Puppetlabs-firewall and Logging
387 views
Skip to first unread message
Jim Miller
Dec 11, 2013, 10:24:14 PM12/11/13
to puppet...@googlegroups.com
We're testing out the Puppetlabs-Firewall module. And it seems I'm either missing something fundamental or Logging/Accpet works/doesn't work in an irregular way. I would be most grateful for some input.
COMMON:
firewall { '002 accept related established rules INPUT': proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
firewall { '003 accept related established rules OUTPUT': chain => 'OUTPUT', proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
This works for new inbound SSH connections:
firewall { '007 fwd to ssh_in': chain => 'INPUT', iniface => 'eth0', source => '10.x8.xx1.0/24', proto => 'tcp', state => 'NEW', port => '22', action => 'accept' }
This works for inbound SSH connections:
firewallchain { 'ssh_in:filter:IPv4': ensure => present, }
firewall { '008 fwd to ssh_in': chain => 'INPUT', iniface => 'eth0', source => '10.x8.xx1.0/24', proto => 'tcp', state => 'NEW', port => '22', jump => 'ssh_in' }
firewall { '009 ssh_in': chain => 'ssh_in', jump => 'LOG', log_prefix => 'ssh_in ' }
firewall { '011 ssh_in': chain => 'ssh_in', action => 'accept' }
This works for DNS:
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'tcp', state => 'NEW', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'udp', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'tcp', state => 'NEW', port => '53', action => 'accept', }
This does NOT work for DNS:
firewallchain { 'dns_out:filter:IPv4': ensure => present, }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'tcp', state => 'NEW', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'udp', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'tcp', state => 'NEW', port => '53', jump => 'dns_out', }
firewall { '024 dns_out': chain => 'dns_out', jump => 'LOG', log_prefix => 'dns_out', }
firewall { '025 dns_out': chain => 'dns_out', action => 'accept', }
None of the above rules generates any errors.
My understanding of reading the doc is the default policy is 'accept' when not specified (not sure about custom chains). When I try to connect to the server, I don't see logs being generated.
Thanks,
Jim
COMMON:
firewall { '002 accept related established rules INPUT': proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
firewall { '003 accept related established rules OUTPUT': chain => 'OUTPUT', proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
This works for new inbound SSH connections:
firewall { '007 fwd to ssh_in': chain => 'INPUT', iniface => 'eth0', source => '10.x8.xx1.0/24', proto => 'tcp', state => 'NEW', port => '22', action => 'accept' }
This works for inbound SSH connections:
firewallchain { 'ssh_in:filter:IPv4': ensure => present, }
firewall { '008 fwd to ssh_in': chain => 'INPUT', iniface => 'eth0', source => '10.x8.xx1.0/24', proto => 'tcp', state => 'NEW', port => '22', jump => 'ssh_in' }
firewall { '009 ssh_in': chain => 'ssh_in', jump => 'LOG', log_prefix => 'ssh_in ' }
firewall { '011 ssh_in': chain => 'ssh_in', action => 'accept' }
This works for DNS:
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'tcp', state => 'NEW', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'udp', port => '53', action => 'accept', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'tcp', state => 'NEW', port => '53', action => 'accept', }
This does NOT work for DNS:
firewallchain { 'dns_out:filter:IPv4': ensure => present, }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'tcp', state => 'NEW', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'udp', port => '53', jump => 'dns_out', }
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x6', proto => 'tcp', state => 'NEW', port => '53', jump => 'dns_out', }
firewall { '024 dns_out': chain => 'dns_out', jump => 'LOG', log_prefix => 'dns_out', }
firewall { '025 dns_out': chain => 'dns_out', action => 'accept', }
None of the above rules generates any errors.
My understanding of reading the doc is the default policy is 'accept' when not specified (not sure about custom chains). When I try to connect to the server, I don't see logs being generated.
Thanks,
Jim
Jeff Bachtel
Dec 11, 2013, 11:02:08 PM12/11/13
to puppet...@googlegroups.com
Are you seeing the not-working rules generate iptables rules (verify
with iptables-save after applying manifest)?
Also, it's been a while since I dug into the ruby that generates the rules, you should probably use the before operator -> between rules to enforce ordering, like
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', action => 'accept', } ->
Also, it's been a while since I dug into the ruby that generates the rules, you should probably use the before operator -> between rules to enforce ordering, like
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'udp', port => '53', action => 'accept', } ->
firewall { '016 fwd to dns_out': chain => 'OUTPUT', outiface => 'eth0', destination => '10.x8.x0.x5', proto => 'tcp', state => 'NEW', port => '53', action => 'accept', }
Jeff
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e12d97d9-2e43-482c-aa22-7bccaf6de17d%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Jim Miller
Dec 13, 2013, 7:15:25 PM12/13/13
to puppet...@googlegroups.com
These rules are being applied in the pre.pp so they run first. Since we're just testing this out the only rules we have are in pre.pp and post.pp. In pre.pp the rules are SSH and DNS, and post.pp drop everything else.
I'm wondering how much traction this module has since it seems log and drop is not supported. Again, I ask if anyone can generically share some working rules for tcp/udp. Or if this isn't the module to use which one is?
Thanks all,
I'm wondering how much traction this module has since it seems log and drop is not supported. Again, I ask if anyone can generically share some working rules for tcp/udp. Or if this isn't the module to use which one is?
Thanks all,
Jim Miller
Dec 13, 2013, 7:50:58 PM12/13/13
to puppet...@googlegroups.com
I forgot to add, yes the rules are being generated and outbound DNS logs are being generated.. AND I FOUND THE ISSUE. You have to specify a protocol in ALL chains. Or in the case where you specified it earlier (for LOG and custom chains 'proto => 'any').
with no protocol specified rules default to tcp
--------
-A dns_out -p tcp -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -p tcp -m comment --comment "025 dns_out" -j ACCEPT
-------
with proto => 'any'
------
-A dns_out -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -m comment --comment "025 dns_out" -j ACCEPT
-----
I get the desired results.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dns_out - [0:0]
:ssh_in - [0:0]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept related established rules INPUT" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.xx.xx.0/23 -i eth0 -p tcp -m multiport --ports 22 -m comment --comment "005 fwd to ssh in" -m state --state NEW -j ssh_in
-A INPUT -m comment --comment "998 drop all INPUT" -j DROP
-A OUTPUT -m comment --comment "003 accept related established rules OUTPUT" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.xx.xx.2X/32 -o eth0 -p tcp -m multiport --ports 53 -m comment --comment "015 fwd to dns_out" -m state --state NEW -j dns_out
-A OUTPUT -d 10.xx.X0.2x/32 -p udp -m multiport --ports 53 -m comment --comment "016 fwd to dns_out" -j dns_out
-A OUTPUT -d 10.xx.X.2x/32 -o eth0 -p tcp -m multiport --ports 53 -m comment --comment "018 fwd to dns_out" -m state --state NEW -j dns_out
-A OUTPUT -d 10.xx.X.2x/32 -p udp -m multiport --ports 53 -m comment --comment "026 fwd to dns_out" -j dns_out
-A OUTPUT -m comment --comment "999 drop all OUTPUT" -j DROP
-A dns_out -p tcp -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -p tcp -m comment --comment "025 dns_out" -j ACCEPT
-A ssh_in -p tcp -m comment --comment "009 ssh_in" -j LOG --log-prefix "ssh_in"
-A ssh_in -p tcp -m comment --comment "011 ssh_in" -j ACCEPT
COMMIT
with no protocol specified rules default to tcp
--------
-A dns_out -p tcp -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -p tcp -m comment --comment "025 dns_out" -j ACCEPT
-------
with proto => 'any'
------
-A dns_out -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -m comment --comment "025 dns_out" -j ACCEPT
-----
I get the desired results.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dns_out - [0:0]
:ssh_in - [0:0]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept related established rules INPUT" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.xx.xx.0/23 -i eth0 -p tcp -m multiport --ports 22 -m comment --comment "005 fwd to ssh in" -m state --state NEW -j ssh_in
-A INPUT -m comment --comment "998 drop all INPUT" -j DROP
-A OUTPUT -m comment --comment "003 accept related established rules OUTPUT" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.xx.xx.2X/32 -o eth0 -p tcp -m multiport --ports 53 -m comment --comment "015 fwd to dns_out" -m state --state NEW -j dns_out
-A OUTPUT -d 10.xx.X0.2x/32 -p udp -m multiport --ports 53 -m comment --comment "016 fwd to dns_out" -j dns_out
-A OUTPUT -d 10.xx.X.2x/32 -o eth0 -p tcp -m multiport --ports 53 -m comment --comment "018 fwd to dns_out" -m state --state NEW -j dns_out
-A OUTPUT -d 10.xx.X.2x/32 -p udp -m multiport --ports 53 -m comment --comment "026 fwd to dns_out" -j dns_out
-A OUTPUT -m comment --comment "999 drop all OUTPUT" -j DROP
-A dns_out -p tcp -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out"
-A dns_out -p tcp -m comment --comment "025 dns_out" -j ACCEPT
-A ssh_in -p tcp -m comment --comment "009 ssh_in" -j LOG --log-prefix "ssh_in"
-A ssh_in -p tcp -m comment --comment "011 ssh_in" -j ACCEPT
COMMIT
Reply all
Reply to author
Forward
0 new messages