Puppet Setup Firewall Rules


Question:  The Nautilus DevOps team was auditing some of the applications running on all app servers in Stratos Datacenter. They found some security loopholes; for example, they observed that there is no firewall installed on these app servers. So, the team has decided to install firewalld on all App Servers. Some rules need to be added. This task needs to be done using Puppet; please complete the task per the following details:

Create an inventory file code.pp under /etc/puppetlabs/code/environments/production/manifests directory on Puppet master node i.e on Jump Server. In this inventory file you need to define node specific classes only which are mentioned below.

Define a class firewall_node1 for agent node 1 i.e App Server 1, firewall_node2 for agent node 2 i.e App Server 2, and firewall_node3 for agent node 3 i.e App Server 3.

Also create a Puppet programming file blog.pp under /etc/puppetlabs/code/environments/production/manifests directory on Puppet master node i.e on Jump Server and write code to perform the following task.

Install puppet firewall module on master node i.e on Jump Server (you can install manually).

There are some different applications running on all three app servers. One of the applications is using port 8085 on App Server 1, 5009 on App Server 2 and 8095 on App Server 3. Complete the tasks mentioned below:

a. Open all incoming connections for 8085/tcp port on App Server 1 and zone should be public.

b. Open all incoming connections for 5009/tcp port on App Server 2 and zone should be public.

c. Open all incoming connections for 8095/tcp port on App Server 3 and zone should be public.

Note: Please do not add firewall rich rules.

Please Note :- The server names, user names and other details in the commands below are taken from this instance of the task and may differ in yours, so read your task carefully before executing anything. All the Best 👍


Solution:  

1. Go to the directory mentioned in the task and create the two Puppet files.

Create the inventory file code.pp

root@jump_host /# cd /etc/puppetlabs/code/environments/production/manifests/

root@jump_host /etc/puppetlabs/code/environments/production/manifests#  vi code.pp

root@jump_host /etc/puppetlabs/code/environments/production/manifests# cat code.pp

node 'stapp01.stratos.xfusioncorp.com' {
  include firewall_node1
}

node 'stapp02.stratos.xfusioncorp.com' {
  include firewall_node2
}

node 'stapp03.stratos.xfusioncorp.com' {
  include firewall_node3
}

root@jump_host /etc/puppetlabs/code/environments/production/manifests#

 
Create the Puppet programming file blog.pp for the firewall rules

root@jump_host /etc/puppetlabs/code/environments/production/manifests# vi blog.pp

root@jump_host /etc/puppetlabs/code/environments/production/manifests# cat blog.pp

# Declared at top scope of the manifests directory, so every node gets the
# firewalld package installed and the firewalld service running before the
# firewalld_port resources below are applied.
class { 'firewalld': }

# Opens 8085/tcp in the public zone on App Server 1 (no rich rules, per the task).
class firewall_node1 {
  firewalld_port { 'Open port 8085 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 8085,
    protocol => 'tcp',
  }
}

# Opens 5009/tcp in the public zone on App Server 2.
class firewall_node2 {
  firewalld_port { 'Open port 5009 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 5009,
    protocol => 'tcp',
  }
}

# Opens 8095/tcp in the public zone on App Server 3.
class firewall_node3 {
  firewalld_port { 'Open port 8095 in the public zone':
    ensure   => present,
    zone     => 'public',
    port     => 8095,
    protocol => 'tcp',
  }
}

root@jump_host /etc/puppetlabs/code/environments/production/manifests#


2. Validate the syntax of both manifests with the commands below (see the video below for a walkthrough). Note that puppet parser validate checks syntax only; it will not complain if the firewalld module is not installed yet, so do not skip step 3.

root@jump_host /etc/puppetlabs/code/environments/production/manifests# puppet parser validate code.pp

root@jump_host /etc/puppetlabs/code/environments/production/manifests# puppet parser validate blog.pp

root@jump_host /etc/puppetlabs/code/environments/production/manifests#

3. Install the puppet-firewalld module on the jump server (the Puppet master). It lands in the production environment's modules directory, which is where the agents' catalogs are compiled from, and it pulls in puppetlabs-stdlib as a dependency.

root@jump_host /etc/puppetlabs/code/environments/production/manifests# puppet module install puppet-firewalld

Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...

Notice: Downloading from https://forgeapi.puppet.com ...

Notice: Installing -- do not interrupt ...

/etc/puppetlabs/code/environments/production/modules

└─ puppet-firewalld (v4.4.0)

  └── puppetlabs-stdlib (v6.6.0)

root@jump_host /etc/puppetlabs/code/environments/production/manifests#

4. Log in to each app server (stapp01, stapp02, stapp03) and switch to the root user.

root@jump_host /# ssh tony@stapp01

The authenticity of host 'stapp01 (172.16.238.10)' can't be established.

ECDSA key fingerprint is SHA256:QZzut25c5Xsf62UTK9uYe8jHZPZjhj9PcEUKkNNRpYU.

ECDSA key fingerprint is MD5:4c:79:c0:49:96:8f:a8:d6:1d:9d:12:f2:03:cf:89:85.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts.

tony@stapp01's password:

[tony@stapp01 ~]$ sudo su - 

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

     #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

 [sudo] password for tony:

[root@stapp01 ~]#


5. The rules only appear on an app server once the agent has applied the catalog (run puppet agent -t as root if the agent has not already run on its schedule). Then validate the task by running telnet stapp01 8085 from the jump host, and the same for the other app servers with their ports. Keep in mind that telnet only connects if an application is actually listening on that port, so a refused connection does not by itself mean the firewall rule is missing; the authoritative check is firewall-cmd --zone=public --list-ports on the app server itself, which should list the expected port, while firewall-cmd --zone=public --list-rich-rules should print nothing, since the task forbids rich rules.
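As an added check (not part of the original post or of the KodeKloud task itself), the helper below verifies from firewalld's own view that the expected port is open in the public zone and that no rich rules were added. The parsing functions take the output of firewall-cmd as strings, so they can be exercised off-box against the constructed sample outputs at the bottom, which are assumptions made for illustration; live_check runs the real firewall-cmd commands when invoked with a port on an app server as root.

```shell
#!/usr/bin/env bash
# Added verification helper (not from the original post): confirms on an app
# server that firewalld has the expected port open in the public zone and that
# no rich rules were added. Usage on the server, as root:  ./check_fw.sh 8085

# port_is_open PORT/PROTO "<output of firewall-cmd --zone=public --list-ports>"
# firewall-cmd prints the ports space-separated on one line, e.g. "8085/tcp 443/tcp".
port_is_open() {
  local want="$1" listed="$2" p
  for p in $listed; do
    [ "$p" = "$want" ] && return 0
  done
  return 1
}

# no_rich_rules "<output of firewall-cmd --zone=public --list-rich-rules>"
# Succeeds only when the output is empty or whitespace.
no_rich_rules() {
  local out
  out="$(printf '%s' "$1" | tr -d '[:space:]')"
  [ -z "$out" ]
}

# verify_zone PORT/PROTO LIST_PORTS_OUTPUT RICH_RULES_OUTPUT
# Prints a PASS/FAIL line per check and returns 0 only if both pass.
verify_zone() {
  local want="$1" ports="$2" rich="$3" rc=0
  if port_is_open "$want" "$ports"; then
    echo "PASS: $want is open in the public zone"
  else
    echo "FAIL: $want not found in public zone ports: '$ports'"
    rc=1
  fi
  if no_rich_rules "$rich"; then
    echo "PASS: no rich rules in the public zone"
  else
    echo "FAIL: rich rules present (the task says not to add any):"
    printf '%s\n' "$rich"
    rc=1
  fi
  return $rc
}

# live_check PORT: queries the running firewalld on this host (needs root).
live_check() {
  local port="${1:?usage: live_check PORT}"
  command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; is firewalld installed?"; return 2; }
  firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld is not running"; return 2; }
  verify_zone "${port}/tcp" \
    "$(firewall-cmd --zone=public --list-ports)" \
    "$(firewall-cmd --zone=public --list-rich-rules)"
}

# Constructed sample outputs (assumptions, for exercising the parser off-box).
SAMPLE_PORTS_OK="8085/tcp"
SAMPLE_PORTS_MISSING=""
SAMPLE_RICH_EMPTY=""
SAMPLE_RICH_PRESENT='rule family="ipv4" port port="8085" protocol="tcp" accept'

# Only talk to the real firewalld when a port was given on the command line.
if [ $# -gt 0 ]; then
  live_check "$1"
fi
```

Run it once per app server with that server's port (8085, 5009, 8095); a non-zero exit means either the port is not listed in the public zone (the agent has not applied the catalog, or the wrong class was included for that node) or a rich rule slipped in.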


Please Note :- You have to do this on all app servers (stapp01, stapp02, stapp03); only stapp01 is shown here.

6. Click Finish and Confirm to complete the task.

Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this; please go through it and share your comments. Like and share the knowledge.


