Re: [Puppet Users] puppet firewall module and more esoteric rules

2015-07-07 Thread Hunter Haugen
Filed as a bug: https://tickets.puppetlabs.com/browse/MODULES-2197

On Fri, Jul 3, 2015 at 1:14 AM Tom Boland t...@t0mb.net wrote:

 Hi all,

 I've been looking at using the puppet firewall module to define the
 rules on a load balancer/proxy I'm working on.  Unfortunately, I don't
 think it's going to work, unless there's a workaround for the issue I've
 just found.

 I'm looking at implementing the SYNPROXY guidelines in this RedHat article:


 http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

 I've attempted to implement a rule in iptables, and then use puppet
 resource to reverse engineer it into puppet, and this is the result:

 $ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 \
 -j CT --notrack
 $ puppet resource firewall
 firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
   ensure             => 'present',
   chain              => '80',
   checksum_fill      => 'false',
   clamp_mss_to_pmtu  => 'false',
   dport              => ['CT'],
   iniface            => '--tcp-flags',
   isfragment         => 'false',
   jump               => '--notrack',
   kernel_timezone    => 'false',
   physdev_is_bridged => 'false',
   proto              => 'FIN,SYN,RST,ACK SYN',
   random             => 'false',
   rdest              => 'false',
   reap               => 'false',
   rsource            => 'false',
   rttl               => 'false',
   socket             => 'false',
   table              => 'raw',
   time_contiguous    => 'false',
 }

 As you may see, the parameters are a bit jumbled.  The chain has the
 value for the port, and the dport has the value for the jump, the
 protocol has various TCP packet types rather than just 'tcp' etc etc.

 Would anyone be able to suggest a way around this?

 For the moment I'll look into stopping the module purging existing
 rules and manage my SYNPROXY stuff outside of puppet.

 Many thanks.  Tom.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/5596445F.406%40t0mb.net.
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAJaQvGDMhUQCNTAtZbcpvLkyj--HxeZMGjWBC%2BeXuuAPmiXp-g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[Puppet Users] puppet firewall module and more esoteric rules

2015-07-03 Thread Tom Boland

Hi all,

I've been looking at using the puppet firewall module to define the 
rules on a load balancer/proxy I'm working on.  Unfortunately, I don't 
think it's going to work, unless there's a workaround for the issue I've 
just found.


I'm looking at implementing the SYNPROXY guidelines in this RedHat article:

http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

I've attempted to implement a rule in iptables, and then use puppet 
resource to reverse engineer it into puppet, and this is the result:


$ iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 \
-j CT --notrack

$ puppet resource firewall
firewall { '9001 7b01864cb3bb80b99a31bd1e24ec43e9':
  ensure             => 'present',
  chain              => '80',
  checksum_fill      => 'false',
  clamp_mss_to_pmtu  => 'false',
  dport              => ['CT'],
  iniface            => '--tcp-flags',
  isfragment         => 'false',
  jump               => '--notrack',
  kernel_timezone    => 'false',
  physdev_is_bridged => 'false',
  proto              => 'FIN,SYN,RST,ACK SYN',
  random             => 'false',
  rdest              => 'false',
  reap               => 'false',
  rsource            => 'false',
  rttl               => 'false',
  socket             => 'false',
  table              => 'raw',
  time_contiguous    => 'false',
}

As you may see, the parameters are a bit jumbled.  The chain has the 
value for the port, and the dport has the value for the jump, the 
protocol has various TCP packet types rather than just 'tcp' etc etc.


Would anyone be able to suggest a way around this?

For the moment I'll look into stopping the module purging existing 
rules and manage my SYNPROXY stuff outside of puppet.


Many thanks.  Tom.

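The jumble in the thread comes from a rule parser that does not know how many argument tokens each iptables option consumes: `--syn` is printed by iptables-save as `--tcp-flags FIN,SYN,RST,ACK SYN` (one option, two arguments), and `--notrack` is an option of the CT target rather than a match option. The following is an added example, not code from the puppetlabs-firewall module or from either poster; it parses an iptables-save style rule line with an explicit per-option arity table and treats everything after `-j TARGET` as target options. The option table, the hash keys and the constructed rule line are assumptions made for the example, and the naive pairwise parser beside it is an illustrative contrast, not the module's own algorithm.

```ruby
# Added example (not puppetlabs-firewall code): arity-aware parsing of
# iptables-save rule lines, contrasted with a parser that assumes every
# option takes exactly one argument.

# Number of argument tokens each option consumes. Assumption: this table
# covers only the options needed here; real iptables has many more.
OPTION_ARITY = {
  '-A' => 1, '-I' => 1, '-D' => 1,
  '-i' => 1, '-o' => 1, '-p' => 1, '-m' => 1,
  '-s' => 1, '-d' => 1,
  '--dport' => 1, '--sport' => 1, '--state' => 1,
  '--tcp-flags' => 2, # MASK and COMP are two separate tokens
  '--syn' => 0,       # shorthand, expanded to --tcp-flags by iptables-save
  '-j' => 1
}.freeze

# Option name to key in the parsed hash (hypothetical keys chosen to
# resemble the firewall type's parameters).
OPTION_KEY = {
  '-A' => :chain, '-I' => :chain, '-D' => :chain,
  '-i' => :iniface, '-o' => :outiface, '-p' => :proto,
  '-s' => :source, '-d' => :destination,
  '--dport' => :dport, '--sport' => :sport, '--state' => :state,
  '-j' => :jump
}.freeze

# Parse one rule line. Everything after `-j TARGET` is collected verbatim as
# target options (`--notrack` for CT, or e.g. `--mss 1460` for SYNPROXY),
# so target options can never be mistaken for match options.
def parse_rule(line, table: 'filter')
  tokens = line.strip.split(/\s+/)
  rule = { table: table, match: [], target_opts: [] }
  i = 0
  while i < tokens.size
    tok = tokens[i]
    arity = OPTION_ARITY.fetch(tok) { raise ArgumentError, "unknown option #{tok}" }
    args = tokens[(i + 1)..(i + arity)] || []
    raise ArgumentError, "#{tok} needs #{arity} argument(s)" if args.size < arity

    case tok
    when '--syn'       then rule[:tcp_flags] = 'FIN,SYN,RST,ACK SYN'
    when '--tcp-flags' then rule[:tcp_flags] = args.join(' ')
    when '-m'          then rule[:match] << args[0]
    when '-j'
      rule[:jump] = args[0]
      rule[:target_opts] = tokens[(i + 2)..-1] || []
      break
    else
      rule[OPTION_KEY.fetch(tok)] = args[0]
    end
    i += 1 + arity
  end
  rule
end

# Contrast: assume every option takes exactly one argument. The pairing
# shifts out of alignment at the first option that does not fit that
# assumption and every later key/value is wrong.
def naive_pairwise_parse(line)
  line.strip.split(/\s+/).each_slice(2).to_h
end

# Constructed input: the form in which iptables-save prints the rule from
# the thread (`--syn` expanded, `--notrack` after `-j CT`).
SAVED_RULE = '-A PREROUTING -i eth0 -p tcp -m tcp ' \
             '--tcp-flags FIN,SYN,RST,ACK SYN --dport 80 -j CT --notrack'

if __FILE__ == $PROGRAM_NAME
  puts parse_rule(SAVED_RULE, table: 'raw').inspect
  puts naive_pairwise_parse(SAVED_RULE).inspect
end
```

Run stand-alone, the first line printed has `chain`, `dport`, `jump` and `tcp_flags` in the right places with `target_opts` holding `--notrack`; the second line shows the pairwise parser pairing `80` with `-j` and `CT` with `--notrack`, the same class of confusion the `puppet resource` output above exhibits.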