firewall rule proto default

asked 2014-12-09 09:46:15 -0600


Quick question regarding the handling of proto in puppetlabs-firewall. If I do a man on ip(6)tables I see:

-p, --protocol protocol
          The protocol of the rule or of the packet to check. The specified protocol can be one of tcp,
          udp, udplite, icmp, esp, ah, sctp or all, or it can be a numeric value, representing one of these
          protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!"
          argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all
          will match with all protocols and is taken as default when this option is omitted.

And from a quick look at lib/puppet/type/firewalls.rb I see:

newproperty(:proto) do
  desc <<-EOS
    The specific protocol to match for this rule. By default this is
    *tcp*.
  EOS

  # Every listed protocol is accepted both plain and negated ("! tcp").
  newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ospf, :gre, :cbt, :all].collect do |proto|
    [proto, "! #{proto}".to_sym]
  end.flatten)
  defaultto "tcp"
end

Now, I can edit the file to change the value to defaultto "all", and the rules look something like:

firewall { '1990 related established':
  action      => 'accept',
  state       => ['RELATED', 'ESTABLISHED'],
  chain       => 'OUTPUT',
  provider    => 'iptables',
}

The difference in configuration rules (sample system) goes from:

[root@ms1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
:
:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           /* 990 related established */ state RELATED,ESTABLISHED 
:
:
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 623 /* 992 ipmi */ state NEW 
:
:
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */ 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
:
:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           /* 1990 related established */ state RELATED,ESTABLISHED 
:
:
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           /* 1999 drop all */

to:

[root@ms1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
:
:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 990 related established */ state RELATED,ESTABLISHED 
:
:
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 623 /* 992 ipmi */ state NEW 
:
:
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */ 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
:
:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 1990 related established */ state RELATED,ESTABLISHED 
:
:
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 1999 drop all */

but I am not sure whether this is desired behaviour or even an incorrect modification.


1 Answer


answered 2014-12-16 09:42:03 -0600


If anyone else gets this issue in their firewall implementation, this was answered on the puppet-users group for me:

Definitely the wrong place to change a default is to edit lib/puppet/type/firewalls.rb yourself.

Use the following in manifests/site.pp (outside a node definition, "top-scope"):

Firewall {
  proto => 'all',
}
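A fuller version of the resource-default approach from the answer, as an added example that is not part of the original question, the answer, or the puppetlabs-firewall module's own documentation. The class names (my_firewall::pre, my_firewall::post), rule numbers and ports are assumptions made for illustration. It shows the point the question's own iptables output makes visible: with the type's built-in default of tcp, a rule named "999 drop all" is really "drop all TCP", and UDP and ICMP fall through to the chain policy (ACCEPT in that listing). A top-scope resource default of proto => 'all' fixes every catch-all rule at once, while rules that name a protocol keep setting proto explicitly, because an explicit attribute always wins over a resource default.

```puppet
# manifests/site.pp, outside any node definition.
# Added example; not code from the original page or the firewall module.

# Resource defaults for the firewall type. Top-scope defaults apply to every
# firewall resource in the catalog that does not set the attribute itself.
# (Assumed class names my_firewall::pre / my_firewall::post are defined below.)
Firewall {
  proto    => 'all',
  provider => 'iptables',
  before   => Class['my_firewall::post'],
  require  => Class['my_firewall::pre'],
}

class my_firewall::pre {
  # Break the ordering cycle for the rules that must come first.
  Firewall {
    require => undef,
  }

  # Stateful accept. Inherits proto => 'all' from the default, so
  # established UDP and ICMP flows are accepted, not just TCP.
  firewall { '000 accept related established':
    chain  => 'INPUT',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  firewall { '001 accept loopback':
    chain   => 'INPUT',
    iniface => 'lo',
    action  => 'accept',
  }

  # Protocol-specific rules still set proto explicitly; the explicit
  # value overrides the resource default.
  firewall { '010 accept ssh':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    state  => 'NEW',
    action => 'accept',
  }

  firewall { '011 accept ipmi':
    chain  => 'INPUT',
    proto  => 'udp',
    dport  => 623,
    state  => 'NEW',
    action => 'accept',
  }
}

class my_firewall::post {
  # With proto => 'all' this rule drops everything not accepted above.
  # With the type's built-in 'tcp' default it would render as
  # "DROP tcp ... /* 999 drop all */" and leave UDP/ICMP to the chain policy.
  firewall { '999 drop all':
    chain  => 'INPUT',
    action => 'drop',
    before => undef,
  }
}

include my_firewall::pre
include my_firewall::post
```

Two caveats when using this. Resource defaults in Puppet are dynamically scoped: a default declared inside a class only reaches that class and the classes it declares, which is why the answer puts the Firewall {} block at top scope in site.pp. And the default only covers attributes a resource leaves unset, so after deploying it, confirm with iptables -L -n that every catch-all rule now shows "all" in the prot column and that only the rules you meant to restrict still show tcp or udp.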
