Using the Firewall module version 1.9 in puppet 3.8.7, I am getting the following error:

Error 400 on SERVER: Invalid parameter string on Firewall

Here is my Puppet Firewall rule.

firewall {
  "051 asterisk-set-rate-limit-register":
    string      => "REGISTER sip:",
    string_algo => "bm",
    dport       => '5060',
    proto       => 'udp',
    recent      => 'set',
    rname       => 'VOIPREGISTER',
    rsource     => true;
  "052 asterisk-drop-rate-limit-register":
    string      => "REGISTER sip:",
    string_algo => "bm",
    dport       => '5060',
    proto       => 'udp',
    action      => 'drop',
    recent      => 'update',
    rseconds    => '600',
    rhitcount   => '5',
    rname       => 'VOIPREGISTER',
    rsource     => true,
    rttl        => true;
}
markhorrocks

1 Answer

The issue appears to be that the firewall class was not instantiated. I also added a firewall purge command so that only the below rules are present. That is handy so that holes are not accidentally left in the firewall.

Here is the code that works on my system:

class { 'firewall': }

resources { 'firewall':
    purge => true,
}

firewall { "051 asterisk-set-rate-limit-register":
    string      => "REGISTER sip:",
    string_algo => "bm",
    dport       => '5060',
    proto       => 'udp',
    recent      => 'set',
    rname       => 'VOIPREGISTER',
    rsource     => true;
}
firewall { "052 asterisk-drop-rate-limit-register":
    string      => "REGISTER sip:",
    string_algo => "bm",
    dport       => '5060',
    proto       => 'udp',
    action      => 'drop',
    recent      => 'update',
    rseconds    => '600',
    rhitcount   => '5',
    rname       => 'VOIPREGISTER',
    rsource     => true,
    rttl        => true;
}

Notes

I tested that on my puppet installation with the puppetlabs-firewall module installed.

Successfully applied.

Elliot Huffman
  • Is this required? I normally chain other rules with a semicolon separator under the same class selector. – markhorrocks Aug 22 '17 at 15:13
  • This did not work. – markhorrocks Aug 22 '17 at 18:01
  • crud, can you post your full firewall excerpt? I will update mine based upon yours. – Elliot Huffman Aug 22 '17 at 18:27
  • My Firewall string manifest is identical to yours above plus separate firewall rules for port 5060, etc. – markhorrocks Aug 22 '17 at 18:36
  • I will do an in-depth rebuild and test when I get back to my place. I just happen to need to have a firewall component on my system too. – Elliot Huffman Aug 23 '17 at 10:09
  • hi, did you ever get this tested? – markhorrocks Aug 29 '17 at 01:58
  • Try again. I just rewrote until it worked. I have tested this time. – Elliot Huffman Sep 15 '17 at 20:25
  • Thanks, I'm wondering about the class firewall since I had other firewall rules working without this. I can't purge my firewall as other manifests will also set firewall rules for this server. I'll try on Monday. – markhorrocks Sep 16 '17 at 22:22
  • This still doesn't work for me. I see from the documentation it says this - string: Set the pattern for string matching. Requires the string_matching feature. How would I implement that? – markhorrocks Sep 18 '17 at 19:34
  • Did you only run the above code? By itself, like (sudo) `puppet apply \etc\puppetlabs\code\environments\production\manifests\test.pp` where `test.pp` is the above answer only? – Elliot Huffman Sep 18 '17 at 20:52
  • Also, is it possible for you to update to the latest puppet version? E.g. puppet v5.x? – Elliot Huffman Sep 18 '17 at 20:53
  • I can't update to the latest puppet version, only modules working with 3.8. I did run an exact copy of the above code. The class was already defined in a global puppet firewall manifest and rejected as a duplicate. – markhorrocks Sep 19 '17 at 05:50
  • Please do not run this code with any other code. Run it as standalone. We need to find where the code is having trouble. – Elliot Huffman Sep 19 '17 at 06:03
  • Ok. The puppet system I am using runs a dozen or more servers so I will need to set this up on a VM for one instance. – markhorrocks Sep 19 '17 at 06:17
  • When I say run the code by itself, only execute the code that I posted; it does not matter how many servers execute it as long as ONLY the above code runs. It is most likely a good idea to create a VM and put only the above code in a `pp` file and execute only that one `pp` file with the puppet system. – Elliot Huffman Sep 19 '17 at 06:21
  • Using a very basic install of puppet 4:
    root@mark-Inspiron-13-7359:~# /opt/puppetlabs/bin/puppet agent --test
    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Could not find declared class firewall at /etc/puppetlabs/code/environments/production/manifests/site.pp:7:1 on node mark-inspiron-13-7359
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run – markhorrocks Sep 20 '17 at 18:43
  • /opt/puppetlabs/bin/puppet module list
    /etc/puppetlabs/code/environments/production/modules
    └── puppetlabs-firewall (v1.9.0) – markhorrocks Sep 20 '17 at 18:54
  • Can you try puppet 5? – Elliot Huffman Sep 30 '17 at 10:17
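The two `firewall` resources in the question and the answer, rendered as the raw iptables rules they are meant to express, together with a check that the rules landed on the host in the order the `051`/`052` prefixes request. This is an added example, not code from the question, the answer or the puppetlabs-firewall module. It assumes the host has the iptables `string` and `recent` match extensions (the `string`/`string_algo` and `recent`/`rname`/`rsource`/`rseconds`/`rhitcount`/`rttl` parameters drive them), that the rules sit in the filter table's INPUT chain (the module's default), and that the module tags each rule with a `-m comment` carrying the resource title; the function names and the sample `iptables -S` output in the comments are mine. Comparing the first function's output with `iptables -S INPUT` on a node is a quick way to confirm what the module actually applied.

```shell
#!/bin/sh
# Added example (not from the question or the answer): the iptables rules the
# two firewall{} resources are meant to produce, plus an ordering check.
# Assumes the "string" and "recent" match extensions are available and that
# the rules live in the filter table's INPUT chain. Function names are mine.

# Print the two rules. $1 = recent list name, $2 = window in seconds,
# $3 = number of hits inside the window that triggers the drop.
sip_register_rules() {
  name=$1; seconds=$2; hits=$3
  match="-p udp -m udp --dport 5060 -m string --string \"REGISTER sip:\" --algo bm"
  # 051: record a hit for the source address of every SIP REGISTER. No -j,
  # so the packet continues down the chain to the next rule.
  printf 'iptables -A INPUT %s -m comment --comment "051 asterisk-set-rate-limit-register" -m recent --set --name %s --rsource\n' \
    "$match" "$name"
  # 052: drop once this source has $hits hits within $seconds. --rttl also
  # requires the packet's TTL to equal the one recorded by --set, so a flood
  # with a spoofed source cannot get a real client's address blocked.
  printf 'iptables -A INPUT %s -m comment --comment "052 asterisk-drop-rate-limit-register" -m recent --update --seconds %s --hitcount %s --rttl --name %s --rsource -j DROP\n' \
    "$match" "$seconds" "$hits" "$name"
}

# Read `iptables -S INPUT` output on stdin; return 0 only when the --set rule
# for list $1 precedes the --update ... -j DROP rule for the same list.
# With --set first, the packet that brings a source to the hit count is the
# one dropped; with the rules reversed, one more REGISTER gets through.
check_recent_order() {
  name=$1
  rules=$(cat)
  set_line=$(printf '%s\n' "$rules" | grep -n -- "--set --name $name" | head -n1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" | grep -n -- "--name $name" | grep -- '-j DROP' | head -n1 | cut -d: -f1)
  [ -n "$set_line" ] && [ -n "$drop_line" ] && [ "$set_line" -lt "$drop_line" ]
}

# Usage: sh sip-ratelimit.sh print   # show the two rules
#        sh sip-ratelimit.sh check   # verify the order on this host (needs root)
case "${1:-}" in
  print) sip_register_rules VOIPREGISTER 600 5 ;;
  check) iptables -S INPUT | check_recent_order VOIPREGISTER && echo "recent rules in expected order" ;;
esac
```

The `check` mode is the verification step for the purge discussion in the comments: if another manifest manages rules for port 5060 on the same node, the `052` rule can end up behind a rule that already accepts the traffic, and `iptables -S INPUT` is where that shows up.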