The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Feature #10025

puppetlabs-firewall: TCP flags matching support

Added by Andre Nathan over 2 years ago. Updated almost 2 years ago.

Status: Merged - Pending Release
Start date: 10/11/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: firewall
Spent time: -
Target version: firewall 1.0.0
Keywords:
Branch:


Description

The puppetlabs-firewall module doesn't support the --tcp-flags argument to iptables. This is useful to allow blocking of certain attacks (e.g. http://www.frozentux.net/iptables-tutorial/chunkyhtml/x6287.html).
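The --tcp-flags argument the description asks for is iptables' "MASK COMP" match: only the flags named in MASK are examined, and among those exactly the flags named in COMP must be set. The following Python is an added illustration, not code from this ticket or from the puppetlabs-firewall module; it models that matching semantics and runs a few constructed packets through a small flag-based filter. The rule list (BOGUS_FLAG_RULES, NEW_CONNECTION_RULE) is assumed here in the spirit of the linked tutorial's bad-packet chain and of the "mimic stateful filtering" use mentioned later in the thread, not copied from the ticket.

```python
"""Model of the iptables '--tcp-flags MASK COMP' match.

Semantics (iptables(8)): only the flags listed in MASK are examined; the
packet matches when, of those, exactly the flags listed in COMP are set.
ALL and NONE are accepted aliases for the full set and the empty set.
All rule strings and sample packets below are constructed for illustration.
"""

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


def parse_flag_list(spec: str) -> frozenset:
    """Parse a comma-separated flag list, expanding the ALL/NONE aliases."""
    names = {name.strip().upper() for name in spec.split(",") if name.strip()}
    if names == {"ALL"}:
        return TCP_FLAGS
    if names == {"NONE"}:
        return frozenset()
    unknown = names - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return frozenset(names)


def tcp_flags_match(rule: str, packet_flags) -> bool:
    """Return True if PACKET_FLAGS satisfies the 'MASK COMP' rule string.

    The rule string is exactly what follows --tcp-flags on the iptables
    command line, e.g. 'SYN,ACK SYN' or 'ALL NONE'. As in the kernel match,
    the test is (flags & MASK) == COMP, so a COMP flag that is not in MASK
    makes the rule unable to match anything.
    """
    parts = rule.split()
    if len(parts) != 2:
        raise ValueError("rule must be two whitespace-separated lists: 'MASK COMP'")
    mask = parse_flag_list(parts[0])
    comp = parse_flag_list(parts[1])
    present = frozenset(flag.upper() for flag in packet_flags)
    return (present & mask) == comp


# Assumed rule list: flag combinations no legitimate TCP stack sends.
BOGUS_FLAG_RULES = [
    "SYN,FIN SYN,FIN",   # SYN and FIN together
    "SYN,RST SYN,RST",   # SYN and RST together
    "FIN,RST FIN,RST",
    "ALL NONE",          # no flags at all ("null")
    "ALL ALL",           # every flag set
    "ALL FIN,PSH,URG",   # "xmas" combination
]

# Assumed "new connection" match: SYN set, ACK/RST/FIN clear. Negating this
# is how a flag-only ruleset approximates "accept established traffic".
NEW_CONNECTION_RULE = "FIN,SYN,RST,ACK SYN"


def classify(packet_flags) -> str:
    """Classify a packet's flags the way a flag-based filter chain would."""
    if any(tcp_flags_match(rule, packet_flags) for rule in BOGUS_FLAG_RULES):
        return "bogus"
    if tcp_flags_match(NEW_CONNECTION_RULE, packet_flags):
        return "new"
    return "established"


if __name__ == "__main__":
    samples = {  # constructed sample packets (label -> set flags)
        "client SYN": {"SYN"},
        "server SYN/ACK": {"SYN", "ACK"},
        "data segment": {"ACK", "PSH"},
        "null scan": set(),
        "xmas scan": {"FIN", "PSH", "URG"},
    }
    for label, flags in samples.items():
        print(f"{label:15s} {sorted(flags)!s:25s} -> {classify(flags)}")
```

The flag names and the "MASK COMP" string shape are the ones iptables takes on the command line, so the same strings can be checked here before being placed in a firewall rule; a packet with SYN and ACK both set is deliberately classified as "established" rather than "new", which is the distinction a flag-only ruleset relies on when no connection tracking is available.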

History

#1 Updated by Ken Barber over 2 years ago

  • Category set to firewall
  • Status changed from Unreviewed to Accepted

#2 Updated by Jeff Ollie over 2 years ago

Has anyone had some time to code up a solution? I could really use this to puppetize the ip6tables settings on my CentOS 5 boxes. Stateful filtering doesn’t work with IPv6 on CentOS 5 so the default rules use the tcp flags settings to mimic stateful filtering.

#3 Updated by Thomas Vander Stichele about 2 years ago

Jeff Ollie wrote:

Has anyone had some time to code up a solution? I could really use this to puppetize the ip6tables settings on my CentOS 5 boxes. Stateful filtering doesn’t work with IPv6 on CentOS 5 so the default rules use the tcp flags settings to mimic stateful filtering.

I had to implement this to support port knocking. Feel free to give it a try: https://github.com/thomasvs/puppetlabs-firewall/tree/ticket/10025-TCP-flags-matching-support

#4 Updated by Thomas Vander Stichele almost 2 years ago

Jeff, did you manage to try this?

#5 Updated by Jeff Ollie almost 2 years ago

Thomas Vander Stichele wrote:

Jeff, did you manage to try this?

I stopped using puppet (for other reasons) so I never got a chance to try it.

#6 Updated by Ken Barber almost 2 years ago

  • Status changed from Accepted to Merged - Pending Release
  • Target version set to firewall 1.0.0
