voxpupuli / puppet-firewalld

Puppet module for managing firewalld
Apache License 2.0

firewalld supports the addition of protocols to zones #183

Open vbyrd opened 6 years ago

vbyrd commented 6 years ago

It seems firewalld has had this functionality since "firewalld-0.3.15". I have not been able to find a reference to it in this module. Is there a plan to add this functionality at a later date? I could see common scenarios being the addition of l2tp, gre, and igmp protocols to a zone.

From the firewalld man page:

        List protocols added for zone as a space separated list. If zone is omitted, default zone will be used. 

[--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]

        Add the protocol for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.

        The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for supported protocols.

        The --timeout option is not combinable with the --permanent option. 

[--permanent] [--zone=zone] --remove-protocol=protocol

        Remove the protocol from zone. If zone is omitted, default zone will be used. This option can be specified multiple times. 

[--permanent] [--zone=zone] --query-protocol=protocol

        Return whether the protocol has been added for zone. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise.

Example of /etc/protocols:

# $Id: protocols,v 1.11 2011/05/03 14:45:40 ovasik Exp $
#
# Internet (IP) protocols
#
#       from: @(#)protocols     5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
# Last IANA update included dated 2011-05-03
#
# See also http://www.iana.org/assignments/protocol-numbers

ip      0       IP              # internet protocol, pseudo protocol number
hopopt  0       HOPOPT          # hop-by-hop options for ipv6
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
ggp     3       GGP             # gateway-gateway protocol
ipv4    4       IPv4            # IPv4 encapsulation
st      5       ST              # ST datagram mode
tcp     6       TCP             # transmission control protocol
cbt     7       CBT             # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
egp     8       EGP             # exterior gateway protocol
igp     9       IGP             # any private interior gateway (Cisco: for IGRP)
bbn-rcc 10      BBN-RCC-MON             # BBN RCC Monitoring
nvp     11      NVP-II          # Network Voice Protocol
pup     12      PUP             # PARC universal packet protocol
argus   13      ARGUS           # ARGUS
emcon   14      EMCON           # EMCON
xnet    15      XNET            # Cross Net Debugger
chaos   16      CHAOS           # Chaos
udp     17      UDP             # user datagram protocol
mux     18      MUX             # Multiplexing protocol
dcn     19      DCN-MEAS                # DCN Measurement Subsystems
hmp     20      HMP             # host monitoring protocol
prm     21      PRM             # packet radio measurement protocol
xns-idp 22      XNS-IDP         # Xerox NS IDP
trunk-1 23      TRUNK-1         # Trunk-1
trunk-2 24      TRUNK-2         # Trunk-2
leaf-1  25      LEAF-1          # Leaf-1
leaf-2  26      LEAF-2          # Leaf-2
rdp     27      RDP             # "reliable datagram" protocol
irtp    28      IRTP            # Internet Reliable Transaction Protocol
iso-tp4 29      ISO-TP4         # ISO Transport Protocol Class 4
netblt  30      NETBLT          # Bulk Data Transfer Protocol
mfe-nsp 31      MFE-NSP         # MFE Network Services Protocol
merit-inp       32      MERIT-INP               # MERIT Internodal Protocol
dccp    33      DCCP            # Datagram Congestion Control Protocol
3pc     34      3PC             # Third Party Connect Protocol
idpr    35      IDPR            # Inter-Domain Policy Routing Protocol
xtp     36      XTP             # Xpress Tranfer Protocol
ddp     37      DDP             # Datagram Delivery Protocol
idpr-cmtp       38      IDPR-CMTP               # IDPR Control Message Transport Proto
tp++    39      TP++            # TP++ Transport Protocol
il      40      IL              # IL Transport Protocol
ipv6    41      IPv6            # IPv6 encapsulation
sdrp    42      SDRP            # Source Demand Routing Protocol
ipv6-route      43      IPv6-Route              # Routing Header for IPv6
ipv6-frag       44      IPv6-Frag               # Fragment Header for IPv6
idrp    45      IDRP            # Inter-Domain Routing Protocol
rsvp    46      RSVP            # Resource ReSerVation Protocol
gre     47      GRE             # Generic Routing Encapsulation
dsr     48      DSR             # Dynamic Source Routing Protocol
bna     49      BNA             # BNA
esp     50      ESP             # Encap Security Payload
ipv6-crypt      50      IPv6-Crypt              # Encryption Header for IPv6 (not in official list)
ah      51      AH              # Authentication Header
ipv6-auth       51      IPv6-Auth               # Authentication Header for IPv6 (not in official list)
i-nlsp  52      I-NLSP          # Integrated Net Layer Security TUBA
swipe   53      SWIPE           # IP with Encryption
narp    54      NARP            # NBMA Address Resolution Protocol
mobile  55      MOBILE          # IP Mobility
tlsp    56      TLSP            # Transport Layer Security Protocol
skip    57      SKIP            # SKIP
ipv6-icmp       58      IPv6-ICMP               # ICMP for IPv6
ipv6-nonxt      59      IPv6-NoNxt              # No Next Header for IPv6
ipv6-opts       60      IPv6-Opts               # Destination Options for IPv6
#       61                      # any host internal protocol
cftp    62      CFTP            # CFTP
#       63                      # any local network
sat-expak       64      SAT-EXPAK               # SATNET and Backroom EXPAK
kryptolan       65      KRYPTOLAN               # Kryptolan
rvd     66      RVD             # MIT Remote Virtual Disk Protocol
ippc    67      IPPC            # Internet Pluribus Packet Core
#       68                      # any distributed file system
sat-mon 69      SAT-MON         # SATNET Monitoring
visa    70      VISA            # VISA Protocol
ipcv    71      IPCV            # Internet Packet Core Utility
cpnx    72      CPNX            # Computer Protocol Network Executive
cphb    73      CPHB            # Computer Protocol Heart Beat
wsn     74      WSN             # Wang Span Network
pvp     75      PVP             # Packet Video Protocol
br-sat-mon      76      BR-SAT-MON              # Backroom SATNET Monitoring
sun-nd  77      SUN-ND          # SUN ND PROTOCOL-Temporary
wb-mon  78      WB-MON          # WIDEBAND Monitoring
wb-expak        79      WB-EXPAK                # WIDEBAND EXPAK
iso-ip  80      ISO-IP          # ISO Internet Protocol
vmtp    81      VMTP            # Versatile Message Transport
secure-vmtp     82      SECURE-VMTP             # SECURE-VMTP
vines   83      VINES           # VINES
ttp     84      TTP             # TTP
nsfnet-igp      85      NSFNET-IGP              # NSFNET-IGP
dgp     86      DGP             # Dissimilar Gateway Protocol
tcf     87      TCF             # TCF
eigrp   88      EIGRP           # Enhanced Interior Routing Protocol (Cisco)
ospf    89      OSPFIGP         # Open Shortest Path First IGP
sprite-rpc      90      Sprite-RPC              # Sprite RPC Protocol
larp    91      LARP            # Locus Address Resolution Protocol
mtp     92      MTP             # Multicast Transport Protocol
ax.25   93      AX.25           # AX.25 Frames
ipip    94      IPIP            # Yet Another IP encapsulation
micp    95      MICP            # Mobile Internetworking Control Pro.
scc-sp  96      SCC-SP          # Semaphore Communications Sec. Pro.
etherip 97      ETHERIP         # Ethernet-within-IP Encapsulation
encap   98      ENCAP           # Yet Another IP encapsulation
#       99                      # any private encryption scheme
gmtp    100     GMTP            # GMTP
ifmp    101     IFMP            # Ipsilon Flow Management Protocol
pnni    102     PNNI            # PNNI over IP
pim     103     PIM             # Protocol Independent Multicast
aris    104     ARIS            # ARIS
scps    105     SCPS            # SCPS
qnx     106     QNX             # QNX
a/n     107     A/N             # Active Networks
ipcomp  108     IPComp          # IP Payload Compression Protocol
snp     109     SNP             # Sitara Networks Protocol
compaq-peer     110     Compaq-Peer             # Compaq Peer Protocol
ipx-in-ip       111     IPX-in-IP               # IPX in IP
vrrp    112     VRRP            # Virtual Router Redundancy Protocol
pgm     113     PGM             # PGM Reliable Transport Protocol
#       114                     # any 0-hop protocol
l2tp    115     L2TP            # Layer Two Tunneling Protocol
ddx     116     DDX             # D-II Data Exchange
iatp    117     IATP            # Interactive Agent Transfer Protocol
stp     118     STP             # Schedule Transfer
srp     119     SRP             # SpectraLink Radio Protocol
uti     120     UTI             # UTI
smp     121     SMP             # Simple Message Protocol
sm      122     SM              # SM
ptp     123     PTP             # Performance Transparency Protocol
isis    124     ISIS            # ISIS over IPv4
fire    125     FIRE
crtp    126     CRTP            # Combat Radio Transport Protocol
crdup   127     CRUDP           # Combat Radio User Datagram
sscopmce        128     SSCOPMCE
iplt    129     IPLT
sps     130     SPS             # Secure Packet Shield
pipe    131     PIPE            # Private IP Encapsulation within IP
sctp    132     SCTP            # Stream Control Transmission Protocol
fc      133     FC              # Fibre Channel
rsvp-e2e-ignore 134     RSVP-E2E-IGNORE
mobility-header 135     Mobility-Header         # Mobility Header
udplite 136     UDPLite
mpls-in-ip      137     MPLS-in-IP
manet   138     manet           # MANET Protocols
hip     139     HIP             # Host Identity Protocol
shim6   140     Shim6           # Shim6 Protocol
wesp    141     WESP            # Wrapped Encapsulating Security Payload
rohc    142     ROHC            # Robust Header Compression
#   143-252 Unassigned                                       [IANA]
#   253     Use for experimentation and testing           [RFC3692]
#   254     Use for experimentation and testing           [RFC3692]
#   255                 Reserved                             [IANA]

vbyrd commented 6 years ago

After further testing with "custom_service", it seems that you can add a protocol to a custom service without a port defined and it will set it in the protocols section of the service. This feature was added in merge https://github.com/crayfishx/puppet-firewalld/pull/171. Sorry for not catching this before opening up an issue.

Example manifest:

firewalld::custom_service { 'pptp':
  short       => 'pptp',
  description => 'Point to Point Tunneling Protocol',
  port        => [
    {
      'port'     => '1723',
      'protocol' => 'tcp',
    },
    {
      'port'     => '',
      'protocol' => 'gre',
    },
  ],
}

...will produce this:

firewall-cmd --info-service=pptp 
pptp
  ports: 1723/tcp
  protocols: gre
  source-ports: 
  modules: 
  destination:

This behavior works great for my best practices as I define everything in services anyway. However, it seems that this does not work directly on a zone (instead of through a service) if one wanted to do so.

Example manifest:

firewalld_port { 'add protocol GRE to the public public zone':
  ensure   => present,
  zone     => 'public',
  protocol => 'gre',
}

...will error:

Error: Execution of '/bin/firewall-cmd --permanent --zone public --add-port add GRE to the public public zone/gre' returned 102:
Error: Firewalld_port[add GRE to the public public zone]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/firewall-cmd --permanent --zone public --add-port add GRE to the public public zone/gre' returned 102:
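An added example, not code from this issue or from puppet-firewalld: a POSIX sh helper that resolves a protocol name against an /etc/protocols-style table (a constructed excerpt is embedded; the function names and the table are assumptions) and emits the `--add-protocol` invocation the man page quoted above documents, which is the form a zone-level provider would need instead of the `--add-port .../gre` invocation in the error above. The command is printed, not executed, so it can be checked before it touches a firewall.

```shell
# Constructed excerpt of /etc/protocols (assumption: same layout as the real
# file: name, number, alias, optional '# comment'); a real provider would read
# /etc/protocols itself.
PROTOCOLS_DB="$(cat <<'EOF'
# Internet (IP) protocols -- constructed sample, not the full file
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # Generic Routing Encapsulation
esp     50      ESP             # Encap Security Payload
l2tp    115     L2TP            # Layer Two Tunneling Protocol
EOF
)"

# protocol_number NAME: print the protocol number for NAME (official name or
# alias, case-insensitive) and return 0; return 1 when the table has no entry.
protocol_number() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$PROTOCOLS_DB" | awk -v want="$want" '
        { sub(/#.*/, "") }          # strip trailing comments, re-split fields
        NF < 2 { next }             # skip blank and comment-only lines
        {
            for (i = 1; i <= NF; i++)
                if (i != 2 && tolower($i) == want) { print $2; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# zone_add_protocol ZONE PROTO: print (do not run) the firewall-cmd invocation
# the man page documents for adding a protocol to a zone, refusing any PROTO
# that /etc/protocols does not list so a typo never reaches firewall-cmd.
zone_add_protocol() {
    zone=$1
    proto=$2
    if ! protocol_number "$proto" >/dev/null; then
        printf 'unknown protocol: %s\n' "$proto" >&2
        return 1
    fi
    printf 'firewall-cmd --permanent --zone=%s --add-protocol=%s\n' "$zone" "$proto"
}

# Usage: the GRE case from the issue, then a misspelled name that is rejected.
zone_add_protocol public gre
zone_add_protocol public grr || echo "rejected as expected"
```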

nasa-dan commented 2 years ago

BUMP. source-ports would be nice to have as well.