We're testing out the Puppetlabs-Firewall module. And it seems I'm either missing something fundamental or Logging/Accept works/doesn't work in an irregular way. I would be most grateful for some input.
COMMON:
firewall { '002 accept related established rules INPUT': proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
firewall { '003 accept related established rules OUTPUT': chain => 'OUTPUT', proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept' }
This works for new inbound SSH connections:
firewall { '007 fwd to ssh_in': chain => 'INPUT', iniface => 'eth0', source => '10.x8.xx1.0/24', proto => 'tcp', state => 'NEW', port => '22', action => 'accept' }
This works for inbound SSH connections:
firewallchain { 'ssh_in:filter:IPv4': ensure => present, }
firewall { '008 fwd to ssh_in':
  chain   => 'INPUT',
  iniface => 'eth0',
  source  => '10.x8.xx1.0/24',
  proto   => 'tcp',
  state   => 'NEW',
  port    => '22',
  jump    => 'ssh_in',
}
# LOG is a non-terminating target: a matching packet is logged and then
# falls through to the next rule in the chain ('011 ssh_in' below)
firewall { '009 ssh_in': chain => 'ssh_in', jump => 'LOG', log_prefix => 'ssh_in ' }
firewall { '011 ssh_in': chain => 'ssh_in', action => 'accept' }
This works for DNS:
# resource titles must be unique (Puppet rejects duplicate declarations);
# the leading number sets the rule order within the chain
firewall { '016 fwd to dns_out udp x5':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x5',
  proto       => 'udp',
  port        => '53',
  action      => 'accept',
}
firewall { '017 fwd to dns_out tcp x5':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x5',
  proto       => 'tcp',
  state       => 'NEW',
  port        => '53',
  action      => 'accept',
}
firewall { '018 fwd to dns_out udp x6':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x6',
  proto       => 'udp',
  port        => '53',
  action      => 'accept',
}
firewall { '019 fwd to dns_out tcp x6':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x6',
  proto       => 'tcp',
  state       => 'NEW',
  port        => '53',
  action      => 'accept',
}
This does NOT work for DNS:
firewallchain { 'dns_out:filter:IPv4': ensure => present, }
# same rules as above, but jumping into the custom chain instead of
# accepting directly; titles kept unique so each rule is its own resource
firewall { '016 fwd to dns_out udp x5':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x5',
  proto       => 'udp',
  port        => '53',
  jump        => 'dns_out',
}
firewall { '017 fwd to dns_out tcp x5':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x5',
  proto       => 'tcp',
  state       => 'NEW',
  port        => '53',
  jump        => 'dns_out',
}
firewall { '018 fwd to dns_out udp x6':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x6',
  proto       => 'udp',
  port        => '53',
  jump        => 'dns_out',
}
firewall { '019 fwd to dns_out tcp x6':
  chain       => 'OUTPUT',
  outiface    => 'eth0',
  destination => '10.x8.x0.x6',
  proto       => 'tcp',
  state       => 'NEW',
  port        => '53',
  jump        => 'dns_out',
}
# LOG is non-terminating, so the packet continues to '025 dns_out' after being logged
firewall { '024 dns_out': chain => 'dns_out', jump => 'LOG', log_prefix => 'dns_out', }
firewall { '025 dns_out': chain => 'dns_out', action => 'accept', }
None of the above rules generates any errors.
My understanding from reading the docs is that the default policy is 'accept' when not specified (not sure about custom chains). When I try to connect to the server, I don't see any logs being generated.
Thanks,
Jim
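When a "LOG then accept" custom chain produces no log lines, the two things worth checking in the rules the kernel actually loaded (not the manifest) are whether anything jumps into the chain at all and whether the LOG rule comes before the first terminating target in that chain. The script below is an added example, not code from the post above or from the puppetlabs-firewall module: it reads iptables-save text and reports on a named chain. The function names (jumps_into, log_precedes_terminator, check_chain) are mine, and the sample rules are constructed, in approximate iptables-save format, with placeholder addresses; two deliberately broken chains (orphan, bad_order) show the failure modes alongside the post's dns_out and ssh_in.

```shell
#!/bin/sh
# Sanity-check how a user-defined iptables chain is wired, from iptables-save
# text. Added example, not from the original post or puppetlabs-firewall.
# Two misconfigurations make a "LOG then accept" chain silently log nothing:
#   1. no rule jumps into the chain (it exists but never receives traffic), or
#   2. the LOG rule sits after a terminating target and is never reached.

# Constructed sample in (approximate) iptables-save format, standing in for
# the post's rules. Addresses are placeholders. dns_out and ssh_in are wired
# correctly; orphan has no jump into it; bad_order logs after ACCEPT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:bad_order - [0:0]
:dns_out - [0:0]
:orphan - [0:0]
:ssh_in - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "002 accept related established rules INPUT" -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth0 -p tcp -m state --state NEW -m multiport --ports 22 -m comment --comment "008 fwd to ssh_in" -j ssh_in
-A OUTPUT -m state --state RELATED,ESTABLISHED -m comment --comment "003 accept related established rules OUTPUT" -j ACCEPT
-A OUTPUT -d 10.0.0.5/32 -o eth0 -p udp -m multiport --ports 53 -m comment --comment "016 fwd to dns_out udp x5" -j dns_out
-A OUTPUT -d 10.0.0.5/32 -o eth0 -p tcp -m state --state NEW -m multiport --ports 53 -m comment --comment "017 fwd to dns_out tcp x5" -j dns_out
-A OUTPUT -o eth0 -p tcp -m multiport --ports 80 -m comment --comment "030 fwd to bad_order" -j bad_order
-A bad_order -m comment --comment "031 bad_order" -j ACCEPT
-A bad_order -m comment --comment "032 bad_order" -j LOG --log-prefix "bad_order "
-A dns_out -m comment --comment "024 dns_out" -j LOG --log-prefix "dns_out "
-A dns_out -m comment --comment "025 dns_out" -j ACCEPT
-A orphan -m comment --comment "040 orphan" -j LOG --log-prefix "orphan "
-A orphan -m comment --comment "041 orphan" -j ACCEPT
-A ssh_in -m comment --comment "009 ssh_in" -j LOG --log-prefix "ssh_in "
-A ssh_in -m comment --comment "011 ssh_in" -j ACCEPT
COMMIT'

# Count rules (in any chain) that jump into chain $1. Reads iptables-save
# text on stdin. Zero means the chain is defined but never entered.
jumps_into() {
    grep -c -E -- "-j $1"'( |$)' || true
}

# Succeed if, among chain $1's own rules, a LOG rule appears before the first
# terminating target (ACCEPT/DROP/REJECT/RETURN). LOG is non-terminating, so
# a LOG placed after ACCEPT never sees a packet. Reads iptables-save on stdin.
log_precedes_terminator() {
    grep -- "^-A $1 " | awk '
        /-j LOG( |$)/ && !log_seen { log_seen = NR }
        /-j (ACCEPT|DROP|REJECT|RETURN)( |$)/ && !term_seen { term_seen = NR }
        END { exit !(log_seen && (!term_seen || log_seen < term_seen)) }'
}

# Print one verdict for chain $1: "ok", "unreferenced" or "log-unreachable".
# Returns non-zero for the two failure cases. Reads iptables-save on stdin.
check_chain() {
    chain=$1
    rules=$(cat)
    if [ "$(printf '%s\n' "$rules" | jumps_into "$chain")" -eq 0 ]; then
        echo unreferenced
        return 1
    fi
    if ! printf '%s\n' "$rules" | log_precedes_terminator "$chain"; then
        echo log-unreachable
        return 1
    fi
    echo ok
}

# Demo on the constructed sample. On a real host, after sourcing this file:
#   iptables-save -t filter | check_chain dns_out
for c in dns_out ssh_in orphan bad_order; do
    printf '%-10s %s\n' "$c" "$(printf '%s\n' "$SAMPLE_RULES" | check_chain "$c")"
done
```

If check_chain reports "ok" for the live rules, the chain is wired correctly and the next thing to look at is packet counters: iptables -vnL OUTPUT and iptables -vnL dns_out show a pkts column per rule, and a jump rule sitting at zero means the traffic never reached it (for example because an earlier rule in the same chain, such as the RELATED,ESTABLISHED accept, matched first). LOG writes to the kernel log, so the prefix should be searched for in dmesg or journalctl -k rather than in application logs.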