`elkstack::acl` doesn't seem to work on ubuntu 14.04
patcon opened this issue · 6 comments
The rules get enabled, but this is the output:
```
patcon@elkstack-server-test:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 5959 /* allow syslog entries inbound */
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 5960 /* allow lumberjack entries inbound */
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 5961 /* allow tcp entries inbound */
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports https /* allow nginx SSL entries inbound */
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports http /* allow nginx entries inbound */
ACCEPT     udp  --  anywhere             anywhere             multiport dports 5962 /* allow udp entries inbound */
ACCEPT     all  --  anywhere             anywhere             /* allow services on loopback to talk to any interface */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
Presumably, the policy should be to drop, from what I gather.
Also, as noted here, it's not intuitive how to extend on those firewall rules.
Thanks!
@patcon Hello! The goal of the acl recipe is to open firewall rules required for elkstack, but not necessarily to enforce a default drop rule. If you don't have a default drop rule already, you don't need to run the acl recipe. Does that make sense?
Since the firewall cookbook currently applies the rules in the order they appear in the resource collection, a default-drop recipe would be something you'd declare last, so it's at the end of the runlist (and the final firewall_rule resource in the resource collection).
I do appreciate that explanation, but is it the intention that every firewall rule must be added after this recipe? It would strike me as sensible to have rules for ssh etc. in a base recipe/role which tends to run first, but in my experience here, those have no effect. Or perhaps they require some odd wrangling which I haven't figured out yet :)
Adding all firewall rules after elkstack::acl is a workable solution, but I would suggest it's not obvious. I assumed I was doing something wrong!
Also, even the code of firewall provider suggests that a default drop policy should occur when enabled:
https://github.com/opscode-cookbooks/firewall/blob/master/libraries/provider_firewall_iptables.rb#L40-L53
Am I misunderstanding?
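To make the ordering point in the two comments above concrete, here is a small added example (not code from elkstack or the firewall cookbook) that models how iptables walks a chain: first matching rule wins, and the chain policy only applies when nothing matches. The rule set is constructed to mirror the `iptables -L` output in the issue (the loopback rule is left out because interfaces are not modelled), the `DROP_ALL` rule stands in for a hypothetical default-deny recipe, and the probe packets are made up. The three scenarios show the output as reported (ACCEPT policy, so the rules change nothing), a drop-all rule declared before the ELK rules (which shadows all of them), and a drop-all rule declared last (the intended default deny).

```ruby
# Added example (not code from elkstack or the firewall cookbook): a tiny
# model of how iptables evaluates an INPUT chain, to show why the position
# of a "drop everything" rule decides whether the ACCEPT rules above it matter.
# The rule set is constructed to mirror the `iptables -L` output in the issue;
# the loopback rule is omitted because interfaces are not modelled.

# A rule matches on protocol (:tcp, :udp or nil for any) and destination
# port (an array, or nil for any). The comment is only for display.
Rule = Struct.new(:target, :proto, :dports, :comment) do
  def matches?(pkt)
    (proto.nil? || proto == pkt[:proto]) &&
      (dports.nil? || dports.include?(pkt[:dport]))
  end
end

# iptables semantics: walk the chain top to bottom, the first matching rule
# decides; if nothing matches, the chain policy applies.
def verdict(chain, policy, pkt)
  hit = chain.find { |r| r.matches?(pkt) }
  hit ? hit.target : policy
end

# Rules the elkstack::acl recipe installs, as seen in the issue (constructed).
ELK_ALLOW = [
  Rule.new(:accept, :tcp, [5959], 'allow syslog entries inbound'),
  Rule.new(:accept, :tcp, [5960], 'allow lumberjack entries inbound'),
  Rule.new(:accept, :tcp, [5961], 'allow tcp entries inbound'),
  Rule.new(:accept, :tcp, [443],  'allow nginx SSL entries inbound'),
  Rule.new(:accept, :tcp, [80],   'allow nginx entries inbound'),
  Rule.new(:accept, :udp, [5962], 'allow udp entries inbound')
].freeze

# A default-deny rule of the kind a separate recipe would add (hypothetical).
DROP_ALL = Rule.new(:drop, nil, nil, 'default drop').freeze

# Sample inbound packets (constructed): an ELK port, ssh, and stray ports.
PROBES = {
  syslog: { proto: :tcp, dport: 5959 },
  ssh:    { proto: :tcp, dport: 22 },
  udp:    { proto: :udp, dport: 5962 },
  random: { proto: :udp, dport: 9999 }
}.freeze

# Evaluate every probe against a chain and return name => verdict.
def verdicts(chain, policy = :accept)
  PROBES.transform_values { |pkt| verdict(chain, policy, pkt) }
end

# 1. What the issue reports: only ACCEPT rules and an ACCEPT policy, so the
#    rules change nothing; ssh and random ports are allowed just the same.
def as_observed
  verdicts(ELK_ALLOW)
end

# 2. A drop-all rule declared *before* the ELK rules shadows all of them:
#    every probe, ELK ports included, is dropped.
def drop_declared_first
  verdicts([DROP_ALL] + ELK_ALLOW)
end

# 3. The ordering the maintainer recommends: drop-all last, after every
#    ACCEPT, gives the intended default deny while the ELK ports stay open.
def drop_declared_last
  verdicts(ELK_ALLOW + [DROP_ALL])
end

if __FILE__ == $PROGRAM_NAME
  { 'as observed' => as_observed,
    'drop first'  => drop_declared_first,
    'drop last'   => drop_declared_last }.each do |label, result|
    puts "#{label.ljust(12)} #{result}"
  end
end
```

Scenario 1 is exactly the output pasted at the top of the issue: with `policy ACCEPT` and nothing but ACCEPT rules, the chain is a no-op, which is why checking the policy line (or the last rule) is the quick way to tell whether a host actually has a default deny. Scenario 2 is the shadowing that happens when a cookbook emits rules strictly in declaration order and the drop-all lands first, and scenario 3 is the order the maintainer describes.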
Hi @patcon -- the firewall cookbook has been updated to allow firewall_rule resources to be declared in any order, in #83 and #84. I've confirmed that's what is happening now on elkstack as well. I'm going to do an update to pin elkstack to at least the latest firewall cookbook, and then I'll go ahead and close this.
As always, thanks Martin! I'll definitely revisit at some point soon
I think this one is resolved now 👍