Configure the firewall type

To help protect your infrastructure, SCE enforces a firewall solution, firewalld, by default on Red Hat Enterprise Linux (RHEL)-based distributions. firewalld is a zone-based firewall manager that monitors traffic and applies the rules of the zone it belongs to. To change the firewall type, or to specify that SCE does not manage a firewall at all, update the firewall configuration as shown in the examples that follow.

Firewalls that are based on the nftables framework are not supported. Use the firewalld or iptables setting instead.

Default setting for RHEL-based distributions

The default setting is firewalld:

sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'firewalld'

Example: Using the iptables utility

You can also specify a value of iptables:

sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'iptables'

Example: Using the unmanaged setting

You can also specify a value of unmanaged. If you specify unmanaged, SCE does not enforce a state on any firewall resource:

sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'unmanaged'

Example: Custom configuration

You can also specify a custom configuration. The following example, based on a RHEL 9 environment, creates and activates two firewall zones:

  • In the public zone, HTTP, HTTPS, NTP, and SSH services are enabled.

  • In the custom_zone, HTTP_CUSTOM_ZONE is enabled.

In addition, Transmission Control Protocol (TCP) ports 8142 and 8140 are opened in the public zone to allow communication with the Puppet agent.

sce_linux::benchmark: 'cis'
sce_linux::config:
  level: "1"
  profile: "server"
  control_configs:
    "Ensure a single firewall configuration utility is in use":
      ensure_package: "installed"
      ensure_iptables_package: "installed"
      merge_defaults: true
      purge_iptables_services: true
      purge_nftables: true
      default_zone: "public"
      ports:
        'Open Puppet port 8142':
          ensure: present
          zone: public
          port: 8142
          protocol: 'tcp'
        'Open Puppet port 8140':
          ensure: present
          zone: public
          port: 8140
          protocol: 'tcp'
      zones:
        public:
          ensure: present
          target: '%%REJECT%%'
          purge_services: true
        custom_zone:
          ensure: present
          target: '%%REJECT%%'
      services:
        'HTTP_CUSTOM_ZONE':
          ensure: 'present'
          service: 'http'
          zone: 'custom_zone'
        'HTTP':
          ensure: 'present'
          service: 'http'
          zone: 'public'
        'HTTPS':
          ensure: 'present'
          service: 'https'
          zone: 'public'
        'NTP':
          ensure: 'present'
          service: 'ntp'
          zone: 'public'
        'SSH':
          ensure: 'present'
          service: 'ssh'
          zone: 'public'
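The custom configuration above is only as safe as its internal consistency: a service or port bound to a zone that is never declared, a default_zone that does not exist, or a zone whose target is ACCEPT all silently weaken the intended default-deny posture. The following Python check is an added example, not code from this page or from the SCE module; it assumes the sce_linux::config data has already been loaded from Hiera into a plain dictionary (reproduced here as a constructed copy of the page's custom example) and reports such inconsistencies before the catalog is applied.

```python
SUPPORTED_FIREWALL_TYPES = {"firewalld", "iptables", "unmanaged"}
CONTROL = "Ensure a single firewall configuration utility is in use"

# Constructed copy of the page's custom config, as Hiera would load the YAML.
PAGE_CONFIG = {
    "level": "1", "profile": "server",
    "control_configs": {CONTROL: {
        "default_zone": "public",
        "ports": {
            "Open Puppet port 8142": {"ensure": "present", "zone": "public", "port": 8142, "protocol": "tcp"},
            "Open Puppet port 8140": {"ensure": "present", "zone": "public", "port": 8140, "protocol": "tcp"},
        },
        "zones": {
            "public": {"ensure": "present", "target": "%%REJECT%%", "purge_services": True},
            "custom_zone": {"ensure": "present", "target": "%%REJECT%%"},
        },
        "services": {
            "HTTP_CUSTOM_ZONE": {"ensure": "present", "service": "http", "zone": "custom_zone"},
            "HTTP": {"ensure": "present", "service": "http", "zone": "public"},
            "HTTPS": {"ensure": "present", "service": "https", "zone": "public"},
            "NTP": {"ensure": "present", "service": "ntp", "zone": "public"},
            "SSH": {"ensure": "present", "service": "ssh", "zone": "public"},
        },
    }},
}


def validate_firewall_config(config):
    """Return a list of findings; an empty list means the structure is consistent."""
    findings = []
    fw_type = config.get("firewall_type")
    if fw_type is not None and fw_type not in SUPPORTED_FIREWALL_TYPES:
        findings.append(f"firewall_type '{fw_type}' is not supported; use firewalld, iptables or unmanaged")
    control = config.get("control_configs", {}).get(CONTROL, {})
    zones = control.get("zones", {})
    default_zone = control.get("default_zone")
    if default_zone and default_zone not in zones:
        findings.append(f"default_zone '{default_zone}' is not declared under zones")
    for name, zone in zones.items():
        if zone.get("target") == "ACCEPT":  # zone would admit all traffic not matched by a rule
            findings.append(f"zone '{name}' has target ACCEPT, so it is not default-deny")
    for kind in ("ports", "services"):
        for name, entry in control.get(kind, {}).items():
            if entry.get("zone") not in zones:
                findings.append(f"{kind[:-1]} '{name}' references undeclared zone '{entry.get('zone')}'")
    for name, entry in control.get("ports", {}).items():
        port, proto = entry.get("port"), entry.get("protocol")
        if not (isinstance(port, int) and 1 <= port <= 65535) or proto not in ("tcp", "udp"):
            findings.append(f"port '{name}' has invalid port/protocol {port}/{proto}")
    return findings
```

Running the check against the page's configuration returns no findings; the same function flags an unsupported firewall_type such as nftables, a service bound to an undeclared zone, an out-of-range port, or an ACCEPT-target zone.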