0

PuppetLabs Firewall - Getting Locked out

asked 2014-07-02 03:18:35 -0500

kemra102

updated 2014-07-02 04:51:22 -0500

I am using the Puppetlabs firewall module to manage our firewall. All servers get our core ruleset:

modules/mycompany/manifests/init.pp:

class mycompany {

  resources { 'firewall': purge => true }
  Firewall {
    before  => Class['mycompany::firewall::post'],
    require => Class['mycompany::firewall::pre'],
  }
  class { ['mycompany::firewall::pre', 'mycompany::firewall::core', 'mycompany::firewall::post']: }

  include mycompany::packages
  include mycompany::sudo
  include mycompany::sshd

}

modules/mycompany/manifests/firewall/pre.pp:

class mycompany::firewall::pre {

  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto   => 'icmp',
    action  => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto   => 'all',
    state   => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }

}

modules/mycompany/manifests/firewall/core.pp:

class mycompany::firewall::core {

  firewall { '100 allow SSH':
    proto   => 'tcp',
    port    => [22],
    action  => 'accept',
  }
  firewall { '101 allow salt-minion communication':
    proto   => 'tcp',
    port    => [4505,4506,4510,4511],
    action  => 'accept',
  }
  firewall { '102 allow DNS UDP':
    proto   => 'udp',
    port    => [53],
    action  => 'accept',
  }
  firewall { '103 allow DNS TCP':
    proto   => 'tcp',
    port    => [53],
    action  => 'accept',
  }
  firewall { '104 allow NTP traffic':
    proto   => 'udp',
    port    => [123],
    action  => 'accept',
  }

}

modules/mycompany/manifests/firewall/post.pp:

class mycompany::firewall::post {

  firewall { '999 drop all':
    proto   => 'all',
    action  => 'drop',
    before  => undef,
  }

}

We also have some rules that are added based on server roles dynamically via hiera:

modules/mycompany/manifests/firewall/puppet.pp:

class mycompany::firewall::puppet {

  firewall { '105 allow puppet communication':
    proto   => 'tcp',
    port    => [8140],
    action  => 'accept',
  }

}

modules/mycompany/manifests/firewall/database.pp:

class mycompany::firewall::database {

  firewall { '106 allow Percona/MySQL communication':
    proto   => 'tcp',
    port    => [3306],
    action  => 'accept',
  }

}

This worked perfectly for 1 server but every server after that no matter the role hung at:

Notice: /Stage[main]/Mycompany/Firewall[9001 fe701ab7ca74bd49f13b9f0ab39f3254]/ensure: removed

My SSH session eventually disconnects with a broken pipe. The puppet server I spun up yesterday was available when I got into the office this morning, so it seems they do eventually come back, but it takes some time. Is there any reason I am getting cut off like that, and is there any way to avoid it?
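One check worth running before letting `resources { 'firewall': purge => true }` delete unmanaged rules is to confirm that the rules keeping the SSH session alive are managed ones and sit ahead of the catch-all drop. The script below is an added example, not code from the question or from the puppetlabs-firewall module: it parses an `iptables-save`-style INPUT chain, treats any rule whose comment starts with a three-digit name as module-managed (the naming convention used in the manifests above), lists what a purge would remove, and flags a chain where no managed RELATED,ESTABLISHED accept or tcp/22 accept precedes the first unconditional DROP/REJECT. Both sample chains are constructed for the example.

```python
"""Pre-flight check of an iptables INPUT chain in `iptables-save` form.

Added example; not part of the original question or the firewall module.
Rule names come from the module's `--comment` match; a rule with no such
name is what `resources { 'firewall': purge => true }` would remove.
"""
import re
import shlex

# Constructed sample: a converged host where the managed rules are in place
# and one unmanaged leftover (no comment) is still present.
SAMPLE_CONVERGED = """\
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "002 accept related established rules" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow SSH" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m comment --comment "999 drop all" -j DROP
"""

# Constructed sample: a chain where only unmanaged rules protect the session,
# so purging them before the managed accepts exist would cut SSH off.
SAMPLE_UNCONVERGED = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

MANAGED_NAME = re.compile(r"^\d{3} ")  # module-style rule names: "100 allow SSH"


def parse_rule(line):
    """Extract the fields the check needs from one `-A INPUT ...` line."""
    toks = shlex.split(line)
    rule = {"raw": line, "target": None, "comment": None, "proto": None,
            "dports": [], "states": [], "iface": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "--comment":
            rule["comment"] = toks[i + 1]; i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t in ("--dport", "--dports"):
            # "22", "22,80" or "22:25"; keep the start of each range
            rule["dports"] = [int(p.split(":")[0]) for p in toks[i + 1].split(",")]; i += 2
        elif t == "--state":
            rule["states"] = toks[i + 1].split(","); i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]; i += 2
        else:
            i += 1  # chain name, -m modules, --reject-with, etc.
    return rule


def is_managed(rule):
    return bool(rule["comment"] and MANAGED_NAME.match(rule["comment"]))


def is_catch_all(rule):
    """A DROP/REJECT with no protocol, port, state or interface match."""
    return (rule["proto"] in (None, "all") and not rule["dports"]
            and not rule["states"] and rule["iface"] is None
            and rule["target"] in ("DROP", "REJECT"))


def check_chain(dump, ssh_port=22):
    """Return which rules a purge would remove and whether managed rules
    that keep an SSH session open precede the first catch-all drop."""
    rules = [parse_rule(l) for l in dump.splitlines() if l.startswith("-A INPUT")]
    cut = next((i for i, r in enumerate(rules) if is_catch_all(r)), len(rules))
    ahead = rules[:cut]
    has_established = any(r["target"] == "ACCEPT" and "ESTABLISHED" in r["states"]
                          and is_managed(r) for r in ahead)
    has_ssh = any(r["target"] == "ACCEPT" and r["proto"] == "tcp"
                  and ssh_port in r["dports"] and is_managed(r) for r in ahead)
    findings = []
    if not has_established:
        findings.append("no managed RELATED,ESTABLISHED accept before the catch-all drop")
    if not has_ssh:
        findings.append(f"no managed tcp/{ssh_port} accept before the catch-all drop")
    unmanaged = [r["raw"] for r in rules if not is_managed(r)]
    return {"safe": not findings, "findings": findings, "unmanaged": unmanaged}


if __name__ == "__main__":
    for name, dump in (("converged", SAMPLE_CONVERGED), ("unconverged", SAMPLE_UNCONVERGED)):
        result = check_chain(dump)
        print(name, "safe" if result["safe"] else "UNSAFE", result["findings"])
        for raw in result["unmanaged"]:
            print("  purge would remove:", raw)
```

On a real host the input is `iptables-save -t filter` output; running this before the first agent run with purging enabled shows exactly which rules are about to go and whether a managed path for the existing session is already in place.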


1 Answer

0

answered 2014-08-08 16:06:56 -0500

stacybrock

I had a similar issue and the answer to this question solved it.



Stats

Seen: 1,099 times

Last updated: Jul 02 '14