Feature/inv 41 Firewalld in PF #8055
base: devel
Branch force-pushed from c7e9808 to 64290f6
port=1822
type=tcp
[radius_auth_clu_port3]
port=2093
It's the radsec one.
Before=packetfence-haproxy-admin.service
Before=packetfence-docker-iptables.service
Requires=packetfence-docker-iptables.service
PartOf=packetfence-docker-iptables.service
Why is there no call to generate the firewalld config?
Because it is started at installation time (https://github.com/inverse-inc/packetfence/blob/feature/INV-41/debian/packetfence.postinst#L228), and at this point pfconfig is empty.
There is no config done yet.
In current devel, iptables is started at this point, and at the same point the docker-iptables service is a fake one: https://github.com/inverse-inc/packetfence/blob/devel/conf/systemd/packetfence-docker-iptables.service#L9
In fact, that iptables service dependency at boot is using the fact that the iptables service will fail during PF installation.
Thanks to the failure, at the exit of iptables, new rules are defined.
-- Journal begins at Wed 2024-07-10 11:19:44 UTC, ends at Wed 2024-07-10 11:44:36 UTC. --
Jul 10 11:29:53 172-234-151-109 systemd[1]: Started PacketFence Iptables configuration.
Jul 10 11:29:55 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:29:56 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:29:57 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:29:58 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:29:59 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:00 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:01 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:02 172-234-151-109 systemd[1]: Stopping PacketFence Iptables configuration...
Jul 10 11:30:02 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:03 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:04 172-234-151-109 packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:05 172-234-151-109 sudo[31331]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -F
Jul 10 11:30:05 172-234-151-109 sudo[31331]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31331]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31334]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -X
Jul 10 11:30:05 172-234-151-109 sudo[31334]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31334]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31337]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -F
Jul 10 11:30:05 172-234-151-109 sudo[31337]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31337]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31340]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -X
Jul 10 11:30:05 172-234-151-109 sudo[31340]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31340]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31343]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t mangle -F
Jul 10 11:30:05 172-234-151-109 sudo[31343]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31343]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31346]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t mangle -X
Jul 10 11:30:05 172-234-151-109 sudo[31346]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31346]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31349]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -P INPUT ACCEPT
Jul 10 11:30:05 172-234-151-109 sudo[31349]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31349]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31352]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -P FORWARD ACCEPT
Jul 10 11:30:05 172-234-151-109 sudo[31352]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31352]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31355]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -P OUTPUT ACCEPT
Jul 10 11:30:05 172-234-151-109 sudo[31355]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31355]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31358]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -N DOCKER
Jul 10 11:30:05 172-234-151-109 sudo[31358]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31358]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31361]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
Jul 10 11:30:05 172-234-151-109 sudo[31361]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31361]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31364]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
Jul 10 11:30:05 172-234-151-109 sudo[31364]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31364]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31367]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A POSTROUTING -s 100.64.0.0/10 ! -o docker0 -j MASQUERADE
Jul 10 11:30:05 172-234-151-109 sudo[31367]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31367]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 sudo[31370]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A DOCKER -i docker0 -j RETURN
Jul 10 11:30:05 172-234-151-109 sudo[31370]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 172-234-151-109 sudo[31370]: pam_unix(sudo:session): session closed for user root
Jul 10 11:30:05 172-234-151-109 systemd[1]: packetfence-iptables.service: Succeeded.
Jul 10 11:30:05 172-234-151-109 systemd[1]: Stopped PacketFence Iptables configuration.
Jul 10 11:30:05 172-234-151-109 systemd[1]: packetfence-iptables.service: Consumed 5.222s CPU time.
So it is tricky, because we are using iptables in order to have the rules defined when it is failing.
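An added example, not code from the PR or from PacketFence, that replays the sudo-logged iptables commands from a journal excerpt like the one above into an in-memory ruleset model, so an operator can see exactly what the unit's exit leaves on the host (flushed user chains, ACCEPT policies, the Docker NAT chain). The journal lines are a constructed subset of the excerpt above; the "before" ruleset (`OLD-PF` chain, `FORWARD DROP` policy) is constructed too.

```python
import re
# Constructed excerpt of the journal quoted above (pam_unix session lines are ignored).
SAMPLE_JOURNAL = """\
Jul 10 11:30:04 host packetfence[30662]: -e(30662) ERROR: unable to connect to database: Access denied for user 'pf'@'localhost' (pf::db::db_connect)
Jul 10 11:30:05 host sudo[31331]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -F
Jul 10 11:30:05 host sudo[31331]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Jul 10 11:30:05 host sudo[31334]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -X
Jul 10 11:30:05 host sudo[31352]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -P FORWARD ACCEPT
Jul 10 11:30:05 host sudo[31358]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -N DOCKER
Jul 10 11:30:05 host sudo[31361]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
Jul 10 11:30:05 host sudo[31367]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A POSTROUTING -s 100.64.0.0/10 ! -o docker0 -j MASQUERADE
Jul 10 11:30:05 host sudo[31370]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -t nat -A DOCKER -i docker0 -j RETURN
"""

BUILTIN = {"filter": ["INPUT", "FORWARD", "OUTPUT"],
           "nat": ["PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"]}
CMD_RE = re.compile(r"COMMAND=/usr/sbin/iptables (?P<args>.+)$")
def iptables_commands(journal):
    """Argument list of every iptables invocation sudo logged, in journal order."""
    return [m.group("args").split() for line in journal.splitlines()
            if (m := CMD_RE.search(line))]
def prior_state():
    """Constructed 'before' ruleset: a DROP policy on FORWARD and a leftover user chain."""
    st = {t: {"policy": dict.fromkeys(c, "ACCEPT"), "chains": {n: [] for n in c}}
          for t, c in BUILTIN.items()}
    st["filter"]["policy"]["FORWARD"] = "DROP"
    st["filter"]["chains"]["OLD-PF"] = ["-p tcp --dport 1812 -j DROP"]
    return st
def replay(cmds, st):
    """Apply -F/-X/-N/-A/-P (with an optional leading -t table) to the ruleset model."""
    for args in cmds:
        table = "filter"
        if args[0] == "-t":
            table, args = args[1], args[2:]
        op, rest, chains = args[0], args[1:], st[table]["chains"]
        if op == "-F":      # flush one chain, or every chain of the table
            for c in rest[:1] or list(chains):
                chains[c] = []
        elif op == "-X":    # delete user chains; built-in chains cannot be deleted
            for c in rest[:1] or [c for c in chains if c not in BUILTIN[table]]:
                chains.pop(c, None)
        elif op == "-N":
            chains[rest[0]] = []
        elif op == "-A":
            chains[rest[0]].append(" ".join(rest[1:]))
        elif op == "-P":
            st[table]["policy"][rest[0]] = rest[1]
    return st
def ruleset_after_exit(journal=SAMPLE_JOURNAL):
    return replay(iptables_commands(journal), prior_state())
```

Feeding it the real journal of the unit shows the same thing the excerpt does: whatever was configured before is flushed and the host is left with ACCEPT policies plus the Docker NAT rules until pfconfig-driven rules are generated.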
In fact, that iptables service dependency at installation is using the fact that the iptables service will fail during PF installation. The DB is not yet defined and there is no connection.
Thanks to the failure, at the exit of iptables, new rules are defined.
So it is tricky, because we are using iptables in order to have the rules defined when it is failing.
Needs dedicated log file
Branch force-pushed from 9e76f84 to aeb44f5
These services have a systemd service related to firewalld but no related rules:
Branch force-pushed from 4fdf5ba to 620b0dc
Branch force-pushed from 66d88dc to d8743b9
…eady zones defined there
…uld not be overwritten
Description
Move from iptables to firewalld. Make things more dynamic to update the firewall rules.
Impacts
Get out of iptables.
Code / PR Dependencies
feature/INV-41 on fingerbank-collector
Delete branch after merge: YES
Checklist
NEWS file entries: New Features