Strange behavior from puppetforge firewall module


Chris W

Jan 16, 2014, 10:40:09 AM1/16/14
to puppet...@googlegroups.com
We are using the puppetforge firewall module to lay down 2 sets of rules.
The first are a default set laid down in our home grown ssh module's init.pp -
    firewall { '210 TCP - Accept SSH from XXXXX':
      state   => ['NEW'],
      proto   => 'tcp',
      dport   => $ssh_port,
      iniface => $ssh_device,
      source  => 'X.X.X.X',
      action  => 'accept',
    }

    firewall { '211 TCP - Accept SSH from YYYYY':
      state   => ['NEW'],
      proto   => 'tcp',
      dport   => $ssh_port,
      iniface => $ssh_device,
      source  => 'Y.Y.Y.Y',
      action  => 'accept',
    }
These rules persist fine, as do these from our iptables pre.pp

  firewall { '010 ALL - ACCEPT RELATED and ESTABLISHED':
    proto   => 'all',
    state   => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }

  # DROP all NetBIOS broadcast
  firewall { '020 UDP - DROP NetBIOS Traffic':
    proto   => 'udp',
    port    => ['137','138'],
    action  => 'drop',
  }

  # ACCEPT all to localhost
  firewall { '030 ALL - ACCEPT all to localhost':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

However, the following set laid down from a service module manifests/firewall.pp are flaky -

class s_targetserver_rh6::firewall {

  # ACCEPT all on P2P3 (HeartBeat link)
  firewall { '213 ALL - ACCEPT all to P2P3 (HeartBeat Link)':
    proto   => 'all',
    iniface => 'p2p3',
    action  => 'accept',
  }

  # Accept AFD monitoring from server1 (ports 4444-4447) on the management NIC
  firewall { '216 ALL - ACCEPT AFD monitoring from server1 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => 'management nic',
    source  => 'server1 IP',
    action  => 'accept',
  }

  # Accept AFD monitoring from server2 (ports 4444-4447) on the management NIC
  firewall { '217 ALL - ACCEPT AFD monitoring from server2 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => 'management nic',
    source  => 'server2 IP',
    action  => 'accept',
  }

  # Accept AFD monitoring from server3 (ports 4444-4447) on the management NIC
  firewall { '218 ALL - ACCEPT AFD monitoring from server3 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => 'management nic',
    source  => 'server3 IP',
    action  => 'accept',
  }

  # ACCEPT all on BOND1
  firewall { '214 ALL - ACCEPT all to BOND1 (DRDB Link)':
    proto   => 'all',
    iniface => 'bond1',
    action  => 'accept',
  }

  # ACCEPT ftp on Data
  firewall { '215 ALL - ACCEPT FTP on BOND0 (Data Link)':
    proto   => 'tcp',
    port    => '21',
    iniface => 'bond0',
    action  => 'accept',
  }

}

AFD is file distribution software from Deutscher Wetterdienst.

If I do iptables -F on the box, these are reliably applied but, during a random Puppet Agent run, they are subsequently removed.
Later, again at random, they are reapplied.
I've just updated the firewall module, so we are running on version 0.4.2.

Anyone else seen this sort of behaviour or have any suggestions?
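For anyone hitting the same symptom, the ordering pattern below is the one documented in the puppetlabs-firewall README (pre/post classes, a site-wide Firewall resource default, and purging of unmanaged rules), adapted to the rule names from this thread. It is an added example, not code from the poster or from the module's own manifests; the class names my_fw::pre and my_fw::post, the node name, and the 'management nic' / 'server1 IP' placeholders are assumptions. Without the resource default, rules declared in different classes have no ordering relative to the catch-all drop, and without purge a rule flushed or added by hand stays outside Puppet's view until the next run that happens to touch it.

```puppet
# Added example: puppetlabs-firewall README ordering pattern with this thread's
# rule names. my_fw::pre, my_fw::post and the node name are hypothetical.

class my_fw::pre {
  # Rules in the pre class must not require the pre class itself,
  # so the site-wide default set further down is cancelled here.
  Firewall {
    require => undef,
  }

  firewall { '010 ALL - ACCEPT RELATED and ESTABLISHED':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  firewall { '030 ALL - ACCEPT all to localhost':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
}

class my_fw::post {
  # The catch-all drop is applied last; 'before => undef' cancels the
  # default so this rule does not depend on its own class.
  firewall { '991 ALL - DROP ALL':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Resource default: every firewall rule in the catalog, whichever module
# declares it, is applied after my_fw::pre and before my_fw::post, so an
# accept rule is never added after the drop-all within a run.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

# Remove iptables rules that are not in the catalog (e.g. hand-added ones),
# so the state on the box always converges to what the manifests declare.
resources { 'firewall':
  purge => true,
}

class { 'firewall': }                      # manages the iptables service
class { ['my_fw::pre', 'my_fw::post']: }

# Service-specific rules need no explicit ordering; they inherit the default.
class s_targetserver_rh6::firewall {
  firewall { '216 ALL - ACCEPT AFD monitoring from server1 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    dport   => ['4444', '4445', '4446', '4447'],  # dport: match destination ports only
    iniface => 'management nic',                  # placeholder, as in the thread
    source  => 'server1 IP',                      # placeholder, as in the thread
    action  => 'accept',
  }
}

node 'example-node' {   # hypothetical node name
  include s_targetserver_rh6::firewall
}
```

After a run with this layout, `iptables -S` should list rules in their numeric-prefix order with the 991 drop last; if a rule disappears on a later run, `puppet agent --test --noop` shows whether the catalog still contains it or whether purge is removing something the catalog no longer declares.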

Felix Frank

Feb 6, 2014, 6:02:27 AM2/6/14
to puppet...@googlegroups.com
Hi,

this hasn't been solved yet, has it?

What version of puppet is this (master+agent), how is the master laid
out (passenger?) and how are your manifests structured? Are you relying
on import somewhere e.g.?

Thanks,
Felix

Chris W

Feb 12, 2014, 9:56:23 AM2/12/14
to puppet...@googlegroups.com
Hi,
Puppet master is 3.0.2
Puppet agent is 3.0.2
OS is RHEL6
Node manifests are flat files under a Git repo.
Overarching firewall rules are applied by an ssh module from manifests/init.pp to allow ssh access from management servers; this works all the time.
Service-specific firewall rules are laid down from a services module.
I tried calling the service::firewall.pp from the service::init.pp, but this resulted in the above behaviour.
I ended up having to do an include of the service::firewall from the node manifest.

Felix Frank

Feb 12, 2014, 10:24:05 AM2/12/14
to puppet...@googlegroups.com
Hi,

the manifest layout sounds sane enough. Is this a passenger setup?

On 02/12/2014 03:56 PM, Chris W wrote:
> Puppet master is 3.0.2
> Puppet agent is 3.0.2
> I ended up having to do an include of the
> service::firewall from the node manifest

So is this working for you now?

If not, I seem to remember that 3.0.x had certain issues, not sure if
this kind of craziness was among them.

Can you try upgrading to 3.2 or later?

Cheers,
Felix

Chris W

Feb 14, 2014, 5:16:51 AM2/14/14
to puppet...@googlegroups.com
Hi,
We're not using passenger.

It's working, but not quite what you would call stable; I still see this in the logs sometimes -

Feb 11 11:22:26 xxxxxxx01 puppet-agent[2135]: (/Firewall[030 ALL - ACCEPT all to localhost]/ensure) created
Feb 11 11:22:26 xxxxxxx01 puppet-agent[2135]: (/Firewall[010 ALL - ACCEPT RELATED and ESTABLISHED]/ensure) created
Feb 11 11:22:27 xxxxxxx01 puppet-agent[2135]: (/Firewall[211 TCP - Accept SSH from yyyyyyy01]/ensure) created
Feb 11 11:22:28 xxxxxxx01 puppet-agent[2135]: (/Firewall[213 ALL - ACCEPT all to P2P3 (HeartBeat Link)]/ensure) created
Feb 11 11:22:28 xxxxxxx01 puppet-agent[2135]: (/Firewall[216 ALL - ACCEPT AFD monitoring from xxxxxxx on management]/ensure) created
Feb 11 11:22:29 xxxxxxx01 puppet-agent[2135]: (/Firewall[020 UDP - DROP NetBIOS Traffic]/ensure) created
Feb 11 11:22:29 xxxxxxx01 puppet-agent[2135]: (/Firewall[990 ALL - JUMP to LOG CHAIN]/ensure) created
Feb 11 11:22:30 xxxxxxx01 puppet-agent[2135]: (/Firewall[991 ALL - DROP ALL]/ensure) created
Feb 11 11:22:30 xxxxxxx01 puppet-agent[2135]: (/Firewall[217 ALL - ACCEPT AFD monitoring from xxxxxxx2 on management]/ensure) created
Feb 11 11:22:31 xxxxxxx01 puppet-agent[2135]: (/Firewall[218 ALL - ACCEPT AFD monitoring from xxxxxxx01 on management]/ensure) created
Feb 11 11:22:32 xxxxxxx01 puppet-agent[2135]: (/Firewall[215 ALL - ACCEPT FTP on BOND0 (Data Link)]/ensure) created
Feb 11 11:22:44 xxxxxxx01 puppet-agent[2135]: (/Firewall[214 ALL - ACCEPT all to BOND1 (DRDB Link)]/ensure) created
Feb 11 11:22:46 xxxxxxx01 puppet-agent[2135]: (/Firewall[210 TCP - Accept SSH from zzzzzz01]/ensure) created
Feb 11 11:22:47 xxxxxxx01 puppet-agent[2135]: Finished catalog run in 27.28 seconds

but at least they aren't being removed :-)

We do plan to move to a newer version when we have time, but it's on a pretty long list of to-dos.

Cheers

Chris
