Simple Firewall Configuration #157
Conversation
|
@arcsector Thanks for creating this PR. I've wanted this for some time. I was going through this, and I have a few thoughts. The group_vars for Indexers, Heavy Forwarders and search heads have a lot of things in common. How about we put the common ones in In general, I wanted to add some vars that disable the web interface for IDX and HF as the default, as well as Side note. Can you please for your repo directly from this one instead of the one from @zyphermonkey? This will prevent conflicts, and will be easier to be in sync with this upstream repo. |
- Firewalld Services instead of ephemeral commands - New port format to specify protocol for modularity - Defaults to UFW and if RHEL uses firewalld - Added default firewall ports per group var - Checks to see if firewall package is installed and service is running and enabled
I have the common ones in
I would like to do that, but I feel like that should be a separate PR which adds that config not just in the firewall config but also in
Will do. |
- port proto combos predefined and referenced - super user privileges for handlers and package interactions
|
Why aren't we just using the idempotent |
|
In my estimation Firewalld services are much more useful in terms of their overall introspection capabilities as well as their ease of modification and legibility. In addition, services are the best-practice in firewalld for things that are supposed to be associated with a given process. Say for example we're not just installing splunk on here, but also mysql. I can have a service file for splunk and then one for mysql which identify each port as being associated with that application, which i can then make modifications to or disable/enable independently of one another. A more targeted approach for extensible environments with a lot of firewall configs. |
As @arcsector said. Although using the firewall plugin would may seem to be the simpler way, but when configuring multiple ports for a specific application, the recommended method from the OS side is services. Also, running the Any experienced sys-admin would know exactly where to look and what to look for. |
- SSH Allow in UFW - Make Firewalld aware of service - Removing unnecessary reload handle of UFW - Adding RHEL 8 firewall_service
| splunkapi_port: {protocol: "tcp", number: "{{ splunkd_port }}"} | ||
| splunkidxcrep_port: {protocol: "tcp", number: "{{ splunk_idxc_rep_port }}"} | ||
| splunkshcrep_port: {protocol: "tcp", number: "{{ splunk_shc_rep_port }}"} | ||
| splunk_firewall_ports: # List of ports to allow through local firewall in dict form |
There was a problem hiding this comment.
Do we really need to define this? This will open the ports on UFs, and since the UF is no longer listening on 0.0.0.0:8089 by default, I don't think we need that.
There was a problem hiding this comment.
Thankfully it will not - in configure_os.yml I have this so that we don't install the firewall unless it's in the full category:
- name: Configure firewall service
include_tasks: "configure_firewall.yml"
when:
- firewall_service != 'undefined'
- configure_firewall != false
- "'full' in group_names"
|
I ran some tests, and it looks good. |
|
Awesome, thanks guys! Glad we could make this happen. |
This is an attempt to improve on #114 striving for simplicity while also maintaining future portability for people who want to add more ports or decrease the current port pool. The changes at a glance are:
Hopefully this is something that will be more useful. Comments appreciated - maybe we can move the init definition of
splunk_firewall_portstogroup_vars/all.ymlbut that's just an aesthetic choice I think.