Closed jan0sch closed 7 years ago
Are you using the default recipe or default resource in this cookbook?
We're using the default recipe.
Hi @jan0sch -- I assume this is with iptables, where loopback isn't allowed by default? I'm wondering if we should apply these kinds of defaults to iptables, firewalld, or both. Ideally, we would need to bump the major version as part of this, so no one is surprised by the new, slightly more open rule.
I think this is the case with iptables. I remember explicitly allowing loopback traffic in all iptables scripts back in the day.
Yeah, I was surprised by this, ICMP as well. I've got a little blip I put in my wrapper recipe for this to give parity to UFW. UFW's before chain allows loopback and ICMP.
```ruby
# Wrapper-recipe snippet: only on the rhel family, where this cookbook drives
# iptables, add the two rules UFW's before chain already carries.
if platform_family?('rhel')
  # Accept everything on the loopback interface, regardless of protocol.
  firewall_rule 'allow loopback' do
    interface 'lo'
    protocol :none
    command :allow
    only_if { linux? && node['firewall']['allow_loopback'] }
  end

  # Accept ICMP so ping and path MTU discovery keep working.
  firewall_rule 'allow icmp' do
    protocol :icmp
    command :allow
    only_if { node['firewall']['allow_icmp'] }
  end
end
```
On another note, thanks again @martinb3 for maintaining this, it really kicks ass.
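To confirm on a node whether the situation described above actually applies (loopback and ICMP dropped by the iptables defaults) before or after adding the wrapper rules, the following added audit script inspects the text of `iptables-save`. It is an example written for this thread, not code from the firewall cookbook or from any commenter; the two dumps inside it are constructed to resemble the default ruleset and the repaired one, the script only looks at the flat `INPUT` chain and does not follow jumps into user chains (so it would not see inside UFW's `ufw-before-input`), and the `repair_commands` helper is an illustration of the fix rather than a cookbook resource.

```ruby
# Audit an iptables-save dump: does the INPUT chain accept loopback and
# ICMP before any rule (or the chain policy) would drop them?
DENY   = /-j (DROP|REJECT)\b/
ACCEPT = /-j ACCEPT\z/

# Rules of one chain in the filter table, in order, with "-A <chain> " stripped.
def chain_rules(dump, chain = 'INPUT')
  in_filter = false
  dump.each_line.with_object([]) do |line, rules|
    line = line.strip
    in_filter = (line == '*filter') if line.start_with?('*')
    rules << line.sub("-A #{chain} ", '') if in_filter && line.start_with?("-A #{chain} ")
  end
end

# Default policy of a chain (e.g. "DROP"), or nil if the chain is not declared.
def chain_policy(dump, chain = 'INPUT')
  in_filter = false
  dump.each_line do |line|
    line = line.strip
    in_filter = (line == '*filter') if line.start_with?('*')
    next unless in_filter
    m = line.match(/\A:#{chain} (\S+) /)
    return m[1] if m
  end
  nil
end

# Index of the first rule with target +target+ that applies to packets matching
# +pattern+, either explicitly or because it is a catch-all with no match
# specifiers at all (such as "-j DROP"). nil when no such rule exists.
def first_rule(rules, pattern, target)
  rules.index { |r| r =~ target && (r =~ pattern || r.start_with?('-j ')) }
end

# True when such packets reach an ACCEPT before any DROP/REJECT that would
# apply to them; with no deciding rule, the chain policy decides.
def allowed_before_drop?(dump, pattern, chain: 'INPUT')
  rules  = chain_rules(dump, chain)
  accept = first_rule(rules, pattern, ACCEPT)
  deny   = first_rule(rules, pattern, DENY)
  return deny.nil? && chain_policy(dump, chain) != 'DROP' if accept.nil?
  deny.nil? || accept < deny
end

def loopback_allowed?(dump)
  allowed_before_drop?(dump, /-i lo\b/)
end

def icmp_allowed?(dump)
  allowed_before_drop?(dump, /-p icmp\b/)
end

# iptables invocations (hypothetical repair helper, not a cookbook resource)
# for whatever the audit found missing, inserted at position 1 so they
# precede every existing rule.
def repair_commands(dump)
  cmds = []
  cmds << 'iptables -I INPUT 1 -i lo -j ACCEPT'   unless loopback_allowed?(dump)
  cmds << 'iptables -I INPUT 1 -p icmp -j ACCEPT' unless icmp_allowed?(dump)
  cmds
end

# Constructed sample: established traffic and ssh accepted, policy DROP,
# nothing about lo or icmp, i.e. the situation reported in this issue.
BLOCKING_DUMP = <<~DUMP
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  COMMIT
DUMP

# Constructed sample: the same ruleset with loopback and ICMP rules placed
# ahead of the port rules and an explicit trailing drop.
FIXED_DUMP = <<~DUMP
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -j DROP
  COMMIT
DUMP

if __FILE__ == $PROGRAM_NAME
  { 'blocking' => BLOCKING_DUMP, 'fixed' => FIXED_DUMP }.each do |name, dump|
    puts "#{name}: loopback=#{loopback_allowed?(dump)} icmp=#{icmp_allowed?(dump)}"
    repair_commands(dump).each { |c| puts "  #{c}" }
  end
end
```

On a real node, feed it `iptables-save` output (`ruby audit.rb < <(iptables-save)` after replacing the constants with `STDIN.read`); the order check matters because a loopback accept appended after a catch-all `-j DROP` is never reached, which is why the wrapper rules above need to come before the port rules.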
Hi @jan0sch -- could you give master a try and see if it's what you're looking for? Thanks!
We just noticed that the default rules for iptables seem to block local traffic. This could be repaired using a simple rule like this:
Should I create a pull request to include this in the cookbook?