This repository has been archived by the owner on Nov 8, 2019. It is now read-only.
When a cloud provider can handle security towards server instances, we "flush" the local server firewall rules using concerto cli upon booting. We do not really flush the rules, we just set the default policy to "accept" traffic.
Expected Behavior
When "flushing" firewall rules, all incoming traffic should be allowed.
Current Behavior
As we do not really flush, but just set the default policy to allow, we encounter a problem in RHEL as there is a "catch all"-rule that rejects traffic that did not match any earlier rules. As a consequence, the default allow policy is never applied, and traffic is being denied, such as Zabbix traffic.
Possible Solution
RHEL and CentOS have a different way of configuring their firewall. Under the hood they use "iptables" just as Debian/Ubuntu do; however, it is managed at a higher level by firewalld.
In the case of RHEL/CentOS AND if the firewalld service is enabled, the following command configures the server to trust all incoming traffic:
firewall-cmd --set-default-zone=trusted
Steps to Reproduce (for bugs)
1. Provision a RHEL server
2. Verify that Zabbix monitoring data is not being fetched from the server
3. Disable the firewall and verify that monitoring data is coming in
4.
Context and environment
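An added example, not part of the original issue and not concerto code: a shell check that reads `iptables -S INPUT` output and reports whether an unconditional REJECT/DROP rule fires before the default policy, which is the condition described under Current Behavior. The names `chain_policy_state` and `sample_rules` and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example, not concerto code. chain_policy_state and sample_rules are
# hypothetical names; the rule set below is constructed for illustration.

# Reads `iptables -S INPUT` style text on stdin and prints one of:
#   policy-applies   no unconditional terminal rule, default policy is reached
#   shadowed-deny    an unconditional REJECT/DROP rule fires before the policy
#   shadowed-accept  an unconditional ACCEPT rule fires before the policy
#   no-policy        no "-P INPUT" line in the input
# Limitation: jumps into user-defined chains (as firewalld creates) are not followed.
chain_policy_state() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        # "-A INPUT -j TARGET ..." has no match options, so it matches every packet.
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && first == "" {
            if ($4 == "ACCEPT" || $4 == "REJECT" || $4 == "DROP") first = $4
        }
        END {
            if (policy == "")                              print "no-policy"
            else if (first == "REJECT" || first == "DROP") print "shadowed-deny"
            else if (first == "ACCEPT")                    print "shadowed-accept"
            else                                           print "policy-applies"
        }
    '
}

# Constructed sample: ACCEPT policy followed by a catch-all REJECT.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

echo "sample rule set: $(sample_rules | chain_policy_state)"
# On a live host (as root): iptables -S INPUT | chain_policy_state
```

A result of `shadowed-deny` alongside an ACCEPT policy means changing the policy alone has no effect on unmatched traffic.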