Puppetlabs Firewall


Marco

Sep 10, 2014, 10:16:20 AM9/10/14
to puppe...@googlegroups.com
Hi,

I am currently trying to work with puppetlabs-firewall. I am also working with Vagrant, so port 22 has to stay open all the time, but I want to reject any further connection possibilities.

I am working with puppetlabs-firewall 1.1.3 and Puppet 2.7.23.

So the perfect way for me would be to work with inversion, like this (https://github.com/puppetlabs/puppetlabs-firewall/blob/master/README.markdown#rule-inversion):

    firewall { '000 drop all except TCP 22':
        action  => 'drop',
        iniface => 'eth0',
        proto   => '! TCP',
        port    => ['! 22'],
    }

But this does not work. I always get an error that these are not valid arguments.
If I work with

    firewall { '000 drop all':
        action  => 'drop',
        iniface => 'eth0',
        proto   => 'all'
    }

and

    firewall { '000 accept TCP 22':
        action  => 'accept',
        iniface => 'eth0',
        proto   => 'tcp',
        port    => [22],
    }

the connection is lost, and I cannot connect via port 22 again.

Could somebody help me? I do not know how to handle this situation.

Greets,
Marco

Felix Frank

Sep 10, 2014, 11:01:36 AM9/10/14
to puppe...@googlegroups.com
Hi,

this is more of a puppet-users question, actually.

On 09/10/2014 04:16 PM, Marco wrote:
> firewall { '000 drop all except TCP 22':
> action => 'drop',
> iniface => 'eth0',
> proto => '! TCP'
> port => ['! 22'],
> }

This would not do what you think it does, anyway. It targets packages
that are neither TCP nor Port 22, so all of TCP would still be accepted.
Also udp/22 :-)

> firewall { '000 drop all':
> action => 'drop',
> iniface => 'eth0',
> proto => 'all'
> }
>
> and
>
> firewall { '000 accept TCP 22':
> action => 'accept',
> iniface => 'eth0',
> proto => 'tcp'
> port => [22],
> }

They share the same priority. Why? The whitelisting rule should always
precede the catch-all drop.

Have you tried '999 drop all'?

Best,
Felix
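As an added illustration of the ordering point made above (not code from the thread or from the puppetlabs-firewall project): puppetlabs-firewall sorts rules by the numeric prefix of the resource title, so the SSH whitelist needs a lower number than the drop, and a rule accepting established connections keeps the running Vagrant session from being cut off while the catch-all is applied. The interface name 'eth0' follows the original post; the class name `vagrant_fw` is an assumption.

```puppet
# Example manifest (assumed class name): whitelist first, catch-all last.
class vagrant_fw {
  # Accept replies to connections that already exist, so the SSH session
  # Puppet is being run over survives the moment the drop rule lands.
  firewall { '000 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # Local traffic on the loopback interface is not what we want to block.
  firewall { '001 accept loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  # The whitelist: low number, so it is inserted above the drop in INPUT.
  firewall { '010 accept TCP 22 for Vagrant SSH':
    proto   => 'tcp',
    dport   => 22,
    iniface => 'eth0',
    action  => 'accept',
  }

  # The catch-all: highest number, so it is evaluated last.
  firewall { '999 drop all other traffic on eth0':
    proto   => 'all',
    iniface => 'eth0',
    action  => 'drop',
  }
}
```

After applying, `iptables -L INPUT -n --line-numbers` should list the accept rules above the drop; if the drop appears first, the numeric prefixes are not ordered as intended.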