From fa1cee29aceee6a0c0eb61e09312cb25073dba71 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 25 Apr 2019 16:14:10 -0400
Subject: [PATCH 01/13] feat(chain) add variable to specify chain

---
 manifests/agent.pp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manifests/agent.pp b/manifests/agent.pp
index ca3ea93e5..b9045e1bd 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -192,6 +192,9 @@
 # [*manage_startup_script*]
 # If the init script should be managed by this module. Attention: This might cause problems with some config options of this module (e.g agent_configfile_path)
 #
+# [*firewallchain*]
+# Specify the name of the firewall chain to add the rules to.
+#
 # === Example
 #
 # Basic installation:
@@ -282,6 +285,7 @@
 String $additional_service_params = $zabbix::params::additional_service_params,
 String $service_type = $zabbix::params::service_type,
 Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain
 ) inherits zabbix::params {

 # the following two codeblocks are a bit blargh. The correct default value for
@@ -440,6 +444,7 @@
 proto => 'tcp',
 action => 'accept',
 source => $server,
+ chain => $firewallchain,
 state => [
 'NEW',
 'RELATED',

From 12d069864919ea0e4f5b04973e3fa9ee61db3e81 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 25 Apr 2019 16:23:02 -0400
Subject: [PATCH 02/13] feat(firewallchain) add undef default

---
 manifests/params.pp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/manifests/params.pp b/manifests/params.pp
index a145040c4..8b40155f7 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -107,6 +107,7 @@
 $manage_startup_script = true
 $default_vhost = false
 $manage_firewall = false
+ $firewallchain = undef
 $manage_apt = true
 $repo_location = ''
 $manage_resources = false

From 00bb11f5aefe5ef47a45d30005e178efc107af6b Mon Sep 17 00:00:00 2001
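Review bot: `Optional[String] $firewallchain` in the agent.pp parameter hunk accepts an empty string, which then reaches the firewall resource as `chain => ''` in the third hunk; the neighbouring parameters in this series use the non-empty form (`Optional[String[1]] $zabbix_user` in server.pp and init.pp), so `Optional[String[1]] $firewallchain = $zabbix::params::firewallchain,` would reject that value and also carries the trailing comma the other parameters have. The new doc comment should additionally say that this class does not create the chain, so a non-default value must name a chain that already exists on the node, otherwise the accept rule fails to apply and the agent port stays closed. The same declaration is repeated in server.pp (PATCH 03), proxy.pp (PATCH 04), javagateway.pp (PATCH 05) and init.pp (PATCH 06). The class parameter list and the enclosing `if $manage_firewall` block begin outside the hunks.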
From: Mathew Winstone
Date: Thu, 25 Apr 2019 16:25:24 -0400
Subject: [PATCH 03/13] feat(chain) add chain entry

---
 manifests/server.pp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manifests/server.pp b/manifests/server.pp
index f38ada5ff..367430e10 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -261,6 +261,9 @@
 # [*manage_startup_script*]
 # If the init script should be managed by this module. Attention: This might cause problems with some config options of this module (e.g server_configfile_path)
 #
+# [*firewallchain*]
+# Specify the name of the firewall chain to add the rules to.
+#
 # === Example
 #
 # When running everything on a single node, please check
@@ -382,6 +385,7 @@
 String $additional_service_params = $zabbix::params::additional_service_params,
 Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user,
 Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
+ Optional[String] = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 # the following codeblock is a bit blargh. The correct default value for
@@ -554,6 +558,7 @@
 dport => $listenport,
 proto => 'tcp',
 action => 'accept',
+ chain => $firewallchain,
 state => [
 'NEW',
 'RELATED',

From b062929d8541eea18621257fa8d3ec16cda33fa5 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 25 Apr 2019 16:37:19 -0400
Subject: [PATCH 04/13] add firewallchain

---
 manifests/proxy.pp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 6b9a38bb9..c93654d7a 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -264,6 +264,9 @@
 # [*loadmodule*]
 # Module to load at server startup.
 #
+# [*firewallchain*]
+# Specify the name of the firewall chain to add the rules to.
+#
 # === Example
 #
 # When you want to run everything on one machine, you can use the following
@@ -423,6 +426,7 @@
 $loadmodulepath = $zabbix::params::proxy_loadmodulepath,
 $loadmodule = $zabbix::params::proxy_loadmodule,
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 # check osfamily, Arch is currently not supported for web
@@ -614,6 +618,7 @@
 firewall { '151 zabbix-proxy':
 dport => $listenport,
 proto => 'tcp',
+ chain => $firewallchain,
 action => 'accept',
 state => [
 'NEW',

From aea46607289dcef9f812a8a490b7e8712e852285 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 25 Apr 2019 16:38:57 -0400
Subject: [PATCH 05/13] add firewallchain

---
 manifests/javagateway.pp | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/manifests/javagateway.pp b/manifests/javagateway.pp
index 47195c0e7..e5c12e3db 100644
--- a/manifests/javagateway.pp
+++ b/manifests/javagateway.pp
@@ -36,6 +36,9 @@
 # [*timeout*]
 # Number of worker threads to start.
 #
+# [*firewallchain*]
+# Specify the name of the firewall chain to add the rules to.
+#
 # === Example
 #
 # class { 'zabbix::javagateway':
@@ -51,15 +54,16 @@
 # Copyright 2014 Werner Dijkerman
 #
 class zabbix::javagateway(
- $zabbix_version = $zabbix::params::zabbix_version,
- $zabbix_package_state = $zabbix::params::zabbix_package_state,
- Boolean $manage_firewall = $zabbix::params::manage_firewall,
- Boolean $manage_repo = $zabbix::params::manage_repo,
- $pidfile = $zabbix::params::javagateway_pidfile,
- $listenip = $zabbix::params::javagateway_listenip,
- $listenport = $zabbix::params::javagateway_listenport,
- $startpollers = $zabbix::params::javagateway_startpollers,
- $timeout = $zabbix::params::javagateway_timeout,
+ $zabbix_version = $zabbix::params::zabbix_version,
+ $zabbix_package_state = $zabbix::params::zabbix_package_state,
+ Boolean $manage_firewall = $zabbix::params::manage_firewall,
+ Boolean $manage_repo = $zabbix::params::manage_repo,
+ $pidfile = $zabbix::params::javagateway_pidfile,
+ $listenip = $zabbix::params::javagateway_listenip,
+ $listenport = $zabbix::params::javagateway_listenport,
+ $startpollers = $zabbix::params::javagateway_startpollers,
+ $timeout = $zabbix::params::javagateway_timeout,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 # Only include the repo class if it has not yet been included
@@ -106,6 +110,7 @@
 firewall { '152 zabbix-javagateway':
 dport => $listenport,
 proto => 'tcp',
+ chain => $firewallchain,
 action => 'accept',
 state => ['NEW','RELATED', 'ESTABLISHED'],
 }

From 9dc69a4dbe62f6c69e7ed47b38f9397079334317 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 25 Apr 2019 17:56:07 -0400
Subject: [PATCH 06/13] feat(firewall)

---
 manifests/init.pp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index daf6960fe..62cf75ba6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -179,6 +179,7 @@
 String $additional_service_params = $zabbix::params::additional_service_params,
 Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user,
 Optional[String] $zabbix_server_name = $zabbix::params::zabbix_server,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 class { '::zabbix::web':
@@ -300,6 +301,7 @@
 loadmodule => $loadmodule,
 manage_selinux => $manage_selinux,
 additional_service_params => $additional_service_params,
+ firewallchain => $firewallchain,
 require => Class['zabbix::database'],
 }


From f4e2ff2098d75dc05641c053ec41aa05e124941f Mon Sep 17 00:00:00 2001
From: za267
Date: Mon, 26 Aug 2019 10:11:02 -0400
Subject: [PATCH 07/13] Fix (firewallchain)

Syntax error, missing var name declaration.
---
 manifests/server.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index 367430e10..165780ff8 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -385,7 +385,7 @@
 String $additional_service_params = $zabbix::params::additional_service_params,
 Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user,
 Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
- Optional[String] = $zabbix::params::firewallchain,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 # the following codeblock is a bit blargh. The correct default value for

From a48d4ab3e783849ba3ed13933ba4c1568280b745 Mon Sep 17 00:00:00 2001
From: Xavier Lashmar
Date: Mon, 26 Aug 2019 10:11:02 -0400
Subject: [PATCH 08/13] Fix (firewallchain)

Syntax error, missing var name declaration.
---
 manifests/server.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index 367430e10..165780ff8 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -385,7 +385,7 @@
 String $additional_service_params = $zabbix::params::additional_service_params,
 Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user,
 Boolean $manage_startup_script = $zabbix::params::manage_startup_script,
- Optional[String] = $zabbix::params::firewallchain,
+ Optional[String] $firewallchain = $zabbix::params::firewallchain,
 ) inherits zabbix::params {

 # the following codeblock is a bit blargh. The correct default value for

From acfdfae8bfc760e0b62e2e1b81580bfe989047b5 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 21 Sep 2023 14:07:13 -0400
Subject: [PATCH 09/13] refactor(firewall): update chain

Set for agent only right now
---
 manifests/init.pp | 1 -
 manifests/javagateway.pp | 1 -
 manifests/params.pp | 3 ++-
 manifests/proxy.pp | 1 -
 manifests/server.pp | 1 -
 5 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 81973a285..2cbd3a86e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -486,7 +486,6 @@
 loadmodule => $loadmodule,
 manage_selinux => $manage_selinux,
 additional_service_params => $additional_service_params,
- firewallchain => $firewallchain,
 require => Class['zabbix::database'],
 }

diff --git a/manifests/javagateway.pp b/manifests/javagateway.pp
index 3e7c93a86..b88b9a86b 100644
--- a/manifests/javagateway.pp
+++ b/manifests/javagateway.pp
@@ -68,7 +68,6 @@
 firewall { '152 zabbix-javagateway':
 dport => $listenport,
 proto => 'tcp',
- chain => $firewallchain,
 action => 'accept',
 state => ['NEW','RELATED', 'ESTABLISHED'],
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index bfae91e67..6fae655b7 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -150,7 +150,8 @@
 $manage_service = true
 $default_vhost = false
 $manage_firewall = false
- $firewallchain = undef
+ $use_firewall_chain = false
+ $firewall_priority = 150
 $manage_apt = true
 $repo_location = undef
 $unsupported_repo_location = undef
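Review bot: PATCH 08 carries the same `index 367430e10..165780ff8` line and the same one-line hunk as PATCH 07, only with a different author, so in a sequential `git am` of this series the second copy would fail to apply because the `- Optional[String] = $zabbix::params::firewallchain,` line it removes is already gone after PATCH 07. One of the two should be dropped from the series (or the authorship folded into a `Co-authored-by:` trailer on the surviving one) before it is merged.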
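Review bot: The params.pp hunk removes `$firewallchain = undef`, but the class parameters that default to `$zabbix::params::firewallchain` — added to init.pp, javagateway.pp, proxy.pp and server.pp by PATCH 01–06 and not touched by this commit's init.pp, javagateway.pp, proxy.pp or server.pp hunks, which only drop the `chain =>` usages — still reference it; under `strict_variables` that presumably fails catalog compilation, and otherwise the parameter silently resolves to undef. The `Optional[String] $firewallchain` declarations in those four files should be removed in the same commit, and the new `$use_firewall_chain` / `$firewall_priority` values need a doc entry in agent.pp, where they are consumed (the consuming code is outside this hunk; `"${firewall_priority} zabbix-agent ..."` is visible in PATCH 10). The proxy.pp and server.pp hunks of this commit have the same gap.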
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 057cb1928..741dbf8e6 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -521,7 +521,6 @@
 firewall { '151 zabbix-proxy':
 dport => $listenport,
 proto => 'tcp',
- chain => $firewallchain,
 action => 'accept',
 state => [
 'NEW',
diff --git a/manifests/server.pp b/manifests/server.pp
index 0ef5d1f54..41d8f73b0 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -463,7 +463,6 @@
 dport => $listenport,
 proto => 'tcp',
 action => 'accept',
- chain => $firewallchain,
 state => [
 'NEW',
 'RELATED',

From 435b96d7571da20492bf90a8be1082fc9d3444f5 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Fri, 22 Sep 2023 09:52:22 -0400
Subject: [PATCH 10/13] refactor(chain): set default to input

---
 manifests/agent.pp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/manifests/agent.pp b/manifests/agent.pp
index 6ef4a0abf..843f5963b 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -400,6 +400,10 @@
 jump => 'ZABBIX-AGENT',
 }
 }
+ $chain = $use_firewall_chain ? {
+ true => 'ZABBIX-AGENT',
+ default => 'INPUT'
+ }
 $servers = split($server, ',')
 $servers.each |$_server| {
 firewall { "${firewall_priority} zabbix-agent from ${_server}":
@@ -407,12 +411,12 @@
 proto => 'tcp',
 action => 'accept',
 source => $_server,
+ chain => $chain
 state => [
 'NEW',
 'RELATED',
 'ESTABLISHED',
 ],
- chain => $use_firewall_chain ? 'ZABBIX-AGENT:filter:IPv4' : undef,
 }
 }
 }

From 4ac7e3d2be9e9f443f0cbf8cb6c2187ea19c7e2c Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Fri, 22 Sep 2023 09:53:19 -0400
Subject: [PATCH 11/13] fix(typo)

---
 manifests/agent.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/agent.pp b/manifests/agent.pp
index 843f5963b..e3a8aecb3 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -411,7 +411,7 @@
 proto => 'tcp',
 action => 'accept',
 source => $_server,
- chain => $chain
+ chain => $chain,
 state => [
 'NEW',
 'RELATED',
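Review bot: The new `$chain` selector in the first agent.pp hunk of PATCH 10 has no comment, and the class header documentation is outside the hunk, so a reader has to find the `firewallchain` resource above (its `if $use_firewall_chain {` block starts before the hunk) to learn why `'ZABBIX-AGENT'` is only a valid target when `$use_firewall_chain` is true; a line such as `# Accept rules go into the dedicated chain only when this class manages it above; otherwise they are appended to INPUT` above the selector would make that coupling explicit. The selector also hard-codes the chain name a second time, and the `firewallchain` title, the `jump` target and this literal have to stay in step (PATCH 13 later touches all three), so hoisting it into one local such as `$agent_chain = 'ZABBIX-AGENT'` referenced from all three places would prevent drift. The context line `$servers = split($server, ',')` feeds `source =>` directly, so a comma-space separated list would presumably yield sources with a leading blank; whether iptables tolerates that is not shown here, so a doc line stating the expected format of `$server` (no whitespace) is worth adding.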
From 2de237312b8d9f1b89fdc4b2b30855f96b90afa6 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Thu, 5 Oct 2023 15:10:35 -0400
Subject: [PATCH 12/13] fix(firewall): use jump instead of action

---
 manifests/agent.pp | 2 +-
 manifests/javagateway.pp | 2 +-
 manifests/proxy.pp | 2 +-
 manifests/server.pp | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/manifests/agent.pp b/manifests/agent.pp
index e3a8aecb3..47611ccc8 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -409,7 +409,7 @@
 firewall { "${firewall_priority} zabbix-agent from ${_server}":
 dport => $listenport,
 proto => 'tcp',
- action => 'accept',
+ jump => 'accept',
 source => $_server,
 chain => $chain,
 state => [
diff --git a/manifests/javagateway.pp b/manifests/javagateway.pp
index b88b9a86b..ec10e7ff1 100644
--- a/manifests/javagateway.pp
+++ b/manifests/javagateway.pp
@@ -68,7 +68,7 @@
 firewall { '152 zabbix-javagateway':
 dport => $listenport,
 proto => 'tcp',
- action => 'accept',
+ jump => 'accept',
 state => ['NEW','RELATED', 'ESTABLISHED'],
 }
 }
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 741dbf8e6..44ee73ab8 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -521,7 +521,7 @@
 firewall { '151 zabbix-proxy':
 dport => $listenport,
 proto => 'tcp',
- action => 'accept',
+ jump => 'accept',
 state => [
 'NEW',
 'RELATED',
diff --git a/manifests/server.pp b/manifests/server.pp
index 41d8f73b0..7dd2ea793 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -462,7 +462,7 @@
 firewall { '151 zabbix-server':
 dport => $listenport,
 proto => 'tcp',
- action => 'accept',
+ jump => 'accept',
 state => [
 'NEW',
 'RELATED',

From dd82d5a665c60fb661ec04661183ba6999f42e11 Mon Sep 17 00:00:00 2001
From: Mathew Winstone
Date: Tue, 24 Oct 2023 14:26:52 -0400
Subject: [PATCH 13/13] fix(firewall): rename chain

Avoid -A in chain

See https://github.com/puppetlabs/puppetlabs-firewall/issues/1170
---
 manifests/agent.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

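Review bot: Replacing `action => 'accept'` with `jump => 'accept'` in the four firewall resources of PATCH 12 ties the module to a puppetlabs-firewall release in which `jump` accepts terminating targets; to my recollection older releases rejected ACCEPT/DROP/REJECT as `jump` values and required `action`, so on those versions every accept rule here would fail and the agent, proxy, server and Java gateway ports would stay closed wherever `$manage_firewall` is true. The dependency bound for puppetlabs-firewall in metadata.json is not part of this series and should be raised in the same change, with a changelog line marking it as breaking for users who pin the older module. The same point applies to the javagateway.pp, proxy.pp and server.pp hunks; each `firewall` resource starts inside its hunk but the enclosing `if $manage_firewall` block begins outside it.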
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 47611ccc8..432334dd2 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -391,17 +391,17 @@
 # Manage firewall
 if $manage_firewall {
 if $use_firewall_chain {
- firewallchain { 'ZABBIX-AGENT:filter:IPv4':
+ firewallchain { 'ZABBIX_AGENT:filter:IPv4':
 ensure => present,
 purge => true,
 }
 firewall { "${firewall_priority} zabbix-agent":
 chain => 'INPUT',
- jump => 'ZABBIX-AGENT',
+ jump => 'ZABBIX_AGENT',
 }
 }
 $chain = $use_firewall_chain ? {
- true => 'ZABBIX-AGENT',
+ true => 'ZABBIX_AGENT',
 default => 'INPUT'
 }
 $servers = split($server, ',')
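Review bot: Renaming the chain to `ZABBIX_AGENT` changes the `firewallchain` title but nothing in the hunk retires the `ZABBIX-AGENT` chain on nodes that already applied PATCH 10–12; the INPUT jump rule keeps its title `"${firewall_priority} zabbix-agent"` so its target is presumably updated in place, while the old chain and the accept rules inside it stay defined on the node, unreferenced but still part of the ruleset a defender audits. Either a migration note in the commit message and class documentation, or a cleanup resource such as `firewallchain { 'ZABBIX-AGENT:filter:IPv4': ensure => absent }` ordered after the jump rule, would make the removal explicit. The chain is created for IPv4 only (`:filter:IPv4`) while `$server` entries are not filtered by address family, so a doc line saying that the dedicated-chain mode covers iptables/IPv4 servers only would save a confusing failure if an IPv6 entry is ever configured. The `if $manage_firewall` block continues past the end of the hunk.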