
Firewalld not reloading in 3.0 #38

Closed
ntlug opened this issue Jan 21, 2016 · 11 comments
Labels
bug Something isn't working
Comments

@ntlug

ntlug commented Jan 21, 2016

Is there any way to force the firewall-cmd --reload?

Here's what I have for a node:

firewalld_service { 'Allow postgresql':
  ensure  => 'present',
  service => 'postgresql',
  zone    => 'public',
}

Did I miss something easy in the docs? I thought I read that on any change a forced reload would get done, or something like that. I need at least a --reload done.

@ntlug
Author

ntlug commented Jan 21, 2016

After manually doing a firewalld restart (yes, I even did the full restart)... I see the entries via iptables -L -n, but still can't connect. I'm comparing with our reference (non-puppeted) box: iptables -L -n matches exactly and zones/public.xml looks the same... sigh... but the reference box firewall allows the connection, and our puppeted box does not (sigh). We'll keep looking. But still, it didn't seem to do the reload on its own; we forced it.

@allen00se

What I have noticed is that the reload isn't enough. I created a service with this puppet module and the config shows up in /etc/firewalld/service/"name of service".xml. At that point I can do a reload or restart and the config still won't take effect. I have to run

firewall-cmd --permanent --add-service="name of service"
firewall-cmd --reload

in order for the config to actually go into effect.

@gothicx
Contributor

gothicx commented Jun 7, 2016

Are you using the latest version of the module? I'm using RHEL7 and I don't have any issues.

https://github.com/gothicx/puppet-firewalld/blob/master/lib/puppet/provider/firewalld_service/firewall_cmd.rb

The code here shows that it's doing a --permanent and a reload afterwards, so you should not have issues.

@BrandonIngalls

In testing the latest version 3.0.1 I have been running into this issue with rich rules as well.

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# puppet apply --parser future -e 'include lab_roles::lab_machine'
Notice: Compiled catalog for blingall-72-2.local in environment production in 2.40 seconds
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - tcp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - tcp]/ensure: created
Notice: Finished catalog run in 10.63 seconds

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <rule family="ipv4">
    <source address="10.0.0.0/8"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.55.0/23"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="rpc-bind"/>
    <accept/>
  </rule>
</zone>

Once I issue firewall-cmd --reload the firewall rules are applied.

[root@blingall-72-2 firewalld]# cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 7.2 (Maipo)
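The state shown above (zone XML written, runtime unchanged until a manual --reload) is a permanent-vs-runtime drift that a host check can catch. The script below is an added example, not code from the puppet-firewalld module: it normalises two firewall-cmd --list-all listings and reports lines present in the permanent view but missing from the runtime view. The firewalld_drift helper name and the sample listings are constructed for this illustration.

```shell
# Added example (not from the puppet-firewalld module): detect the state this
# issue describes, where the zone config on disk was written but
# firewall-cmd --reload never ran, so permanent and runtime views disagree.

# Normalise a `firewall-cmd --list-all` listing: drop the zone header line,
# strip indentation and trailing blanks, drop empty lines, sort so rule order
# does not matter.
normalize_listing() {
    sed '1d; s/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort
}

# compare_listings RUNTIME PERMANENT
# Returns 0 when both views match, 1 on drift (listing lines only in permanent).
compare_listings() {
    run=$(printf '%s\n' "$1" | normalize_listing)
    perm=$(printf '%s\n' "$2" | normalize_listing)
    [ "$run" = "$perm" ] && return 0
    echo "DRIFT: permanent zone config is not active (missing firewall-cmd --reload?)"
    printf '%s\n' "$perm" | while IFS= read -r line; do
        printf '%s\n' "$run" | grep -qxF -- "$line" || echo "  only in permanent: $line"
    done
    return 1
}

# Live check on a firewalld host (assumes firewall-cmd is on PATH; hypothetical helper).
firewalld_drift() {
    zone=${1:-public}
    compare_listings "$(firewall-cmd --zone="$zone" --list-all)" \
                     "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Constructed sample listings modelled on the output in this issue: the runtime
# view lacks the port rule that puppet wrote to the permanent config.
RUNTIME_SAMPLE='public (default, active)
  interfaces: enp0s3
  ports: 5555/tcp
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept'
PERMANENT_SAMPLE='public
  interfaces: enp0s3
  ports: 5555/tcp
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" port port="1025-65535" protocol="tcp" accept
        rule family="ipv4" source address="10.50.55.0/23" accept'

compare_listings "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" || echo "exit status: $?"
```

Running firewalld_drift after a puppet run (or from a periodic audit) gives a non-zero exit whenever the on-disk zone config has not been activated.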

@crayfishx
Contributor

@BrandonIngalls are you sure you are including the firewall class (include firewalld), or are you just defining firewalld_zone resources from the profile without the base class included? If firewalld is included it should farm out to the exec to reload the firewall upon change...

@crayfishx
Contributor

crayfishx commented Aug 12, 2016

We do have a problem here: we used to do collector syntax chaining to notify the exec to reload firewalld, but now that notify is only valid for resources declared from the class (e.g. from hiera). The short term solution is to make sure you notify Exec['firewalld::reload'] from the resource declaration. I think the best long term fix is to use the autonotify feature in the firewalld_service type (this I can test tomorrow); that would only be valid for puppet 4.0+ though.

@crayfishx
Contributor

An easier (and more backwards compatible) fix will be just to reintroduce the chaining dependencies from init.pp that we dropped in 3.0.0. I can do that tomorrow as it's a minor bug fix.

crayfishx added a commit that referenced this issue Aug 13, 2016
Set dependencies using resource chaining so that resource
declarations made outside of this class (eg: from the profile)
also get their dependencies set automatically, this addresses
various issues found in #38
@crayfishx
Contributor

@BrandonIngalls does #70 solve this issue for you?

@crayfishx crayfishx added the bug Something isn't working label Aug 13, 2016
@crayfishx crayfishx changed the title from "On puppet enterprise 3.8.0, CentOS 7 agent, xml file gets set but no firewall-cmd --reload gets done" to "Firewalld not reloading in 3.0" Aug 13, 2016
@crayfishx
Contributor

I've changed the topic of this issue to reflect the latest discussion, since the older posts were slightly different and fixed in 2.2.

@crayfishx crayfishx added this to the 3.0.3 milestone Aug 13, 2016
@BrandonIngalls

@crayfishx PR #70 does resolve this issue for me.

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@puppet-firewalld-test firewalld-test]# puppet apply test1.pp
Notice: Compiled catalog for puppet-firewalld-test.local in environment production in 0.91 seconds
Notice: /Stage[main]/Main/Firewalld_rich_rule[Allow IT Access to ALL]/ensure: created
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 2.55 seconds

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.50.55.0/24" accept

@crayfishx
Contributor

Released in 3.1.0
