sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

Default firewall install with attribute allowing SSH to work fails on CentOS 7 #103

Closed jasonmcintosh closed 9 years ago

jasonmcintosh commented 9 years ago

On a clean CentOS 7.1.1503 box with nothing else applied, the firewall log shows that the rule: allow world to ssh is applied to the server. However, it appears that the firewall is turned on and SSH is NOT allowed. The only file I see is /etc/sysconfig/firewalld-chef.rules - the main /etc/sysconfig/firewalld has not been modified. The output of: firewall-cmd --list-all:

drop (default, active)
 interfaces: eno1234567
 sources:
 services:
 ports:
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich-rules:

node attributes for firewall:

firewall
  allow_ssh: true
  allow_winrm: false
  ubuntu_iptables: false
  allow_established: true
  ipv6_enabled: true
  iptables
  ufw

martinb3 commented 9 years ago

Hello! We're testing for this in each integration test, so I'm surprised it isn't enabled. Do you have a chef log of the rule being applied or skipped? Or an example cookbook demonstrating the problem? And can you confirm the firewall rules weren't manipulated outside of Chef?

Also, the firewalld logic that was contributed by the community includes a :save action, which will make the rules persistent (as I understand it, firewalld has both persistent and non-persistent rules). If a server was rebooted, it would come up the way you describe.

jasonmcintosh commented 9 years ago

Interestingly enough, I downloaded the clean stuff for this in vagrant. As a guess maybe because vagrant doesn't actually use a normal TCP connection, the integration tests aren't catching this. At least, a kitchen converge default-centos-71 and vagrant login shows the same values.

jasonmcintosh commented 9 years ago

Full log:

      Synchronizing Cookbooks:
         - firewall-test (1.0.0)
         - chef-sugar (3.1.1)
         - firewall (2.1.0)
       Compiling Cookbooks...
       Recipe: chef-sugar::default

           - install version 3.1.1 of package chef-sugar
       [2015-10-23T17:56:59+00:00] WARN: Cloning resource attributes for firewall[default] from prior resource (CHEF-3694)
       [2015-10-23T17:56:59+00:00] WARN: Previous firewall[default]: /tmp/kitchen/cache/cookbooks/firewall/recipes/default.rb:22:in `from_file'
       [2015-10-23T17:56:59+00:00] WARN: Current  firewall[default]: /tmp/kitchen/cache/cookbooks/firewall-test/recipes/default.rb:4:in `from_file'
       [2015-10-23T17:56:59+00:00] WARN: Cloning resource attributes for firewall_rule[duplicate0] from prior resource (CHEF-3694)
       [2015-10-23T17:56:59+00:00] WARN: Previous firewall_rule[duplicate0]: /tmp/kitchen/cache/cookbooks/firewall-test/recipes/default.rb:53:in `block in from_file'
       [2015-10-23T17:56:59+00:00] WARN: Current  firewall_rule[duplicate0]: /tmp/kitchen/cache/cookbooks/firewall-test/recipes/default.rb:59:in `block in from_file'
       [2015-10-23T17:56:59+00:00] WARN: Cloning resource attributes for firewall_rule[duplicate1] from prior resource (CHEF-3694)
       [2015-10-23T17:56:59+00:00] WARN: Previous firewall_rule[duplicate1]: /tmp/kitchen/cache/cookbooks/firewall-test/recipes/default.rb:53:in `block in from_file'
       [2015-10-23T17:56:59+00:00] WARN: Current  firewall_rule[duplicate1]: /tmp/kitchen/cache/cookbooks/firewall-test/recipes/default.rb:59:in `block in from_file'
         Converging 21 resources
        (up to date)
       Recipe: firewall::default
         * firewall[default] action install
           - install firewalld, create template for /etc/sysconfig
        (up to date)

           - enable service service[firewalld]

           - start service service[firewalld]
         * file[create empty /etc/sysconfig/firewalld-chef.rules] action create

           - update content in file /etc/sysconfig/firewalld-chef.rules from none to fa85ee
           --- /etc/sysconfig/firewalld-chef.rules  2015-10-23 17:57:07.059157824 +0000
           +++ /etc/sysconfig/.firewalld-chef.rules20151023-11125-lc8ceu    2015-10-23 17:57:07.059157824 +0000
           @@ -1 +1,2 @@

         * firewall_rule[allow world to ssh] action create

         * firewall_rule[allow world to winrm] action create (skipped due to only_if)
         * firewall_rule[established] action create

         * firewall_rule[ipv6_icmp] action create

       Recipe: firewall-test::default
         * firewall[default] action install[2015-10-23T17:57:07+00:00] WARN: Cloning resource attributes for yum_package[firewalld] from prior resource (CHEF-3694)
       [2015-10-23T17:57:07+00:00] WARN: Previous yum_package[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:34:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Current  yum_package[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:34:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Cloning resource attributes for service[firewalld] from prior resource (CHEF-3694)
       [2015-10-23T17:57:07+00:00] WARN: Previous service[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:38:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Current  service[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:38:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Cloning resource attributes for file[create empty /etc/sysconfig/firewalld-chef.rules] from prior resource (CHEF-3694)
       [2015-10-23T17:57:07+00:00] WARN: Previous file[create empty /etc/sysconfig/firewalld-chef.rules]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:42:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Current  file[create empty /etc/sysconfig/firewalld-chef.rules]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:42:in `block (2 levels) in <class:FirewallFirewalld>'

           - install firewalld, create template for /etc/sysconfig
         * yum_package[firewalld] action install (up to date)
        (up to date)
        (up to date)
         * file[create empty /etc/sysconfig/firewalld-chef.rules] action create (skipped due to not_if)
         * firewall_rule[ssh22] action create

         * firewall_rule[ssh2222] action create

         * firewall_rule[temp1] action create

         * firewall_rule[temp2] action create

         * firewall_rule[addremove] action create

         * firewall_rule[addremove2] action create

         * firewall_rule[prepend] action create

         * firewall_rule[duplicate0] action create

         * firewall_rule[duplicate0] action create

         * firewall_rule[duplicate1] action create (up to date)
         * firewall_rule[duplicate1] action create (up to date)
         * firewall_rule[block-192.168.99.99] action create

         * firewall_rule[ipv6-source] action create

         * firewall[default] action restart
           * file[/etc/sysconfig/firewalld-chef.rules] action create
             - update content in file /etc/sysconfig/firewalld-chef.rules from fa85ee to d2321f
             --- /etc/sysconfig/firewalld-chef.rules    2015-10-23 17:57:07.059157824 +0000
             +++ /etc/sysconfig/.firewalld-chef.rules20151023-11125-1ykzfit 2015-10-23 17:57:07.876566296 +0000
             @@ -1,2 +1,30 @@
             -# created by chef to allow service to start
             +# position 5
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 5 -p tcp -m tcp -m multiport --dports 7788 -m comment --comment 'prepend' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 5 -p tcp -m tcp -m multiport --dports 7788 -m comment --comment 'prepend' -j ACCEPT
             +# position 49
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 49 -s 192.168.99.99/32 -p tcp -m tcp -m comment --comment 'block-192.168.99.99' -j REJECT
             +# position 50
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'allow world to ssh' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p ipv6-icmp -m comment --comment 'ipv6_icmp' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh22' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh22' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 2200,2222 -m comment --comment 'ssh2222' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 2200,2222 -m comment --comment 'ssh2222' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1234 -m comment --comment 'temp1' -j DROP
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1234 -m comment --comment 'temp1' -j DROP
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1235 -m comment --comment 'temp2' -j REJECT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1235 -m comment --comment 'temp2' -j REJECT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1236 -m comment --comment 'addremove' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1236 -m comment --comment 'addremove' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1236 -m comment --comment 'addremove2' -j DROP
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1236 -m comment --comment 'addremove2' -j DROP
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p 112 -m comment --comment 'protocolnum' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p 112 -m comment --comment 'protocolnum' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 1111 -m comment --comment 'same comment' -j ACCEPT
       comment --comment 'same comment' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 5431,5432 -m comment --comment 'same comment' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 5431,5432 -m comment --comment 'same comment' -j ACCEPT

             - restore selinux security context
       [2015-10-23T17:57:07+00:00] WARN: Cloning resource attributes for service[firewalld] from prior resource (CHEF-3694)
       [2015-10-23T17:57:07+00:00] WARN: Previous service[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:38:in `block (2 levels) in <class:FirewallFirewalld>'
       [2015-10-23T17:57:07+00:00] WARN: Current  service[firewalld]: /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:69:in `block in <class:FirewallFirewalld>'

jasonmcintosh commented 9 years ago

kitchen login default-centos-71

Last login: Fri Oct 23 18:22:40 2015 from 10.0.2.2
[vagrant@default-centos-71 ~]$ firewall-cmd --list-all
drop (default, active)
  interfaces: enp0s3
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

martinb3 commented 9 years ago

@jasonmcintosh What happens if you run this?

[root@default-centos-71 ~]# iptables -L -n | grep 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22 /* ssh22 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 2200,2222 /* ssh2222 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22 /* allow world to ssh */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

I'm seeing the rules pass through from firewalld to iptables.

martinb3 commented 9 years ago

Can you also try this and see if you get an error that the rule is already active?

[root@default-centos-71 sysconfig]# firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'allow world to ssh' -j ACCEPT
Warning: ALREADY_ENABLED

jasonmcintosh commented 9 years ago

On default-centos-71, iptables -L -n | grep 22 returns:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22 /* ssh22 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 2200,2222 /* ssh2222 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22 /* allow world to ssh */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

On a MINIMAL centos71 install, that returns nothing.

Running the firewall-cmd on the vagrant server: Warning: ALREADY_ENABLED

On the minimal install of centos-71, it succeeds, and afterwards ssh'ing to the box works.

jasonmcintosh commented 9 years ago

Note, after I ran the firewall-cmd, THEN the iptables returns the ACCEPT rule on the minimal install.

jasonmcintosh commented 9 years ago

More logs from the initial run:

  Recipe: firewall::default
   * firewall[default] action install
     - install firewalld, create template for /etc/sysconfig
   * yum_package[firewalld] action install (up to date)
   * service[firewalld] action enable (up to date)
   * service[firewalld] action start (up to date)
   * file[create empty /etc/sysconfig/firewalld-chef.rules] action create
     - create new file /etc/sysconfig/firewalld-chef.rules
     - update content in file /etc/sysconfig/firewalld-chef.rules from none to fa85ee
     --- /etc/sysconfig/firewalld-chef.rules2015-10-22 12:51:05.488985221 -0400
     +++ /etc/sysconfig/.firewalld-chef.rules20151022-13032-1kyf5wo2015-10-22 12:51:05.488985221 -0400
     @@ -1 +1,2 @@
     +# created by chef to allow service to start
     - restore selinux security context
   * firewall_rule[allow world to ssh] action create

   * firewall_rule[allow world to winrm] action create (skipped due to only_if)
   * firewall_rule[established] action create 

Recipe: firewall::default
   * firewall[default] action restart
     * file[/etc/sysconfig/firewalld-chef.rules] action create
       - update content in file /etc/sysconfig/firewalld-chef.rules from fa85ee to a219e2
       --- /etc/sysconfig/firewalld-chef.rules2015-10-22 12:51:05.488985221 -0400
       +++ /etc/sysconfig/.firewalld-chef.rules20151022-13032-1w4acs32015-10-22 12:51:08.722985298 -0400
       @@ -1,2 +1,5 @@
       -# created by chef to allow service to start
       +# position 50
       +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'allow world to ssh' -j ACCEPT
       +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
       +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
       - restore selinux security context
 [2015-10-22T12:51:08-04:00] WARN: Cloning resource attributes for service[firewalld] from prior resource (CHEF-3694)
 [2015-10-22T12:51:08-04:00] WARN: Previous service[firewalld]: /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:38:in `block (2 levels) in <class:FirewallFirewalld>'
 [2015-10-22T12:51:08-04:00] WARN: Current  service[firewalld]: /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_firewalld.rb:69:in `block in <class:FirewallFirewalld>'

martinb3 commented 9 years ago

> On a MINIMAL centos71 install, that returns nothing.

Can you tell me exactly what image you're using so I can reproduce? Is it one of the minimal ones listed here?

jasonmcintosh commented 9 years ago

OK found the issue - tested with the CentOS-7-Vagrant-1505-x86_64-01.box available here: http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-Vagrant-1505-x86_64-01.box

It IS a reboot issue - if you reboot after the firewall::default install, you get locked out of the machine. So after the server reboots, it loses access. And additional chef runs don't re-open the firewall rules.

In this case, it sounds like these really need to be persistent rules by default.

martinb3 commented 9 years ago

@yinym & @rdoorn -- could you comment on this issue? Should firewalld rules be persistent by default?

rdoorn commented 9 years ago

@martinb3 Indeed, firewalld rules should always be written as both non-persistent as well as persistent rules. Non-persistent rules are what's currently active, and persistent rules are what's active after a reboot. Updating both when modifying the rules makes the most sense.
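A check for the failure mode rdoorn describes, written as an added example in Ruby (it is not cookbook code and not part of this thread): it compares constructed samples of the runtime and --permanent output of "firewall-cmd --direct --get-all-rules", lists the direct rules that would vanish on reboot, flags whether an SSH allow rule is among them, and builds the --permanent command that would persist each one. The rule-line format "<ipv> <table> <chain> <priority> <args...>" is assumed from firewalld's output.

```ruby
# Constructed sample of `firewall-cmd --direct --get-all-rules` (runtime rules).
RUNTIME_RULES = <<~RULES
  ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'allow world to ssh' -j ACCEPT
  ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
  ipv6 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
RULES

# Constructed sample of `firewall-cmd --permanent --direct --get-all-rules`:
# only one of the three runtime rules was persisted.
PERMANENT_RULES = <<~RULES
  ipv4 filter INPUT 50 -m state --state RELATED,ESTABLISHED -m comment --comment 'established' -j ACCEPT
RULES

# Parse one "<ipv> <table> <chain> <priority> <args...>" line (assumed format).
def parse_rule(line)
  ipv, table, chain, priority, *args = line.strip.split(/\s+/)
  return nil unless ipv && table && chain && priority.to_s.match?(/\A\d+\z/)
  { ipv: ipv, table: table, chain: chain, priority: priority.to_i, args: args.join(' ') }
end

def parse_rules(text)
  text.each_line.map { |l| parse_rule(l) }.compact
end

# Rules active now that are absent from the permanent set: these disappear
# on reboot, which is the lockout reported in this issue.
def runtime_only(runtime_text, permanent_text)
  permanent = parse_rules(permanent_text)
  parse_rules(runtime_text).reject { |r| permanent.include?(r) }
end

# The --permanent twin of a direct rule, i.e. the command that would persist it.
def persist_command(rule)
  "firewall-cmd --permanent --direct --add-rule #{rule[:ipv]} #{rule[:table]} " \
    "#{rule[:chain]} #{rule[:priority]} #{rule[:args]}"
end

# True when a runtime-only rule is an ACCEPT for tcp/22, so a reboot would cut off SSH.
def ssh_at_risk?(rules)
  rules.any? do |r|
    m = r[:args].match(/--dports (\S+)/)
    m && m[1].split(',').include?('22') && r[:args].include?('-j ACCEPT')
  end
end

if __FILE__ == $PROGRAM_NAME
  missing = runtime_only(RUNTIME_RULES, PERMANENT_RULES)
  missing.each { |r| puts persist_command(r) }
  warn 'SSH allow rule is runtime-only; it will not survive a reboot' if ssh_at_risk?(missing)
end
```

On a real host, feed the script the two firewall-cmd outputs instead of the constructed samples; an empty result means runtime and permanent direct rules agree.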

jasonmcintosh commented 9 years ago

Particularly if any recipe were to do a reboot for some reason, that means your rules are essentially ignored or only temporary. I'm working on a patch to add an attribute defaulted to true which sets this.

jasonmcintosh commented 9 years ago

https://github.com/chef-cookbooks/firewall/pull/104

martinb3 commented 9 years ago

I'm good with merging #104, but I just asked there about SemVer and what kind of change we should make this.

martinb3 commented 9 years ago

I've merged in #104. Releasing it after some final testing. Thanks!