Firewall rule proto default


Laurence Foley

Dec 15, 2014, 5:16:44 AM
to puppet...@googlegroups.com
Opening this question that I posted on the ask site to a wider (?) audience:



Quick question regarding the handling of proto in puppetlabs-firewalls. If I do a man on ip(6) tables I see:

-p, --protocol protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.



And from a quick look at lib/puppet/type/firewalls.rb I see:

newproperty(:proto) do
  desc <<-EOS
    The specific protocol to match for this rule. By default this is *tcp*.
  EOS

  newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp,
              :ipencap, :ospf, :gre, :cbt, :all].collect do |proto|
    [proto, "! #{proto}".to_sym]
  end.flatten)
  defaultto "tcp"
end




Now, I can edit the file to change the value to defaultto "all", and the rules look something like

firewall { '1990 related established':
  action   => 'accept',
  state    => ['RELATED', 'ESTABLISHED'],
  chain    => 'OUTPUT',
  provider => 'iptables',
}




The difference in configuration rules (sample system) goes from:

[root@ms1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
:
:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 990 related established */ state RELATED,ESTABLISHED
:
:
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 623 /* 992 ipmi */ state NEW
:
:
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
:
:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1990 related established */ state RELATED,ESTABLISHED
:
:
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1999 drop all */


to:

[root@ms1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
:
:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* 990 related established */ state RELATED,ESTABLISHED
:
:
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 623 /* 992 ipmi */ state NEW
:
:
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
:
:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* 1990 related established */ state RELATED,ESTABLISHED
:
:
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* 1999 drop all */


but I am not sure whether this is the desired behaviour, or even whether modifying the file is a correct approach.

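As an added example (not code from this thread or from puppetlabs-firewall), the following Ruby script audits rendered rules for exactly what the first listing above shows: with proto => 'tcp' as the module default, the "999 drop all" and "1999 drop all" rules only drop TCP, so UDP, ICMP and every other protocol falls through to the chain's ACCEPT policy. It parses `iptables -S` output; the two rulesets embedded in it are constructed to mirror the before and after listings, not captured from a real host. It also flags the empty FORWARD chain, which the ACCEPT policy leaves open in both listings.

```ruby
# Added example, not code from the thread or from puppetlabs-firewall.
# Audits `iptables -S` output for chains whose terminal DROP rule does not
# cover every protocol: with the module's default of proto => 'tcp', a
# "drop all" rule only drops TCP and everything else reaches the chain policy.
# With no arguments it audits the constructed samples below; pass a file
# containing `iptables -S` output to audit that instead.

# Parse one line of `iptables -S` output into a Hash, or nil for lines that
# are neither a policy (-P) nor a rule (-A).
def parse_iptables_save_line(line)
  if (m = line.match(/\A-P (\S+) (\S+)/))
    return { kind: :policy, chain: m[1], policy: m[2] }
  end
  return nil unless (m = line.match(/\A-A (\S+) (.*)\z/))
  args = m[2]
  # iptables-save omits "-p" entirely when the rule matches all protocols.
  proto = args[/(?:\A|\s)-p (\S+)/, 1] || 'all'
  proto = "!#{proto}" if args.match?(/(?:\A|\s)! -p /) # "! -p tcp" inverts
  {
    kind:    :rule,
    chain:   m[1],
    proto:   proto,
    target:  args[/\s-j (\S+)/, 1],
    comment: args[/--comment "([^"]*)"/, 1] || args[/--comment (\S+)/, 1],
  }
end

# For every chain with a policy line, report what its last DROP rule covers
# and whether some traffic can fall through to an ACCEPT policy.
def audit_terminal_drops(dump)
  policies = {}
  rules = Hash.new { |h, k| h[k] = [] }
  dump.each_line do |raw|
    entry = parse_iptables_save_line(raw.strip)
    next unless entry
    if entry[:kind] == :policy
      policies[entry[:chain]] = entry[:policy]
    else
      rules[entry[:chain]] << entry
    end
  end
  policies.keys.sort.map do |chain|
    last_drop = rules[chain].reverse.find { |r| r[:target] == 'DROP' }
    drop_proto = last_drop && last_drop[:proto]
    {
      chain:         chain,
      policy:        policies[chain],
      drop_rule:     last_drop && last_drop[:comment],
      drop_proto:    drop_proto,
      falls_through: policies[chain] == 'ACCEPT' && drop_proto != 'all',
    }
  end
end

# Names of the chains where at least one protocol reaches an ACCEPT policy.
def leaky_chains(dump)
  audit_terminal_drops(dump).select { |c| c[:falls_through] }.map { |c| c[:chain] }
end

# Constructed samples mirroring the two listings in the thread (proto default
# 'tcp' versus 'all'); they are not captured from a real host.
BEFORE_RULES = <<~'RULES'
  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -A INPUT -p tcp -m comment --comment "990 related established" -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p udp -m multiport --dports 623 -m comment --comment "992 ipmi" -m state --state NEW -j ACCEPT
  -A INPUT -p tcp -m comment --comment "999 drop all" -j DROP
  -A OUTPUT -p tcp -m comment --comment "1990 related established" -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp -m comment --comment "1999 drop all" -j DROP
RULES

# The "after" state: the tcp-only rules now match all protocols (no -p).
AFTER_RULES = BEFORE_RULES.gsub(/^(-A \S+) -p tcp /, '\1 ')

if $PROGRAM_NAME == __FILE__
  dumps = if ARGV.empty?
            { 'before (proto default tcp)' => BEFORE_RULES, 'after (proto all)' => AFTER_RULES }
          else
            { ARGV[0] => File.read(ARGV[0]) }
          end
  dumps.each do |name, dump|
    puts "== #{name}"
    audit_terminal_drops(dump).each do |c|
      status = c[:falls_through] ? 'FALLS THROUGH' : 'ok'
      puts format('%-8s policy=%-6s last DROP=%-24s proto=%-4s %s',
                  c[:chain], c[:policy], c[:drop_rule].inspect, c[:drop_proto] || '-', status)
    end
  end
end
```

Note that the FORWARD chain is reported as falling through in both states: it has an ACCEPT policy and no rules at all, which the proto default does nothing to change; that is a separate decision about the chain policy rather than about the module.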

Thomas Müller

Dec 16, 2014, 1:39:17 AM
to puppet...@googlegroups.com


> And from a quick look at lib/puppet/type/firewalls.rb I see:
>
> newproperty(:proto) do
>   desc <<-EOS
>     The specific protocol to match for this rule. By default this is *tcp*.
>   EOS
>
>   newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp,
>               :ipencap, :ospf, :gre, :cbt, :all].collect do |proto|
>     [proto, "! #{proto}".to_sym]
>   end.flatten)
>   defaultto "tcp"
>
> Now, I can edit the file to change the value to defaultto "all", and the
> rules look something like
>
> firewall { '1990 related established':
>   action   => 'accept',
>   state    => ['RELATED', 'ESTABLISHED'],
>   chain    => 'OUTPUT',
>   provider => 'iptables',
> }
>
Definitely the wrong place to change a default is to edit lib/puppet/type/firewalls.rb yourself.

Use the following in manifests/site.pp (outside a node definition, "top-scope"):

Firewall {
proto => 'all',
}


https://docs.puppetlabs.com/puppet/latest/reference/lang_defaults.html
https://docs.puppetlabs.com/guides/style_guide.html#resource-defaults


regards
- Thomas

Laurence Foley

Dec 16, 2014, 10:39:29 AM
to puppet...@googlegroups.com
Thanks Thomas,

That has done the trick.