Firewall fix when setting up CentOS / RHEL / Fedora relay

I ran into some issues setting up a CentOS / RHEL / Fedora relay recently.

Turns out on the newest version, both iptables and firewall-cmd need to be set.

iptables -A INPUT -p tcp --dport 52311 -j ACCEPT
iptables -A INPUT -p udp --dport 52311 -j ACCEPT
firewall-cmd --zone=public --add-port=52311/tcp --permanent
firewall-cmd --zone=public --add-port=52311/udp --permanent

It would be nice if there was a BigFix Fixlet that detected the missing firewall-cmd’s and would add them when run.


The complete instructions: (as root)

yum install wget -y
wget http://__RELAY_OR_ROOTSERVER__:52311/masthead/masthead.afxm
mkdir /etc/opt/BESClient/
cp masthead.afxm /etc/opt/BESClient/actionsite.afxm
wget http://software.bigfix.com/download/bes/92/BESAgent-9.2.6.94-rhe5.x86_64.rpm
rpm -ivh BESAgent-9.2.6.94-rhe5.x86_64.rpm
iptables -A INPUT -p tcp --dport 52311 -j ACCEPT
iptables -A INPUT -p udp --dport 52311 -j ACCEPT
firewall-cmd --zone=public --add-port=52311/tcp --permanent
firewall-cmd --zone=public --add-port=52311/udp --permanent
wget http://software.bigfix.com/download/bes/92/BESRelay-9.2.6.94-rhe5.x86_64.rpm
rpm -ivh BESRelay-9.2.6.94-rhe5.x86_64.rpm

Will require tweaking when a newer client/relay is released. May also require tweaking of the zone for the firewall-cmd.
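The detect-and-remediate logic the thread asks for, as an added example that is not from the thread or from the linked bigfix.me Fixlet: it parses the output of `firewall-cmd --permanent --list-ports` for a zone, opens 52311/tcp and 52311/udp only when they are missing, and reloads so the permanent rules become active. It assumes firewalld on EL7; the zone name (default public, as in the commands above) and the reload step are assumptions.

```sh
#!/bin/sh
# Added example (not the thread's own commands): detect whether the BigFix
# relay/client port is open in a firewalld zone and open it only if missing.
# Assumes firewall-cmd (RHEL/CentOS 7 firewalld); run as root to remediate.

BES_PORT=52311

# missing_ports: reads the space-separated output of
#   firewall-cmd --zone=ZONE --permanent --list-ports
# on stdin and prints the BigFix port/proto pairs that are NOT present,
# one per line (prints nothing when both tcp and udp are already open).
missing_ports() {
    listed="$(cat)"
    for proto in tcp udp; do
        want="${BES_PORT}/${proto}"
        case " $listed " in
            *" $want "*) ;;          # already open in this zone
            *) echo "$want" ;;       # needs to be added
        esac
    done
}

# ensure_bes_ports ZONE: live detection + remediation on a host (requires root).
# Zone defaults to public, matching the thread's commands; adjust for your site.
ensure_bes_ports() {
    zone="${1:-public}"
    changed=0
    for p in $(firewall-cmd --zone="$zone" --permanent --list-ports | missing_ports); do
        echo "opening $p in zone $zone"
        firewall-cmd --zone="$zone" --add-port="$p" --permanent
        changed=1
    done
    # --permanent only edits the saved config; reload applies it to the
    # running firewall without a reboot (assumed step, not in the thread).
    if [ "$changed" -eq 1 ]; then
        firewall-cmd --reload
    fi
    return 0
}
```

Running `ensure_bes_ports` twice is safe: the second run finds nothing missing and does not reload.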

Is this for RHEL/CentOS 7? If so can you open a PMR so we can address it in BES Support?

Yes, this is for RHEL/CentOS 7 specifically.

It didn’t seem like the iptables commands were actually needed for the image of CentOS 7 I was using, but that might not always be the case. The firewall-cmd’s are definitely needed.

This command is needed for CentOS/RHEL 7 clients as well:

firewall-cmd --zone=public --add-port=52311/udp --permanent

+1, this is needed on modern RH-based systems.

You should file an RFE/PMR to have this be a proper fixlet in BESSupport

I got around to needing this one day and tweaked my client side fixlet for relay use on EL7 w/ firewalld.
https://bigfix.me/fixlet/details/25168
The actual checks against the firewall configuration are amateur, but from a “click this thing to make it work and go away” standpoint it is functional.