
No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking #240

Merged (1 commit), Sep 13, 2013

Conversation

@doc75 (Contributor) commented Sep 10, 2013

This modification allows disabling the autorequire of firewallchain only for the following:
INPUT:filter:...
OUTPUT:filter:...
FORWARD:filter:...

It allows specifying those firewallchains at the end of all firewall rules (in my_fw::post, for example) with a default DROP policy without blocking everything.

…hen table is :filter (to allow default drop policy at the end of rules)
@kbarber-jenkins-bot

Can one of the admins verify this patch?

@doc75 (Contributor, Author) commented Sep 10, 2013

CLA accepted just after the commit...

@apenney (Contributor) commented Sep 13, 2013

Any chance I can get you to explain this a little further? (Sorry, I mostly just do basic stuff with iptables myself). I'm not questioning the value of the contribution/patch, I just want to make sure I can add something to the README to explain this in more detail and I'm not sure I fully understand it.

@apenney (Contributor) commented Sep 13, 2013

(note to self, tested with rspec-system, works fine)

@ruckc commented Sep 13, 2013

Essentially, best practice security says that your firewall defaults to drop. Therefore, when you create the firewallchain resource with a default DROP policy, it is executed first, before the accept rules. This means that when running it via puppet, if doing it through puppet agent -t in ssh, it stops all communication BEFORE it gets to the action=>accept firewall resources, which then bricks your server until console access is attained to shut down the firewall, and rerun puppet.

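The pre/post layout that the PR description and the explanation above refer to, as an added example that is not code from the PR or from the module itself; the class names my_fw::pre and my_fw::post come from the PR description, while the rule names, numbers and the ssh port are assumptions.

```puppet
# Added example (not from the PR). Top-scope defaults: every firewall rule
# runs after my_fw::pre and before my_fw::post.
Firewall {
  require => Class['my_fw::pre'],
  before  => Class['my_fw::post'],
}

class my_fw::pre {
  # Undo the require inside this class, otherwise its own rules would
  # depend on the class that contains them (a dependency cycle).
  Firewall { require => undef }

  # Assumed rule names/ports; keep loopback, existing sessions and ssh open.
  firewall { '000 accept all on lo':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '001 accept related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '010 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }
}

class my_fw::post {
  # Built-in filter chains, so they always exist: safe to set their policy
  # last. With this change the rules above no longer autorequire these
  # chains, so the explicit before/require ordering decides, and the DROP
  # policy is applied only after the accept rules are in place.
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => drop,
  }
  firewallchain { 'FORWARD:filter:IPv4':
    ensure => present,
    policy => drop,
  }
}

include my_fw::pre
include my_fw::post
```

Before this change, a firewall rule for INPUT, OUTPUT or FORWARD in the filter table autorequired the matching firewallchain, so the chain (and its DROP policy) was forced ahead of the accept rules regardless of the ordering above.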

@apenney (Contributor) commented Sep 13, 2013

I can see that being kind of a pain. ;)

apenney pushed a commit that referenced this pull request Sep 13, 2013
No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking
@apenney apenney merged commit 71a6116 into puppetlabs:master Sep 13, 2013
@doc75 (Contributor, Author) commented Sep 13, 2013

@apenney: Thanks a lot for the merge
@ruckc: thanks for providing the explanation to enable the merge.

cegeka-jenkins pushed a commit to cegeka/puppet-firewall that referenced this pull request Oct 23, 2017
No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking