The Puppet Enterprise firewall quick start guide provides instructions for getting started managing firewall rules with PE.
With a firewall, admins define a set of policies (firewall rules) that usually consist of things like application ports (TCP/UDP), node interfaces (which network port), IP addresses, and an accept/deny statement. These rules are applied from a “top-to-bottom” approach. For example, when a service, such as SSH, attempts to access resources on the other side of a firewall, the firewall applies a list of rules to determine if or how SSH communications are handled. If a rule allowing SSH access can’t be found, the firewall denies access to that SSH attempt.
To best manage firewall rules with PE, separate these rules into pre and post groups.
In this exercise, you will:
my_firewall class to your agent nodes.my_firewall class.Before you begin, you must have installed PE. Refer to the installation overview and the agent installation instructions for complete instructions. See the supported operating system documentation for supported platforms. This guide assumes you are not using Code Manager or r10k.
Tip: Follow the instructions in the NTP quick start guide to have PE ensure time is in sync across your deployment.
puppet-firewall moduleInstall the firewall module, which manages and configures firewall rules with the Puppet DSL. You can learn more about the module by visiting http://forge.puppetlabs.com/puppetlabs/firewall.
From the PE master, run puppet module install puppetlabs-firewall.
You should see output similar to the following:
Preparing to install into /etc/puppetlabs/puppet/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/puppet/environments/production/modules
└── puppetlabs-firewall (v1.6.0)
That’s it! You’ve just installed the firewall module. You’ll need to wait a short time for the Puppet server to refresh before the classes are available to add to your agent nodes.
my_firewall moduleIn this step, you’ll write a simple module to define and help manage your firewall rules. This module contains just three classes.
Modules are directory trees. For this task, you’ll create the following files:
my_firewall/ (the module name)
manifests/
pre.pppost.ppinit.ppAbout module directories
By default, Puppet keeps modules in
/etc/puppetlabs/code/environments/production/modules. This includes modules that you download from the Forge and those you write yourself.PE also creates two other module directories:
/opt/puppetlabs/puppet/modulesand/etc/puppetlabs/staging-code/modules. For this guide, don’t modify or add anything to either of these directories.There are plenty of resources about modules and the creation of modules that you can reference. Check out Puppet: Module fundamentals, Puppet: The modulepath, the Beginner’s guide to modules, and the Puppet Forge.
cd /etc/puppetlabs/code/environments/production/modules).mkdir -p my_fw/manifests to create the new module directory and its manifests directory.manifests directory, use your text editor to create pre.pp.Edit pre.pp so it contains the following Puppet code:
class my_firewall::pre {
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}
firewall { '002 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
# Allow SSH
firewall { '100 allow ssh access':
port => '22',
proto => tcp,
action => accept,
}
}
manifests directory, use your text editor to create post.pp.Edit post.pp so it contains the following Puppet code:
class my_firewall::post {
firewall { "999 drop all other requests":
action => "drop",
}
}
manifests directory, use your text editor to create init.pp.Edit init.pp so it contains the following Puppet code:
class my_firewall {
stage { 'fw_pre': before => Stage['main']; }
stage { 'fw_post': require => Stage['main']; }
class { 'my_fw::pre':
stage => 'fw_pre',
}
class { 'my_fw::post':
stage => 'fw_post',
}
resources { "firewall":
purge => true
}
}
That’s it! You’ve written a module that contains a class that, once applied, ensures your firewall has rules that will be managed by PE. You’ll need to wait a short time for the Puppet server to refresh before the classes are available to add to your agent nodes.
Note the following about your new class:
pre.ppdefines the “pre” group rules that the firewall applies when a service requests access.post.ppdefines the rule for the firewall to drop any requests that haven’t met the rules defined bypre.pp.init.ppapplies the previous two classes, as well as telling Puppet when to apply the classes in relation to themainstage (which ensures the classes are applied in the correct order).
In this procedure, you’ll create a simple group called firewall_example, which will contain all of your nodes. Depending on your needs or infrastructure, you may have a different group that you’ll assign your firewall class to.
Groups let you assign classes and variables to many nodes at once. Nodes can belong to many groups and inherit classes and variables from all of them. Groups can also be members of other groups and inherit configuration information from their parent group the same way nodes do. PE automatically creates several groups in the console, which you can read more about in the PE docs.
On the Rules tab, in the Node name field, enter the name of the PE-managed node you want to add to this group, and click Pin node.
Repeat this step for any additional nodes you want to add.
Warning: Do not add the Puppet master to this group. Your firewall class does not yet contain rules to allow access to the Puppet master. You will add these rules later when you write a class to open ports for the Puppet master.
my_firewall class to agent nodesNext, you’ll add the class from your module to the node group you just created.
In the console, click Nodes > Classification, and find and select the firewall_example group.
On the Classes tab, in the Class name field, select my_firewall.
Tip: You only need to add the main my_firewall class. It contains the other classes from the module.
Click Add class, and commit changes.
The my_firewall class now appears in the list of classes for the firewall_example group.
When Puppet runs, it configures the nodes using the newly-assigned classes. Wait one or two minutes.
Congratulations! You’ve just created a firewall class that you can use to define and enforce firewall rules across your PE-managed infrastructure.
The Puppet master is just like any other application you run from your infrastructure: you need to allow special firewall access to ensure you can access the Puppet master correctly. You’ll create another simple module to open the ports for the Puppet master.
cd /etc/puppetlabs/code/environments/production/modules.mkdir -p my_master/manifests to create the new module directory and its manifests directory.manifests directory, use your text editor to create init.pp.Edit init.pp so it contains the following Puppet code:
class my_master {
include my_firewall
firewall { '100 allow PE Console access':
port => '443',
proto => tcp,
action => accept,
}
firewall { '100 allow Puppet master access':
port => '8140',
proto => tcp,
action => accept,
}
firewall { '100 allow ActiveMQ MCollective access':
port => '61613',
proto => tcp,
action => accept,
}
}
my_master class to the Puppet master.Click the Events tab.
You will see three events on this node, indicating that your firewall now allows access to MCollective, the PE console, and the Puppet master.
Tip: For all firewall configuration needs for your PE installation, refer to the system configuration documentation.
my_firewall classFinally, let’s take a look at how PE ensures the desired state of the my_firewall class on your agent nodes. In the previous task, you applied the class. Now imagine a scenario where a member of your team changes the contents of the iptables to allow connections on a random port that was not specified in my_firewall.
my_firewall class, run iptables --list.my_firewall class have been applied.iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8449 -j ACCEPT.iptables --list again and note this new rule is now listed.iptables --list on that node once more, and notice that PE has enforced the desired state you specified for the firewall rules.That’s it — PE has enforced the desired state of your agent node.
The Puppet firewall module (puppetlabs-firewall), is part of the PE supported modules program; these modules are supported, tested, and maintained by Puppet. You can learn more about the Puppet firewall module by visiting the Puppet Forge.
Check out the other quick start guides in our PE QSG series:
Puppet offers many opportunities for learning and training, from formal certification courses to guided online lessons. We’ve noted a few below; head over to the learning Puppet page to discover more.