Configure the firewall type
To help protect your infrastructure, SCE enforces a firewall solution, firewalld, by default on Red Hat Enterprise Linux (RHEL)-based distributions. firewalld is zone-based software that is designed to monitor traffic and take appropriate action. To change the firewall type or specify that SCE does not manage a firewall, you can update the firewall configuration.
Note: The nftables framework is not supported. Use the firewalld or iptables setting instead.
Default setting for RHEL-based distributions
The default setting is firewalld:
sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'firewalld'
Example: Using the iptables utility
You can also specify a value of iptables:
sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'iptables'
Example: Using the unmanaged setting
You can also specify a value of unmanaged. If you specify unmanaged, SCE does not enforce a state on any firewall resource:
sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'unmanaged'
Example: Custom configuration of firewalld using control_configs options on RHEL-based distributions
You can also specify a custom configuration by using control_configs options. The following example, based on a RHEL 9 environment, creates and activates two firewall zones:
- In the public zone, the HTTP, HTTPS, NTP, and SSH services are enabled.
- In the custom_zone, HTTP_CUSTOM_ZONE is enabled.
In addition, Transmission Control Protocol (TCP) ports 8142 and 8140 are opened to facilitate communication with the Puppet agent.
sce_linux::benchmark: 'cis'
sce_linux::config:
  level: "1"
  profile: "server"
  control_configs:
    "Ensure a single firewall configuration utility is in use":
      ensure_package: "installed"
      ensure_iptables_package: "installed"
      merge_defaults: true
      purge_iptables_services: true
      purge_nftables: true
      default_zone: "public"
      ports:
        'Open Puppet port 8142':
          ensure: present
          zone: public
          port: 8142
          protocol: 'tcp'
        'Open Puppet port 8140':
          ensure: present
          zone: public
          port: 8140
          protocol: 'tcp'
      zones:
        public:
          ensure: present
          target: '%%REJECT%%'
          purge_services: true
        custom_zone:
          ensure: present
          target: '%%REJECT%%'
      services:
        'HTTP_CUSTOM_ZONE':
          ensure: 'present'
          service: 'http'
          zone: 'custom_zone'
        'HTTP':
          ensure: 'present'
          service: 'http'
          zone: 'public'
        'HTTPS':
          ensure: 'present'
          service: 'https'
          zone: 'public'
        'NTP':
          ensure: 'present'
          service: 'ntp'
          zone: 'public'
        'SSH':
          ensure: 'present'
          service: 'ssh'
          zone: 'public'
Example: Custom configuration of ufw
You can specify a custom configuration based on the Uncomplicated Firewall (ufw) framework, which is built into Debian-based distributions such as Ubuntu Linux.
In the following example, port 23 is opened for inbound Telnet connections, and port 21 is closed for inbound File Transfer Protocol (FTP) connections.
For the action parameter, a value of allow or deny can be specified. For the direction parameter, the value must be in or out. The proto parameter can specify any system-supported protocol.
sce_linux::utils::firewall::ufw::manage_ufw: true
sce_linux::utils::firewall::ufw::manage_ufw_service: true
sce_linux::utils::firewall::ufw::enable_ufw_service: true
sce_linux::utils::firewall::ufw::ensure_ufw_default_deny_firewall_policy: true
sce_linux::utils::firewall::ufw::custom_rules:
  - name: 'telnet'
    ensure: 'present'
    action: 'allow'
    direction: 'in'
    local_addr: '0.0.0.0/0'
    remote_addr: '0.0.0.0/0'
    proto: 'tcp'
    local_port: '23'
  - name: 'ftp'
    ensure: 'present'
    action: 'deny'
    direction: 'in'
    local_addr: '0.0.0.0/0'
    remote_addr: '0.0.0.0/0'
    proto: 'tcp'
    local_port: '21'
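As an added pre-flight check that is not part of the SCE module, the following Python script validates Hiera data for both the firewalld control_configs example and the ufw custom_rules example above: it confirms that every zone referenced by a port or service entry is declared under zones, and that each ufw rule uses only the allow/deny and in/out values the parameters accept. It assumes the YAML has already been loaded into Python dicts; the embedded sample data is constructed and deliberately contains one error of each kind.

```python
# Added pre-flight check for SCE firewall Hiera data; not part of the SCE module.
# Assumes the YAML has already been loaded into dicts (a YAML parser step is
# omitted). The constructed sample below mirrors the examples on this page.

def check_firewalld_control(ctrl):
    """Cross-check zones, ports and services in a control_configs block."""
    problems = []
    zones = {z for z, s in ctrl.get("zones", {}).items() if s.get("ensure") == "present"}
    if ctrl.get("default_zone") not in zones:
        problems.append(f"default_zone {ctrl.get('default_zone')!r} is not a declared zone")
    for kind in ("ports", "services"):
        for name, spec in ctrl.get(kind, {}).items():
            if spec.get("zone") not in zones:  # firewalld cannot attach to a missing zone
                problems.append(f"{kind[:-1]} {name!r} references undeclared zone {spec.get('zone')!r}")
            if kind == "ports" and not 1 <= int(spec.get("port", 0)) <= 65535:
                problems.append(f"port {name!r} is out of range")
    return problems


def check_ufw_rules(rules):
    """Validate ufw custom_rules: action allow|deny, direction in|out, numeric port."""
    problems = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if rule.get("action") not in ("allow", "deny"):
            problems.append(f"rule {name!r}: action must be allow or deny")
        if rule.get("direction") not in ("in", "out"):
            problems.append(f"rule {name!r}: direction must be in or out")
        port = rule.get("local_port")
        if port is not None and not (str(port).isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"rule {name!r}: local_port {port!r} is not a valid port")
    return problems


# Constructed sample data: the service zone and the ftp rule are deliberately wrong.
SAMPLE_FIREWALLD = {
    "default_zone": "public",
    "zones": {"public": {"ensure": "present", "target": "%%REJECT%%"}},
    "ports": {"Open Puppet port 8140": {"zone": "public", "port": 8140, "protocol": "tcp"}},
    "services": {"HTTP_CUSTOM_ZONE": {"service": "http", "zone": "custom_zone"}},
}
SAMPLE_UFW = [
    {"name": "telnet", "action": "allow", "direction": "in", "proto": "tcp", "local_port": "23"},
    {"name": "ftp", "action": "block", "direction": "inbound", "proto": "tcp", "local_port": "21"},
]

if __name__ == "__main__":
    for problem in check_firewalld_control(SAMPLE_FIREWALLD) + check_ufw_rules(SAMPLE_UFW):
        print("PROBLEM:", problem)
```

Run it against data loaded from your own Hiera files before the Puppet run; an empty result means the zone references and rule parameters are consistent.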