sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

Adding a rule on a disabled firewall activates the policy #151

Closed swalberg closed 8 years ago

swalberg commented 8 years ago

Hello! Ran into a regression between 2.5.0 and 2.5.2:

Cookbook version

2.5.2 (does not happen in 2.5.0)

Chef-client version

12.14.89, 12.11.18

Platform Details

CentOS 6.7 and 7.2

Scenario:

If I disable the firewall and a subsequent recipe adds a firewall rule (or rules), the result is that the firewall is started with those rule(s).

Steps to Reproduce:

```ruby
firewall 'default' do
  action :disable
end

firewall_rule "test" do
  port 9876
  command :allow
end
```

Expected Result:

I expect that, at the very least, the firewall would not be running.

Actual Result:

I get a firewall that only allows port 9876:

```text
Converging 2 resources
       Recipe: role-base::seantest
         * firewall_rule[test] action create

       Recipe: role-base::firewall
         * firewall[default] action disable (up to date)
         * service[firewalld] action disable (up to date)
         * service[firewalld] action stop (up to date)
         * file[create empty /etc/sysconfig/firewalld-chef.rules] action create
           - create new file /etc/sysconfig/firewalld-chef.rules
           - update content in file /etc/sysconfig/firewalld-chef.rules from none to fa85ee
           --- /etc/sysconfig/firewalld-chef.rules  2016-09-23 16:05:14.649262948 +0000
           +++ /etc/sysconfig/.chef-firewalld-chef20160923-11272-16be2mj.rules  2016-09-23 16:05:14.649262948 +0000
           @@ -1 +1,2 @@
           +# created by chef to allow service to start
           - restore selinux security context
         * firewall[default] action restart
           * file[/etc/sysconfig/firewalld-chef.rules] action create
             - update content in file /etc/sysconfig/firewalld-chef.rules from fa85ee to c0e8fe
             --- /etc/sysconfig/firewalld-chef.rules    2016-09-23 16:05:14.649262948 +0000
             +++ /etc/sysconfig/.chef-firewalld-chef20160923-11272-1izvi8f.rules    2016-09-23 16:05:14.709292946 +0000
             @@ -1,2 +1,6 @@
             -# created by chef to allow service to start
             +# position 50
             +firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 9876 -m comment --comment 'test' -j ACCEPT
             +firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 9876 -m comment --comment 'test' -j ACCEPT
             +firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 9876 -m comment --comment 'test' -j ACCEPT
             +firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 9876 -m comment --comment 'test' -j ACCEPT
             - restore selinux security context
           * service[firewalld] action enable
             - enable service service[firewalld]
           * service[firewalld] action start
             - start service service[firewalld]
```

This scenario can happen quite easily if the base firewall settings are configured in a common recipe and firewall rules are added by other cookbooks. The only way to prevent this would be to have a global attribute and only_if conditions.

This happened to us when I upgraded firewall to fix #140 for a box where the firewall was disabled, and the recipe to install the Nagios NRPE daemon tried to open up access to NRPE. As a result, I had a server that would only accept NRPE connections.
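One way to catch this regression after a converge, as an added example that is not code from the cookbook or from the reporter: a Ruby check that scans a chef-client run log for a `firewall` resource that was disabled and a firewall service (`firewalld`, `iptables` or `ufw`) that was enabled or started later in the same run. The sample log is constructed from the converge output quoted above.

```ruby
# Added example, not part of the firewall cookbook or this issue's recipes.
# Audits a chef-client converge log for the pattern reported above: a
# firewall resource is disabled, then a later action (here a restart
# triggered by firewall_rule) enables/starts the firewall service again.

# "* firewall[default] action disable (up to date)" -> records the resource
FIREWALL_DISABLED = /\* firewall\[(\S+)\] action disable/
# "* service[firewalld] action start" with no trailing "(up to date)",
# i.e. the service really was enabled or started during this run.
SERVICE_STARTED = /\* service\[(firewalld|iptables|ufw)\] action (start|enable)\s*$/

# Returns one finding per enable/start of a firewall service that occurs
# after a firewall resource was disabled earlier in the same log.
def audit_converge(log)
  disabled = []   # names of firewall resources seen with action :disable
  findings = []
  log.each_line.with_index(1) do |line, lineno|
    if (m = FIREWALL_DISABLED.match(line))
      disabled << m[1]
    elsif (m = SERVICE_STARTED.match(line)) && !disabled.empty?
      findings << { line: lineno, service: m[1], action: m[2],
                    disabled_resources: disabled.dup }
    end
  end
  findings
end

# Constructed sample log, trimmed from the converge output in the report.
SAMPLE_LOG = <<~LOG
  * firewall[default] action disable (up to date)
  * service[firewalld] action disable (up to date)
  * service[firewalld] action stop (up to date)
  * firewall[default] action restart
    * file[/etc/sysconfig/firewalld-chef.rules] action create
    * service[firewalld] action enable
      - enable service service[firewalld]
    * service[firewalld] action start
      - start service service[firewalld]
LOG

if $PROGRAM_NAME == __FILE__
  audit_converge(SAMPLE_LOG).each do |f|
    warn "line #{f[:line]}: #{f[:service]} #{f[:action]} after " \
         "#{f[:disabled_resources].join(', ')} was disabled"
  end
end
```

Feed it the saved output of a real run (`ruby audit.rb < chef-client.log` after swapping `SAMPLE_LOG` for `$stdin.read`) to flag nodes where a disabled firewall was brought back up with only the newly added rules loaded.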

swalberg commented 8 years ago

I was looking at this a bit more... is disabled true (or enabled false) also required if we have action :disable?

martinb3 commented 8 years ago

Hi there -- it looks like someone sent the firewall additional actions after :disable:

```text
           * service[firewalld] action enable
             - enable service service[firewalld]
           * service[firewalld] action start
             - start service service[firewalld]
```

The disabled attribute on the firewall resource is there for this reason -- in case you want to be sure nothing turns the firewall back on through notifications/actions. You should probably use that in this case 👍

martinb3 commented 8 years ago

Let me know if that doesn't solve your issue. Cheers!