus method replies reach processes running in cloud-init's domain
allow firewalld_t cloud_init_t:dbus send_msg;
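The denial above says everything the policy needs: source type firewalld_t, target type cloud_init_t, class dbus, permission send_msg. The following is an added example, not from the report or the cookbook, that derives the narrowest allow rule from such an AVC record and renders a module source like the one above (the manual equivalent of what audit2allow does for this case). SAMPLE_AVC is the record quoted in the report; the function names are my own.

```ruby
# Added example (not the cookbook's code). Parse an AVC denial, emit the one
# allow rule it asks for, and render a policy module source around it.

# The record quoted in the report above, copied verbatim.
SAMPLE_AVC = <<~'AVC'.strip
  type=USER_AVC msg=audit(1439827431.885:704): pid=563 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=553 tpid=3047 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
AVC

Denial = Struct.new(:perms, :source_type, :target_type, :tclass)

# Returns nil for records that are not denials. A context is
# user:role:type[:range], so the type is the third colon-separated field.
def parse_avc(line)
  return nil unless line.include?("avc: denied")
  perms = line[/denied \{ ([^}]+) \}/, 1]&.split
  src   = line[/\bscontext=(\S+)/, 1]
  tgt   = line[/\btcontext=(\S+)/, 1]
  cls   = line[/\btclass=(\S+)/, 1]
  return nil unless perms && src && tgt && cls
  Denial.new(perms, src.split(":")[2], tgt.split(":")[2], cls)
end

def perm_set(perms)
  perms.size == 1 ? perms.first : "{ #{perms.join(' ')} }"
end

# One rule per denial, scoped to exactly the type pair, class and permissions seen.
def allow_rule(d)
  "allow #{d.source_type} #{d.target_type}:#{d.tclass} #{perm_set(d.perms)};"
end

# Only the types and classes the rules reference go into require {}.
def policy_module(name, version, denials)
  raise ArgumentError, "bad module name #{name.inspect}" unless name.match?(/\A[\w-]+\z/)
  types   = denials.flat_map { |d| [d.source_type, d.target_type] }.uniq
  classes = denials.group_by(&:tclass).map do |cls, ds|
    "\tclass #{cls} #{perm_set(ds.flat_map(&:perms).uniq)};"
  end
  lines  = ["module #{name} #{version};", "", "require {"]
  lines += types.map { |t| "\ttype #{t};" }
  lines += classes
  lines += ["}", ""]
  lines += denials.map { |d| allow_rule(d) }
  lines.join("\n") + "\n"
end

# Build and load steps for a .te file of that name (run as root). Returned as
# argv arrays so a caller can pass them to a process spawner without a shell.
def build_and_load_cmds(name)
  [%W[checkmodule -M -m -o #{name}.mod #{name}.te],
   %W[semodule_package -o #{name}.pp -m #{name}.mod],
   %W[semodule -i #{name}.pp]]
end

if __FILE__ == $0
  puts policy_module("firewalld-dbus", "1.0", [parse_avc(SAMPLE_AVC)])
end
```

The module in the report also lists firewalld_var_run_t and root_t in its require block; the single allow rule does not use them, and a generator like this only emits what the rules reference. Keep the allow as narrow as the denial: one type pair, one class, the permissions actually requested, rather than widening cloud_init_t's access to D-Bus in general.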
An error appeared when using the port forward resource. It looks like there's an extraneous double quote in the provider forward.rb.
================================================================================
Error executing action `add` on resource 'firewalld_forward[514_to_5514]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
execute[add forward port 514:udp => 5514 ] (/tmp/kitchen/cache/cookbooks/firewalld/providers/forward.rb line 10) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '106'
---- Begin output of firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
----
STDOUT:
STDERR: Error: INVALID_FORWARD: invalid forward port arg 'toport=5514
firewall-cmd --permanent --zone=public --add-forward-port=port=514'
---- End output of firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
----
Ran firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=5514"
returned 106
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/logstash/recipes/default.rb
20: firewalld_forward '514_to_5514' do
21: port 514
22: to_port 5514
23: protocol :udp
24: zone 'public'
25: end
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/logstash/recipes/default.rb:20:in `from_file'
firewalld_forward("514_to_5514") do
action [:add]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :firewalld_forward
cookbook_name "logstash"
recipe_name "default"
port 514
to_port 5514
protocol :udp
zone "public"
end
https://github.com/sjsadowski/firewalld-cookbook/blob/v1.2.0/providers/rich_rule.rb#L42
================================================================================
Recipe Compile Error in /var/chef/cache/cookbooks/firewalld/providers/rich_rule.rb
================================================================================
SyntaxError
-----------
/var/chef/cache/cookbooks/firewalld/providers/rich_rule.rb:42: syntax error, unexpected tIDENTIFIER, expecting '('
...rt_protocol && not new_resource.port_number
... ^
System Info:
------------
chef_version=12.22.5
platform=oracle
platform_version=7.7
ruby=ruby 2.3.6p384 (2017-12-14 revision 61254) [x86_64-linux]
program_name=chef-client worker: ppid=24379;start=17:26:04;
executable=/opt/chef/bin/chef-client
I can deploy with 1.1.5 just fine. But, 1.2.0, which was created 4 hours ago causes issues.
It'd be nice if this cookbook supported the --add-forward-port function of firewall-cmd. It looks like it could be implemented in much the same way as the existing options, using --add-forward-port to make the change and --list-forward-ports to check for the change.
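Both forward-port threads on this page (the extraneous quote in forward.rb that produced `INVALID_FORWARD`, and the request to add --add-forward-port support) concern the same argument. The following is an added example, not cookbook code: it builds the `port=N[-M]:proto=P[:toport=N[-M]][:toaddr=ADDR]` argument firewall-cmd expects from structured input and returns an argv array rather than an interpolated shell string, so a stray quote cannot reach the command line. Function names are my own.

```ruby
# Added example (not the cookbook's code). Structured forward-port arguments
# for firewall-cmd, passed as argv so no shell ever re-parses them.
require "shellwords"

PROTOCOLS = %w[tcp udp sctp dccp].freeze

# A port or a port range, each end within 1..65535.
def port_spec(value)
  s = value.to_s
  ok = s.match?(/\A\d{1,5}(-\d{1,5})?\z/) &&
       s.split("-").all? { |n| (1..65535).cover?(n.to_i) }
  raise ArgumentError, "bad port #{value.inspect}" unless ok
  s
end

def forward_port_arg(port:, protocol:, to_port: nil, to_addr: nil)
  raise ArgumentError, "need to_port and/or to_addr" unless to_port || to_addr
  raise ArgumentError, "bad protocol #{protocol.inspect}" unless PROTOCOLS.include?(protocol.to_s)
  spec = "port=#{port_spec(port)}:proto=#{protocol}"
  spec += ":toport=#{port_spec(to_port)}" if to_port
  if to_addr
    # plain IPv4/IPv6 literal; anything else is refused rather than passed through
    raise ArgumentError, "bad address #{to_addr.inspect}" unless to_addr.match?(/\A[0-9a-fA-F.:]+\z/)
    spec += ":toaddr=#{to_addr}"
  end
  spec
end

# op is :add, :remove or :query. The :query form is the idempotency guard:
# firewall-cmd exits 0 when the forward is present and 1 when it is not.
def forward_port_argv(op, zone:, permanent: false, **forward)
  raise ArgumentError, "bad zone #{zone.inspect}" unless zone.match?(/\A[\w-]+\z/)
  raise ArgumentError, "bad op #{op.inspect}" unless %i[add remove query].include?(op)
  argv = ["firewall-cmd"]
  argv << "--permanent" if permanent
  argv << "--zone=#{zone}" << "--#{op}-forward-port=#{forward_port_arg(**forward)}"
  argv
end

# For log lines only: every element is escaped as one word.
def render(argv)
  Shellwords.join(argv)
end

if __FILE__ == $0
  fwd = { zone: "public", port: 514, protocol: :udp, to_port: 5514 }
  puts render(forward_port_argv(:query, **fwd))
  puts render(forward_port_argv(:add, **fwd))
  puts render(forward_port_argv(:add, permanent: true, **fwd))
end
```

A resource built on this runs the `:query` argv first and only then the runtime and `--permanent` `:add` argvs, which mirrors how the existing port resource guards with `--query-port`. Passing arrays to `shell_out` (or `execute` with an array command) is the part that removes the whole class of quoting bugs seen in the forward.rb report, not just the one stray character.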
It would be nice if this cookbook could create and manage custom service definitions in /etc/firewalld/services via an LWRP.
It looks like it should be a matter of rendering a template and notifying firewalld to reload.
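The template-and-reload shape described above is straightforward; what such a resource has to get right is the XML format firewalld reads and the fact that a new or changed file is only picked up after a reload. The following is an added example, not cookbook code: it renders a service definition in that format with escaped values, writes it, and returns the commands a resource would run afterwards. Names, and the sample "nrpe" service used for the demo, are my own.

```ruby
# Added example (not the cookbook's code). Render and write a firewalld service
# definition (/etc/firewalld/services/<name>.xml) and list the follow-up commands.
require "tmpdir"

SERVICE_DIR = "/etc/firewalld/services".freeze
PROTOCOLS   = %w[tcp udp sctp dccp].freeze

def xml_attr(value)   # quoted and escaped: 5666 -> "5666"
  value.to_s.encode(xml: :attr)
end

def xml_text(value)   # escaped element text
  value.to_s.encode(xml: :text)
end

# ports:     [{ port: 5666, protocol: "tcp" }, ...]
# protocols: bare IP protocols, e.g. ["vrrp"]
# modules:   netfilter helper modules, e.g. ["nf_conntrack_ftp"]
def service_xml(name:, short:, description:, ports: [], protocols: [], modules: [])
  # the name becomes a file name and an --add-service argument; keep it a plain token
  raise ArgumentError, "bad service name #{name.inspect}" unless name.match?(/\A[\w-]+\z/)
  out = ['<?xml version="1.0" encoding="utf-8"?>', "<service>"]
  out << "  <short>#{xml_text(short)}</short>"
  out << "  <description>#{xml_text(description)}</description>"
  ports.each do |p|
    ok = PROTOCOLS.include?(p[:protocol].to_s) && p[:port].to_s.match?(/\A\d{1,5}(-\d{1,5})?\z/)
    raise ArgumentError, "bad port #{p.inspect}" unless ok
    out << "  <port protocol=#{xml_attr(p[:protocol])} port=#{xml_attr(p[:port])}/>"
  end
  protocols.each { |pr| out << "  <protocol value=#{xml_attr(pr)}/>" }
  modules.each   { |m|  out << "  <module name=#{xml_attr(m)}/>" }
  out << "</service>"
  out.join("\n") + "\n"
end

# Write the file with the mode firewalld's own service files use and return its path.
def write_service(name, xml, dir: SERVICE_DIR)
  path = File.join(dir, "#{name}.xml")
  File.write(path, xml)
  File.chmod(0o644, path)
  path
end

# After the file changes: reload so firewalld learns the service, then reference
# it by name in the permanent and runtime configuration of a zone.
def activate_cmds(name, zone: "public")
  [%w[firewall-cmd --reload],
   ["firewall-cmd", "--permanent", "--zone=#{zone}", "--add-service=#{name}"],
   ["firewall-cmd", "--zone=#{zone}", "--add-service=#{name}"]]
end

if __FILE__ == $0
  xml = service_xml(name: "nrpe", short: "NRPE", description: "Nagios remote plugin executor",
                    ports: [{ port: 5666, protocol: "tcp" }])
  Dir.mktmpdir { |d| puts File.read(write_service("nrpe", xml, dir: d)) }
  activate_cmds("nrpe").each { |argv| puts argv.join(" ") }
end
```

In a Chef resource the write becomes a `file` or `template` resource that notifies an `execute 'firewall-cmd --reload'`, and the two `--add-service` calls are guarded with `--query-service` the same way the cookbook's other resources guard their changes.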
I see references to resources around firewall-cmd but I don't see any attributes for interface. How could I replicate this command using this cookbook:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
@rigrassm there are a slew of pull requests to fix bugs right now, and some outstanding issues.
If noone is bothering to curate this, would you mind turning it over to someone who will? I'm volunteering as I have a vested interest in this for my environment.