RedHat/CentOS 7 Firewalld is blocking inbound traffic - BES Relay

Description

The listed computers are BES Relays that have firewalld enabled and are not configured to allow inbound TCP/UDP traffic on the port used by BESRelay (BES uses port 52311 by default).

BES Relays must receive inbound TCP and UDP connections from clients.

Note: Action 1 modifies the firewalld configuration by inserting a new service definition into /etc/firewalld/services and enabling it permanently on the public zone, which is firewalld's default zone on RHEL/CentOS 7; if the default zone has been changed on a relay, the port is opened on public but not on the zone its interfaces are actually assigned to. Action 2 instead stops and disables firewalld entirely, which removes host-level filtering for every port, not just the relay port.


Property Details

ID: 25168
Status: Beta - Preliminary testing ready for more
Title: RedHat/CentOS 7 Firewalld is blocking inbound traffic - BES Relay
Domain: BES
Category: Support
Download Size: 0
Source: Internal
Source ID: <Unspecified>
Source Severity: Important
Source Release Date: 2/19/2018 7:35:57 AM
Keywords: relay centos7 redhat7 linux rhel centos
Added by on 2/19/2018 7:35:57 AM
Last Modified by on 2/19/2018 7:35:57 AM

Relevance

Used in 219 fixlets (results in a true/false):
(if exists property "in proxy agent context" then ( not in proxy agent context ) else true )

Used in 11 fixlets and 3 analyses (results in a true/false):
exists relay service

Used in 32 fixlets (results in a true/false):
(if (version of client >= "8.0") then (unix of it) else ((it does not start with "Win" AND it does not start with "Mac OS X") of name of it)) of operating system

Used in 3 fixlets (results in a true/false):
exists match (regex "Linux (Red Hat Enterprise (AS|ES|WS|Client|Server|Workstation)|CentOS) (7)") of name of operating system

Used in 3 fixlets (results in a true/false):
exists file "/etc/systemd/system/basic.target.wants/firewalld.service"

Used in 1 fixlet (results in a true/false):
NOT exists file "/etc/firewalld/zones/public.xml" whose ( exists ( lines of it ) whose ( it does not start with "#" AND it contains "<service name=%22bigfix-relay%22/>" ) ) AND exists file "/etc/firewalld/zones/public.xml"

Actions

Action 1 (default)

Action Link Click here to leave firewalld enabled, but create a service and enable it on the default zone to allow incoming traffic on the port reserved for BESRelay.
Script Type BigFix Action Script
//Create a firewalld service definition for the relay port and enable it on the public zone
delete __appendfile

appendfile #!/bin/bash
appendfile echo -e '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>bigfix-relay</short>\n  <description>The BES Server and BES Relays send UDP packets to the BES Clients to notify them that there is new information available such as new Fixlet messages, actions, and computer refreshes. This service permits that traffic on the port designated by the server.</description>\n  <port protocol="tcp" port="{port number of selected server as string}"/>\n  <port protocol="udp" port="{port number of selected server as string}"/>\n</service>\n' > /etc/firewalld/services/bigfix-relay.xml
appendfile firewall-cmd --reload
appendfile firewall-cmd --permanent --zone=public --add-service=bigfix-relay
appendfile firewall-cmd --reload

wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"

wait "{(client folder of current site as string) & "/__appendfile"}"

//delete delete __appendfile
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
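The script below is an added example, not part of this Fixlet or of BigFix: it reproduces what Action 1 does in plain bash, adds the port sanity check the action script lacks (the `{port number of selected server}` substitution is trusted as-is), and includes a zone check that mirrors the last relevance clause, so the same script can confirm the fix took effect. Function names, the `--apply` flag and the `BES_PORT` variable are mine; the paths are firewalld's defaults on RHEL/CentOS 7. With no arguments it only defines the functions; `./bigfix-relay-fw.sh --apply` writes the service file and, where `firewall-cmd` exists, enables it on the public zone and reloads.

```shell
#!/bin/bash
# Added example: create and verify the "bigfix-relay" firewalld service.
# Not the Fixlet's own code. Defaults: port 52311, firewalld's standard paths.
set -u

# Emit the service XML for the given port to stdout.
# Rejects anything that is not a valid TCP/UDP port number.
bigfix_relay_service_xml() {
    local port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '%s\n' \
        '<?xml version="1.0" encoding="utf-8"?>' \
        '<service>' \
        '  <short>bigfix-relay</short>' \
        "  <description>Inbound TCP and UDP for the BES Relay on port ${port}.</description>" \
        "  <port protocol=\"tcp\" port=\"${port}\"/>" \
        "  <port protocol=\"udp\" port=\"${port}\"/>" \
        '</service>'
}

# Return 0 if the zone file enables the named service on an uncommented line.
# Same test as the Fixlet's relevance on /etc/firewalld/zones/public.xml.
zone_has_service() {
    local zone_file="$1" name="$2"
    [ -f "$zone_file" ] || return 1
    grep -v '^#' "$zone_file" | grep -q "<service name=\"${name}\"/>"
}

# Write the service file, then enable it on the zone and reload, as Action 1 does.
# The first reload is what makes firewalld see the new service definition.
apply_bigfix_relay_service() {
    local port="${1:-52311}" service_dir="${2:-/etc/firewalld/services}" zone="${3:-public}"
    local file="${service_dir}/bigfix-relay.xml"
    bigfix_relay_service_xml "$port" > "$file" || return 1
    chmod 0644 "$file"
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; wrote $file only" >&2
        return 2
    fi
    firewall-cmd --reload \
        && firewall-cmd --permanent --zone="$zone" --add-service=bigfix-relay \
        && firewall-cmd --reload || return 1
    # Confirm the runtime zone now lists the service.
    firewall-cmd --zone="$zone" --list-services | grep -qw bigfix-relay
}

if [ "${1:-}" = "--apply" ]; then
    apply_bigfix_relay_service "${BES_PORT:-52311}"
    echo "public.xml enables bigfix-relay: $(zone_has_service /etc/firewalld/zones/public.xml bigfix-relay && echo yes || echo no)"
fi
```

The zone check deliberately reads the permanent configuration file rather than `firewall-cmd --list-services`, because that is exactly what the Fixlet's relevance evaluates: a relay whose service was added only to the runtime configuration (without `--permanent`) stays relevant and loses the rule on the next reload.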

Action 2

Action Link Click here to disable firewalld.
Script Type BigFix Action Script
//Stop and disable firewalld (removes all host-level filtering, not just the relay port)
delete __appendfile

appendfile #!/bin/bash
appendfile systemctl disable firewalld.service
appendfile systemctl stop firewalld.service

wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"

wait "{(client folder of current site as string) & "/__appendfile"}"

//delete delete __appendfile
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Action Link Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113
    
