Cannot get working with custom JSON objects (Documentation confusion) #205
Comments
Hi there -- it's true, firewalld is a wrapper on the same kernel structures as iptables ;) While there is a zone attribute on the firewall resource, I haven't tested this cookbook with multiple NICs or multiple/custom zones. The operative code for writing rules, which we'd need to make zone-aware, is at https://github.com/chef-cookbooks/firewall/blob/master/libraries/helpers_firewalld.rb#L77. It looks like we'd need to add a zone parameter to the firewall_rule resource, and then in the code I linked, add support for

This cookbook was meant to be a first approximation to the general idea of a firewall across a bunch of different OSes and firewall implementations, but using multiple zones is stretching it. If it saves you some pain, there may be a firewalld-only cookbook that has deeper support for firewalld-specific concepts. I'm happy to review & test a PR if you're interested in taking a shot at support for this in the firewall cookbook 👍
Thanks for your feedback. I completely understand. I was trying to use this cookbook because it is more abstract, but I can see how my needs are a bit tightly coupled to firewalld. If it's just modifying that method to add in the

My last part for this is some clarification, then. I assume that I only need one:

In my loop I am doing:

but that seems not necessary at all. I just need to loop over the rules and apply them. Adding the

By using

Just trying to clear up some confusion. To me, it seems I only need one declaration of

Thanks again
Cookbook version: 2.7.0
Chef-client version: 14.9.13
Platform Details: CentOS 7
Scenario:
Not sure if it's just me, but the instructions are not very clear. I gave it the old college try...
What I am trying to do is build a recipe that allows me to use data_bags and environments to specify rules. Most of the nodes are going to be CentOS 7, but I have a few Ubuntu 16 too (maybe different versions pending third-party software). Most nodes will have 2 NICs, one in zone `public` and another in `trusted`.
During development, I used rspec and everything worked as expected. When I went to Test Kitchen, well, that's when I found out nothing was working. So I shelled into the node and realized no rules were being applied.
Ideally, I first want the default zone to be `:public`. Then I wanted to apply rules to each zone from the JSON objects. For this ticket, I only have public defined, but this is still problematic.
When testing with rspec, it all looked good.
When I used Test Kitchen, I can sometimes get the zone to be public. I can also see the rules in iptables, but they don't seem to be zone specific?
Hopefully I am just doing something stupid or am not clear on this part. I am hoping for a push in the right direction here... Or at least clarify the documentation a bit, because it seems incomplete and has no working examples.
Thanks for your time.
An example of an environment (dev):
The above environment has a firewall zone config that opens up port `22` for all private IP addresses.
An example of a data_bag (firewall:global) is:
Ideally, this allows global rules to be applied to the recipe.
The cookbook I am working on (it's been modified a bit from different tickets and Google results; this is my current version):
My rspec test (replaced IPs, but it should work the same):
I do see output like it is being applied when running Test Kitchen:
(removed some personal IPs from the output)
It seems the rules are in `iptables` (didn't realize firewalld was a wrapper for iptables?), but the rules don't appear to be locked to a zone. Meaning, when I use it on a node with 2 NICs, the rules are applied to both NICs (they are in 2 different zones).
Expected Result:
I expect the default zone to be public and my IPs to be whitelisted. I expected my rules to be locked to the specified zone and be permanent.
Actual Result:
Default zone stays `drop` and no rules are applied. Sometimes, through many edits, I can get the zone to be public, but no rules are applied. Just seems some clarification or better examples in the documentation would help a lot.
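Added example for this thread, not code from the issue or from the firewall cookbook: the maintainer's comment says `firewall_rule` in 2.7.0 has no zone parameter and that the firewalld helper would need to be made zone-aware, and the issue body asks for rules that are locked to one zone and permanent. The snippet below shows what that translation looks like at the firewalld level: it takes data-bag-style rule hashes (string keys `zone`, `port`, `protocol`, `source`, `command` are an assumed layout chosen to mirror the cookbook's `firewall_rule` properties), validates them, and produces the `firewall-cmd` invocations that bind each NIC to a zone and add permanent rich rules scoped to that zone. The zone list, the interface-to-zone map, the command-to-action mapping and the sample rules are all constructed for illustration.

```ruby
# Illustrative code written for this issue thread; not the firewall cookbook's helper.
# Assumed rule layout (string keys, as data bag items are): zone, port, protocol, source, command.
require 'ipaddr'

# Zones that ship with firewalld; anything else is rejected instead of being passed through.
ALLOWED_ZONES = %w[public trusted internal work home dmz drop block external].freeze
# Assumed mapping from cookbook-style command values to firewalld rich-rule actions.
ACTION_FOR_COMMAND = { 'allow' => 'accept', 'deny' => 'drop', 'reject' => 'reject' }.freeze

# Validate one rule hash and return a normalised copy (symbol keys).
# Raises ArgumentError / IPAddr::InvalidAddressError instead of emitting a rule
# that is wider or differently scoped than the author intended.
def normalise_rule(rule)
  zone = rule.fetch('zone', 'public').to_s
  raise ArgumentError, "unknown zone: #{zone}" unless ALLOWED_ZONES.include?(zone)

  command = rule.fetch('command', 'allow').to_s
  action = ACTION_FOR_COMMAND[command]
  raise ArgumentError, "unknown command: #{command}" if action.nil?

  port = Integer(rule.fetch('port'))
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)

  protocol = rule.fetch('protocol', 'tcp').to_s
  raise ArgumentError, "unknown protocol: #{protocol}" unless %w[tcp udp].include?(protocol)

  source = nil
  family = 'ipv4'
  if rule['source']
    raw = rule['source'].to_s
    addr = IPAddr.new(raw) # raises IPAddr::InvalidAddressError on junk
    # A typo such as 10.0.0.1/8 would be silently masked to 10.0.0.0/8 and allow a
    # whole /8; reject any source whose host bits are set rather than widen the rule.
    raise ArgumentError, "host bits set in source: #{raw}" unless addr == IPAddr.new(raw.split('/').first)
    family = addr.ipv6? ? 'ipv6' : 'ipv4'
    source = "#{addr}/#{addr.prefix}" # canonical CIDR
  end

  { zone: zone, action: action, port: port, protocol: protocol, source: source, family: family }
end

# Build the firewalld rich rule for one normalised rule. Rich rules are what let a
# single rule be scoped to one zone and one source range at the same time.
def rich_rule(r)
  parts = ["rule family=\"#{r[:family]}\""]
  parts << "source address=\"#{r[:source]}\"" if r[:source]
  parts << "port port=\"#{r[:port]}\" protocol=\"#{r[:protocol]}\""
  parts << r[:action]
  parts.join(' ')
end

# Return the firewall-cmd invocations (as argv arrays, never a shell string) that
# set the default zone, bind each interface to its zone, add every rule permanently
# in its own zone, and finally reload so the permanent config becomes the runtime one.
def firewall_cmd_plan(rules, default_zone: 'public', interfaces: {})
  raise ArgumentError, "unknown zone: #{default_zone}" unless ALLOWED_ZONES.include?(default_zone)

  plan = [['firewall-cmd', "--set-default-zone=#{default_zone}"]]
  interfaces.each do |iface, zone|
    raise ArgumentError, "unknown zone: #{zone}" unless ALLOWED_ZONES.include?(zone)
    plan << ['firewall-cmd', '--permanent', "--zone=#{zone}", "--change-interface=#{iface}"]
  end
  rules.map { |rule| normalise_rule(rule) }.each do |r|
    plan << ['firewall-cmd', '--permanent', "--zone=#{r[:zone]}", "--add-rich-rule=#{rich_rule(r)}"]
  end
  plan << ['firewall-cmd', '--reload']
  plan
end

# Constructed sample mirroring the thread's setup: two NICs in different zones, SSH
# allowed from RFC 1918 space on the public zone only, one service on the trusted zone.
SAMPLE_RULES = [
  { 'zone' => 'public', 'port' => 22, 'protocol' => 'tcp', 'source' => '10.0.0.0/8', 'command' => 'allow' },
  { 'zone' => 'public', 'port' => 22, 'protocol' => 'tcp', 'source' => '192.168.0.0/16', 'command' => 'allow' },
  { 'zone' => 'trusted', 'port' => 5432, 'source' => '172.16.0.0/12' }
].freeze

if __FILE__ == $PROGRAM_NAME
  plan = firewall_cmd_plan(SAMPLE_RULES, interfaces: { 'eth0' => 'public', 'eth1' => 'trusted' })
  plan.each { |argv| puts argv.join(' ') }
end
```

The plan is emitted as argv arrays so a caller can hand each one to `execute` or `shell_out` without shell quoting issues. Two caveats when turning this into a real recipe: on hosts where NetworkManager manages the interfaces, the interface-to-zone binding is better stored on the connection (the `connection.zone` property) than via `--change-interface`; and the `--reload` step is what the thread's "rules visible but not applied" symptom usually comes down to, since `--permanent` changes do not touch the running ruleset until reload.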