attachmentgenie / attachmentgenie-ufw

MIT License

ufw making changes every time #60

Open ebdavison opened 5 years ago

ebdavison commented 5 years ago

I have an Ubuntu 18.04 system that has puppet agent 6.02 installed, and ufw is setting firewall rules every time the system runs, as below. It should only apply changes if there is a change to make and verify the settings on the next run, as puppet code is supposed to do. Here are the logs from the report:

| Timestamp | Source | Tags | Message | Location |
|---|---|---|---|---|
| Dec 18 2018 - 12:54:29 | /Stage[main]/Ca::Zabbix/Ufw::Allow[Allow inbound Zabbix]/Exec[ufw-allow-tcp-from-any-to-any-port-10050]/returns | notice, exec, ufw-allow-tcp-from-any-to-any-port-10050, ufw::allow, ufw, allow, class, ca::zabbix, ca, zabbix, ca::base, base, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:29 | /Stage[main]/Ca::Firewall_deb/Ufw::Allow[allow-ssh-from-all]/Exec[ufw-allow-tcp-from-any-to-any-port-22]/returns | notice, exec, ufw-allow-tcp-from-any-to-any-port-22, ufw::allow, ufw, allow, allow-ssh-from-all, class, ca::firewall_deb, ca, firewall_deb, ca::base, base, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:30 | /Stage[main]/Ca::Firewall_deb/Ufw::Allow[allow-all-from-trusted]/Exec[ufw-allow-tcp-from-10.0.0.145-to-any-port-all]/returns | notice, exec, ufw-allow-tcp-from-10.0.0.145-to-any-port-all, ufw::allow, ufw, allow, allow-all-from-trusted, class, ca::firewall_deb, ca, firewall_deb, ca::base, base, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:30 | /Stage[main]/Ca::Firewall_deb/Ufw::Allow[allow-http-on-specific-interface]/Exec[ufw-allow-tcp-from-any-to-10.0.0.20-port-80]/returns | notice, exec, ufw-allow-tcp-from-any-to-10.0.0.20-port-80, ufw::allow, ufw, allow, allow-http-on-specific-interface, class, ca::firewall_deb, ca, firewall_deb, ca::base, base, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:30 | /Stage[main]/Ca::Firewall_deb/Ufw::Allow[allow-dns-over-udp]/Exec[ufw-allow-udp-from-any-to-any-port-53]/returns | notice, exec, ufw-allow-udp-from-any-to-any-port-53, ufw::allow, ufw, allow, allow-dns-over-udp, class, ca::firewall_deb, ca, firewall_deb, ca::base, base, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:30 | /Stage[main]/Ca::Vnc/Ufw::Allow[Allow inbound VNC]/Exec[ufw-allow-tcp-from-any-to-any-port-5901]/returns | notice, exec, ufw-allow-tcp-from-any-to-any-port-5901, ufw::allow, ufw, allow, class, ca::vnc, ca, vnc, node, pi-reviewer.cyberadapt.com | executed successfully | /etc/puppetlabs/code/environments/production/modules/ufw/manifests/allow.pp:34 |
| Dec 18 2018 - 12:54:31 | Puppet | notice | Applied catalog in 2.84 seconds | |

alchemyx commented 5 years ago

@attachmentgenie would that "ready" mean this issue is fixed? We are having it too and it pollutes logs on multiple servers.

ebdavison commented 5 years ago

ETA on this issue?

chrismuu commented 5 years ago

If you are using the module attachmentgenie/ufw from Puppet Forge, it has not been updated since v1.4.9 in 2014, and the exec's unless condition from back then fails to find that the rule is present due to trailing whitespace in the output of "ufw | status" for ufw 0.35+ on newer Ubuntu versions.

It would be nice if the Forge module were updated with more current code as this looks to be fixed as of eeb6cb8. You could try pointing to this repository instead.

ebdavison commented 5 years ago

Good to know. When/if I get a chance I will let you know if that fixes it.

alchemyx commented 5 years ago

In my case that change doesn't work for the situation where the destination IP address is any. I had to make the following change:

'any:all' => "ufw status | grep -qE ' +ALLOW +${from_match}${proto_match}( +.*)?$'",

in line 97 of allow.pp. @ebdavison, can you please have a look and see if that helps?
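The failure mode discussed in this thread, as an added example that is not part of the module or of any comment above: the Exec's `unless` check is a `grep` over `ufw status`, and a regex anchored to end-of-line with no allowance for padding never matches the trailing whitespace that newer ufw emits, so Puppet re-applies the rule on every run. The `ufw status` output below is constructed (padded with `printf` to reproduce that whitespace), and `strict_check`, `tolerant_check` and `verdict` are hypothetical helper names; the tolerant pattern is the `( +.*)?$` form from the comment above, with the `From` value passed in place of the module's `${from_match}${proto_match}` interpolation.

```shell
#!/bin/sh
# Constructed `ufw status` output (not captured from a real host).
# %-26s / %-11s pad every column, so each line ends in trailing spaces,
# which is exactly what ufw 0.35+ prints on newer Ubuntu releases.
fake_ufw_status() {
    printf 'Status: active\n\n'
    printf '%-26s %-11s %-26s\n' 'To' 'Action' 'From'
    printf '%-26s %-11s %-26s\n' '--' '------' '----'
    printf '%-26s %-11s %-26s\n' '22/tcp' 'ALLOW' 'Anywhere'
    printf '%-26s %-11s %-26s\n' 'Anywhere' 'ALLOW' '10.0.0.145'
    printf '%-26s %-11s %-26s\n' '10.0.0.20 80/tcp' 'ALLOW' 'Anywhere'
    printf '%-26s %-11s %-26s\n' '53/udp' 'ALLOW' 'Anywhere'
}

# Strict check: the From value must be the last thing on the line.
# Exit 0 means "rule present"; trailing padding makes this fail, so an
# Exec guarded by it would run `ufw allow ...` on every Puppet run.
strict_check() {   # $1 = regex for the From column, e.g. '10\.0\.0\.145'
    fake_ufw_status | grep -qE ' +ALLOW +'"$1"'$'
}

# Tolerant check: "( +.*)?$" absorbs the padding (and any trailing
# comment column), so an existing rule is recognised and the Exec is
# skipped, which is the idempotent behaviour Puppet expects.
tolerant_check() { # $1 = regex for the From column
    fake_ufw_status | grep -qE ' +ALLOW +'"$1"'( +.*)?$'
}

# Runs one of the checks above and prints a verdict for comparison.
verdict() {        # $1 = check function, $2 = From regex
    if "$1" "$2"; then echo present; else echo missing; fi
}

verdict strict_check   '10\.0\.0\.145'   # missing (false negative)
verdict tolerant_check '10\.0\.0\.145'   # present
verdict tolerant_check '192\.168\.1\.1'  # missing (rule really absent)
```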