firewalld in the way of CF3 (Fedora 20)


David Ramirez
Jul 24, 2014, 5:09:57 PM
to help-c...@googlegroups.com
Newly deployed Fedora 20 systems now use firewalld. This seems to work, except that the CF3 policy hub is unable to reach its clients.

On each client, I have a service definition such as:

root@myhost:/etc/firewalld/services/# cat cfengine3.xml
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>CFEngine3</short>
  <description>CFEngine 3</description>
  <port protocol="tcp" port="5308"/>
  <destination ipv4="[my policy hub IP]"/>
</service>

This service is in turn declared in the "work" zone file:

cat work.xml
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="bru"/>
  <service name="cfengine3"/>
  <service name="ipp"/>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="mountd"/>
  <service name="nfs"/>
  <service name="rpc-bind"/>
  <service name="samba-client"/>
  <service name="ssh"/>
</zone>

From the CF3 policy hub, nmap reports 5308/tcp as "filtered":

[root@policyhub ~]$ nmap -p 5308 myhost
Starting Nmap 5.51 ( http://nmap.org ) at 2014-07-24 15:49 CDT
Nmap scan report for myhost (XXX.XXX.XXX.XXX)
Host is up (0.00043s latency).
rDNS record for XXX.XXX.XXX.XXX: myhost.mydomain.com
PORT     STATE    SERVICE
5308/tcp filtered cfengine
MAC Address: B8:AC:6F:31:XX:XX (Dell)

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Is there any misconception in my approach? How do I get CF3 traffic through? As far as I understand, there is no syntax element such as <source ipv4="xxx.xxx.xxx.yyy"/>, and that seems to be what is missing... So my access attempts always fail and therefore CF3 fails to run... Only by fully stopping firewalld does CF3 work.

Thanks

Volker Hilsheimer
Jul 25, 2014, 4:45:49 AM
to help-c...@googlegroups.com
Hi David,

Not familiar with firewalld, but just to be clear: the policy hub will not try to reach the bootstrapped hosts; connections are from hosts to the policy hub, not the other way around (unless you have policy that makes the server download files from clients). Clients pull down policy, so your firewall needs to allow the clients to connect to the server.

If you are running CFEngine Enterprise, where downloading of reports from the clients to the Enterprise Server by default requires connectivity in both ways, you can configure CFEngine to use call collect [1] to piggy-back report delivery onto the incoming connections from clients when they download policy.

Volker

Brian Bennett
Jul 25, 2014, 8:01:49 AM
to David Ramirez, help-c...@googlegroups.com
If firewalld uses the conventional definition of "destination" then you will need to set the destination address to the host's local address, not the IP of the hub.

It looks like firewalld is just a daemon that dynamically creates iptables rules? Can you send the output of `iptables-save` on the hub and on one of the clients?


-- 
Brian Bennett
Looking for CFEngine training?
http://www.verticalsysadmin.com/
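To make the two replies above concrete, here is an added checker (written for this thread; it is not David's configuration and not code from the firewalld or CFEngine projects). It parses a firewalld service file and flags the two points raised: a `destination` element that names an address this host does not own (firewalld's `destination` filters on the local side of the packet, as Brian says), and an inbound 5308/tcp rule on a client when, as Volker explains, the connection goes from client to hub. The addresses 192.0.2.10 (hub) and 198.51.100.20 (client) are constructed stand-ins, and the list of local addresses is passed in by the caller instead of being read from the system so the check runs offline.

```python
"""Lint a firewalld service definition for the mistakes discussed in the thread.

Added example. Assumptions: `destination` matches the local address the
packet is delivered to (firewalld semantics); CFEngine clients connect out
to the hub on 5308/tcp. Addresses and XML below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the client's service file, with a made-up hub address
# standing in for the placeholder in the original post.
CLIENT_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>CFEngine3</short>
  <description>CFEngine 3</description>
  <port protocol="tcp" port="5308"/>
  <destination ipv4="192.0.2.10"/>
</service>
"""

# Constructed corrected version for the hub: no <destination>, so 5308/tcp
# is accepted on any local address; the zone binding does the scoping.
HUB_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>CFEngine3</short>
  <description>CFEngine 3</description>
  <port protocol="tcp" port="5308"/>
</service>
"""

CFENGINE_PORT = ("tcp", "5308")


def parse_service(xml_text):
    """Return the ports and destination filter declared in a service file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld <service> definition: <%s>" % root.tag)
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    dest = root.find("destination")
    return {
        "short": root.findtext("short", default=""),
        "ports": ports,
        "destination": dict(dest.attrib) if dest is not None else {},
    }


def lint_service(xml_text, local_ipv4, hub_ipv4, role):
    """Return a list of findings; an empty list means nothing looked wrong.

    local_ipv4: addresses configured on the host the file is installed on.
    hub_ipv4:   the policy hub's address.
    role:       "client" or "hub".
    """
    svc = parse_service(xml_text)
    findings = []
    if not svc["ports"]:
        findings.append("service opens no ports")

    dest4 = svc["destination"].get("ipv4")
    if dest4 is not None:
        # destination may be a host or a CIDR block; normalise to a network.
        net = ipaddress.ip_network(dest4, strict=False)
        if not any(ipaddress.ip_address(a) in net for a in local_ipv4):
            msg = ("destination ipv4=%s matches none of this host's addresses, "
                   "so the rule never applies" % dest4)
            if ipaddress.ip_address(hub_ipv4) in net:
                msg += " (this is the hub's address; destination is the local side)"
            findings.append(msg)

    if role == "client" and CFENGINE_PORT in svc["ports"]:
        findings.append("clients connect out to the hub on 5308/tcp; the inbound "
                        "rule belongs on the hub, not on the client")
    return findings


if __name__ == "__main__":
    for f in lint_service(CLIENT_SERVICE_XML, ["198.51.100.20"], "192.0.2.10", "client"):
        print("client:", f)
    print("hub:", lint_service(HUB_SERVICE_XML, ["192.0.2.10"], "192.0.2.10", "hub") or "ok")
```

Run against the client's file it reports both problems; run against the corrected file on the hub it reports none. The same parser can be pointed at any file under /etc/firewalld/services/ by reading it into a string first.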
