Cloudformation Rocky Linux firewalld


My use case: a CloudFormation script to spin up EC2 with Rocky Linux 8, Tomcat 9 and a webapp.

RL8 uses Firewalld for firewall settings.

Below is my snippet from the CFN script.

"echo Unmasking firewalld\n",
"sudo systemctl unmask firewalld\n",

"echo Enabling firewalld\n",
"sudo systemctl enable firewalld\n",

"echo Allow inbound and outbound traffic on port 80\n",
"sudo firewall-offline-cmd --add-port=80/tcp\n",

"echo Allow inbound and outbound traffic on port 443\n", 
"sudo firewall-offline-cmd --add-port=443/tcp\n",

"echo Allow loopback traffic\n",
"sudo firewall-offline-cmd --add-interface=lo\n",

"echo Allow established connections\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"127.0.0.0/8\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"443\" protocol=\"tcp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"80\" protocol=\"tcp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"52311\" protocol=\"tcp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"52311\" protocol=\"udp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"22\" protocol=\"tcp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" protocol value=\"icmp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"68\" protocol=\"udp\" accept'\n",
"sudo firewall-offline-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"0.0.0.0/0\" port port=\"323\" protocol=\"udp\" accept'\n",

"echo Starting firewalld - systemctl start firewalld\n",
"sudo systemctl start firewalld\n",

"echo Add service http - firewall-cmd --zone=internal1 --add-service=http\n", 
"sudo firewall-cmd --zone=internal1 --add-service=http\n",

"echo Add service https - firewall-cmd --zone=internal1 --add-service=https\n", 
"sudo firewall-cmd --zone=internal1 --add-service=https\n",

CFN script errors out when the following command hits -

"echo Add service http - firewall-cmd --zone=internal1 --add-service=http\n", 
"sudo firewall-cmd --zone=internal1 --add-service=http\n",

Here is the error - Add service http - firewall-cmd --zone=internal1 --add-service=http ERROR:dbus.proxies:Introspect error on :1.39:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

Any cloudformation and firewall experts in here to brainstorm a solution for this?

I have tried the following in the script -

"echo Add service http - firewall-offline-cmd --zone=internal1 --add-service=http\n", 
"sudo firewall-offline-cmd --zone=internal1 --add-service=http\n",

but the changes are not applied.

https://firewalld.org/documentation/man-pages/firewall-offline-cmd.html


There is 1 answer

Michael Cropper

Copy and paste or fat finger error?

--zone=internal1

Notice the trailing 1: --zone=internal1
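A UserData fragment for the setup in the question, added here as an example (not code from the question or the answer): it waits for firewalld to answer over D-Bus before calling firewall-cmd, which is what the NoReply error indicates, and checks the zone name against --get-zones so a typo such as internal1 fails with a clear message instead of a D-Bus trace. FW_CMD and the use of the public zone are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer): UserData helpers for
# Rocky Linux 8 firewalld. FW_CMD is an assumption so the helpers can be
# exercised with a stand-in command; on the instance it is firewall-cmd.
FW_CMD="${FW_CMD:-firewall-cmd}"

# firewall-cmd talks to firewalld over D-Bus; calling it before the daemon
# has finished starting yields the NoReply error from the question.
# Poll --state (exit 0 once running) for up to $1 seconds.
wait_for_firewalld() {
  timeout="${1:-30}"; i=0
  while [ "$i" -lt "$timeout" ]; do
    "$FW_CMD" --state >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

# firewalld rejects unknown zones; check the name against --get-zones
# before using it so a typo such as internal1 fails early and loudly.
zone_exists() {
  for z in $("$FW_CMD" --get-zones); do
    [ "$z" = "$1" ] && return 0
  done
  return 1
}

# Add a service to runtime and permanent config of a verified zone. Runtime
# only (no --permanent) is lost on reload; permanent only needs --reload.
add_service() {
  zone_exists "$1" || { echo "unknown firewalld zone: $1" >&2; return 1; }
  "$FW_CMD" --permanent --zone="$1" --add-service="$2" >/dev/null &&
    "$FW_CMD" --zone="$1" --add-service="$2" >/dev/null
}

# Provisioning sequence for UserData; only runs when invoked with "provision".
if [ "${1:-}" = "provision" ]; then
  systemctl unmask firewalld
  systemctl enable --now firewalld
  wait_for_firewalld 30 || { echo "firewalld did not start" >&2; exit 1; }
  add_service public http && add_service public https
fi
```

Everything that has to happen before `systemctl start firewalld` can stay on firewall-offline-cmd, which writes the permanent configuration directly and needs no D-Bus; the zone it targets must exist there too.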