We have Puppet set specific firewall rules on our system administrator's workstations. We discovered recently that some systems were connected to the wrong network ports and were able to get admin access to things based on IP address. All of these systems are using Puppet, so we wanted to have Puppet fail if a system is on the admin network and doesn't have the correct firewall rules enabled.
This worked perfectly yesterday and now doesn't work today and I can't figure out why.
We have a factor that creates facts in the format vlan####_interface: eth0 and vlan###_ipaddress: 10.72.1.100 based on the IP addresses actually on the machine.
profile/manifests/firewall_rulesets/vlan2501.pp

```puppet
class profile::firewall_rulesets::vlan2501 {
  firewall { "801 add some example firewall rule":
    ensure => present,
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => '22',
    source => ['10.72.1.0/24'],
    state  => ['NEW'],
    action => 'accept',
  }
}
```
profile/manifests/base.pp

```puppet
class profile::base {
  # ... other stuff ...
  Firewall {
    before  => Class['::fw::post'],
    require => Class['::fw::pre'],
  }
  include ::fw::pre
  include ::fw::post
}
```
fw/manifests/pre.pp

```puppet
class fw::pre {
  Firewall {
    require => undef,
  }
  # ensure input rules are cleaned out, but ignore fail2ban
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    ignore => '-j f2b-sshd',
    purge  => true,
  }
  firewallchain { 'f2b-sshd:filter:IPv4':
    ignore => '-A f2b-sshd',
  }
  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  -> firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  -> firewall { '002 reject local traffic not on loopback interface':
    proto       => 'all',
    iniface     => '! lo',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }
  -> firewall { '003 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}
```
fw/manifests/post.pp

```puppet
class fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
  # This is set to be after all other firewall rules by profile::base
  if $facts['vlan2501_ipaddress'] {
    if (! defined( Class['profile::firewall_rulesets::vlan2501'] )) {
      # We want to fail, not include the missing rules, because we want admins to be forced
      # to verify all the other included manifests and make sure the machine is properly set up
      fail( "An interface with an IP address is on VLAN 2501, but does not have the correct firewall rules. ${facts['vlan2501_interface']} => ${facts['vlan2501_ipaddress']}" )
    }
  }
}
```
role/manifests/staff_workstation.pp

```puppet
class role::my_example_machine {
  include ::profile::base
  include ::profile::firewall_rulesets::vlan2501
  # ... other stuff ...
}
```
My understanding is that since fw::post is set to require all other Firewall actions, the check for Class['profile::firewall_rulesets::admin_workstation'] should be true even though it is included after profile::base.
0 Answers
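An added example, not part of the question above, showing the same fact-driven "fail if the ruleset is missing" check written so that it does not depend on where `fw::post` happens to be included. Two things about Puppet drive the design: `before`/`require` only order resource application on the agent, while `defined()` and `fail()` run during catalog compilation, and Puppet's own documentation states that `defined()` for a class is parse-order dependent, so it only sees classes declared earlier in the manifest evaluation. The check is therefore moved into its own class that the role includes last, and it is generalised to a VLAN-to-ruleset map so more admin VLANs can be added without new conditionals. The facts `vlanNNNN_ipaddress` / `vlanNNNN_interface` and the class `profile::firewall_rulesets::vlan2501` come from the question; `profile::firewall_audit`, its `$required_rulesets` parameter and `role::staff_workstation` are assumed names for this example.

```puppet
# profile/manifests/firewall_audit.pp  (added example, hypothetical class name)
#
# Compile-time check: every admin VLAN that an interface is actually on must
# have its ruleset class declared in the catalog. Facts vlanNNNN_ipaddress /
# vlanNNNN_interface are produced by the site's custom fact, as in the question.
class profile::firewall_audit (
  # VLAN number => class that must be declared when an interface sits on it.
  # Assumed mapping; extend it as more admin VLANs get their own ruleset class.
  Hash[Integer, String] $required_rulesets = {
    2501 => 'profile::firewall_rulesets::vlan2501',
  },
) {
  $required_rulesets.each |Integer $vlan, String $ruleset| {
    $ip_fact = "vlan${vlan}_ipaddress"
    $if_fact = "vlan${vlan}_interface"

    if $facts[$ip_fact] {
      # defined() is evaluated now, at compile time, and only sees classes
      # declared earlier in parse order. Resource relationships (before/require)
      # do not change that, which is why this class must be included after
      # every ruleset include in the role rather than from inside profile::base.
      unless defined(Class[$ruleset]) {
        fail("Interface ${facts[$if_fact]} (${facts[$ip_fact]}) is on VLAN ${vlan} but ${ruleset} is not declared in this catalog")
      }
    }
  }
}

# role/manifests/staff_workstation.pp  (added example, hypothetical role name)
class role::staff_workstation {
  include ::profile::base
  include ::profile::firewall_rulesets::vlan2501
  # The audit goes last so every ruleset include above is already in the
  # catalog when defined() runs. Removing the vlan2501 include on a machine
  # whose fact reports a VLAN 2501 address makes compilation fail, as intended.
  include ::profile::firewall_audit
}
```

To exercise the check without a real interface on the admin VLAN, Facter's environment override can supply the facts on a test node, for example `FACTER_vlan2501_ipaddress=10.72.1.100 FACTER_vlan2501_interface=eth0 puppet apply --noop -e 'include role::staff_workstation'`; with the ruleset include present the catalog compiles, and with it removed the run stops at the `fail()` message before any firewall resource is touched.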