
On CentOS 6.4 and 6.3 I have seen puppet regularly use ports below 32768. This is contrary to the setting for kernel-assigned ports according to:

cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

Example puppet process blocked by my stateless firewall:

ruby     24488 root    3u  IPv4 1844198      0t0  UDP 172.16.10.156:13346->172.16.10.2:domain

I would like to fix this to be able to select a range that does not need to be "world-writable" in a stateless firewall.

Edit: Puppet version 3.1.1 and Ruby 1.8.7

Georg
  • That is odd. I can't imagine why puppet would be directly performing UDP requests instead of issuing system calls, which should be following the kernel settings. – Zoredache Apr 14 '13 at 01:21
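The question asks why a Ruby process would bind UDP sockets outside the kernel's ephemeral range. The relevant mechanism is in Ruby's standard-library resolver: resolv.rb does not leave the source port to the kernel. Since the 2008 cache-poisoning fixes, Resolv::DNS binds each UDP query socket to a port it draws itself from 1024..65535 (the stdlib helper Resolv::DNS.bind_random_port), so a port such as 13346 is a perfectly normal outcome even when ip_local_port_range says 32768..61000. The script below is an added example, not code from the question or from Puppet; whether the particular Puppet run shown in the lsof line went through resolv.rb is not established on the page, but the observed socket is consistent with it. It contrasts a kernel-assigned port (bind to port 0) with a resolver-chosen one and counts how many resolver ports land below the kernel range. The fallback range, the loopback bind address and the sample count are assumptions of the example.

```ruby
require 'resolv'
require 'socket'

# Read the kernel's ephemeral range from /proc (Linux). If the file is not
# available, fall back to the CentOS 6 default quoted in the question; this
# fallback is an assumption of the example, not something read from the host.
def kernel_port_range(path = '/proc/sys/net/ipv4/ip_local_port_range')
  lo, hi = File.read(path).split.map(&:to_i)
  lo..hi
rescue Errno::ENOENT, Errno::EACCES
  32768..61000
end

# Port the kernel hands out when a UDP socket is bound to port 0. This is the
# path ip_local_port_range governs.
def kernel_assigned_port
  s = UDPSocket.new
  s.bind('127.0.0.1', 0)
  s.addr[1]
ensure
  s.close if s
end

# Port resolv.rb picks for a DNS query socket. Resolv::DNS.bind_random_port is
# the helper the resolver's UDP requester calls; it chooses from 1024..65535
# and retries on EADDRINUSE/EACCES/EPERM, bypassing the kernel's range.
def resolver_chosen_port
  s = UDPSocket.new
  Resolv::DNS.bind_random_port(s, '127.0.0.1')
  s.addr[1]
ensure
  s.close if s
end

# Bind a number of resolver sockets in turn and count how many land below the
# bottom of the kernel range. With a 32768..61000 range roughly half of the
# resolver's 1024..65535 choices fall below it.
def count_below_kernel_range(samples = 200, range = kernel_port_range)
  (1..samples).count { resolver_chosen_port < range.first }
end

if __FILE__ == $0
  range = kernel_port_range
  puts "kernel ip_local_port_range: #{range}"
  puts "kernel-assigned port:       #{kernel_assigned_port}"
  puts "resolver-chosen port:       #{resolver_chosen_port}"
  puts "resolver ports below range: #{count_below_kernel_range} of 200"
end
```

Run it on the affected host: the kernel-assigned port stays inside ip_local_port_range, while the resolver-chosen ports scatter over 1024..65535. That is why restarting the daemon (or setting the sysctl earlier) cannot change the behaviour: the port is chosen in Ruby, not by the kernel, and a stateless filter that opens only the kernel range for replies will drop about half of the resolver's DNS answers.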

2 Answers


Why does your firewall care about the source port of incoming connections/UDP packets at all? The correct fix is not to care about that and only add rules for things that matter: allow traffic to the UDP destination port 53, regardless of source port.

Dennis Kaarsemaker
  • Every firewall has to care about source ports. That's where replies go to. You probably never had to care about that because your firewall uses connection tracking. But I run a stateless firewall due to hosting system constraints and performance considerations. Stateless firewall means no connection tracking - so a range of source ports has to stay generally open for non-syn packets. Of course the trick is to separate this range from the range of ports where services listen for syn packets (new connections). – Georg Apr 16 '13 at 09:35
  • I prefer my firewalls stateless and still don't care about the source port of *incoming* packets. For a DNS server, I accept all packets coming *in to* port 53, and going *out from* port 53. – Dennis Kaarsemaker Apr 16 '13 at 09:44
  • I am talking about DNS queries. If you configured your DNS server really like that and blocked everything else it will maybe SERVE your zones but NOT be able to issue DNS QUERIES. Replies to DNS queries don't go in on port 53. – Georg Apr 16 '13 at 12:18
  • Yes, so you also allow outgoing traffic *to* port 53, and incoming traffic *from* port 53. Still no need to specify source ports for incoming dns queries. – Dennis Kaarsemaker Apr 16 '13 at 13:00
  • Which would allow port scanning, packet injection etc. against my listening ports if the attacker fixes his outgoing port to 53. Quite annoying to have a hole of that size. Especially since your approach is very common and well known to attackers. I know, if my UDP services were all perfectly implemented they could ignore such traffic - but the reason for the FW is to not have to worry about that. – Georg Apr 16 '13 at 14:01
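The disagreement in the comments above is about which field a stateless filter should key on: the remote source port (accept anything coming from port 53) or the local destination port (accept replies only into the ephemeral range). The model below is an added example, written for this page rather than taken from either commenter or from any firewall product. It evaluates two constructed UDP INPUT rule sets against the reply to the exact query in the question's lsof line and against a constructed spoofed probe whose source port is fixed to 53; the probe's address and the SNMP port it targets are assumptions, as is the first-match/default-DROP semantics.

```ruby
# Minimal model of a stateless (no connection tracking) UDP INPUT chain.
# A rule is a hash of optional match fields plus an action; the first rule
# whose fields all match decides, and the chain's default policy is DROP.
Packet = Struct.new(:src, :sport, :dst, :dport)

def evaluate(rules, pkt)
  rule = rules.find do |r|
    (r[:sport].nil? || r[:sport] === pkt.sport) &&
      (r[:dport].nil? || r[:dport] === pkt.dport)
  end
  rule ? rule[:action] : :drop
end

# Approach A (as argued in the answer): trust the peer's source port.
RULES_BY_SOURCE_PORT = [
  { sport: 53, action: :accept },           # replies from any resolver
  { dport: 53, action: :accept },           # queries to our own DNS service
].freeze

# Approach B (as argued in the comments): accept replies only into the
# kernel's ephemeral range, so listening ports are never reachable.
EPHEMERAL = 32768..61000                    # ip_local_port_range from the question
RULES_BY_EPHEMERAL_RANGE = [
  { dport: EPHEMERAL, action: :accept },    # replies to kernel-assigned ports
  { dport: 53, action: :accept },
].freeze

# Reply to the query shown in the question's lsof output
# (172.16.10.156:13346 -> 172.16.10.2:domain), i.e. 172.16.10.2:53 -> :13346.
DNS_REPLY = Packet.new('172.16.10.2', 53, '172.16.10.156', 13346)

# Constructed attacker packet: source port pinned to 53, aimed at a
# hypothetical UDP service listening on 161 (SNMP) on the same host.
SPOOFED_PROBE = Packet.new('198.51.100.7', 53, '172.16.10.156', 161)

# Verdict table for one rule set, keyed by a label for each sample packet.
def verdicts(rules)
  {
    dns_reply:     evaluate(rules, DNS_REPLY),
    spoofed_probe: evaluate(rules, SPOOFED_PROBE),
  }
end

if __FILE__ == $0
  puts "by source port:      #{verdicts(RULES_BY_SOURCE_PORT)}"
  puts "by ephemeral range:  #{verdicts(RULES_BY_EPHEMERAL_RANGE)}"
end
```

The two rule sets fail in opposite directions. Keying on the source port lets the legitimate reply through but also admits the probe to port 161, which is the hole the last comment describes. Keying on the ephemeral destination range blocks the probe but also drops the real reply, because 13346 is below 32768; that is precisely the breakage the question reports. A stateless ruleset that wants both properties has to make the resolver's source ports and the accepted reply range agree, for example by running the stub resolver or local caching nameserver under the filter's control, rather than assuming every reply comes back to a kernel-assigned port.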

Possibly /proc/sys/net/ipv4/ip_local_port_range is being set after the puppet agent daemon starts. Restart the daemon to check.

Mark Wagner
  • Puppet is not run as agent, but as cron job. The service is disabled. This problem was even discovered and is reproducible during manual execution. Happens every other time. – Georg Apr 16 '13 at 22:16