RedHat Firewall is Blocking BES Traffic - BES Client


Description

The listed computers have iptables enabled and are not configured to allow inbound UDP traffic on the port used by BES (BES uses port 52311 by default).

The BES Server and BES Relays send UDP packets to the BES Clients to notify them that new information is available, such as new Fixlet messages, actions, and computer refreshes. BES Clients on relevant computers will not receive these UDP notification packets and therefore will not see new actions or new Fixlet messages until they gather the new actionsite, which by default happens once a day. After iptables is configured to allow inbound UDP traffic on the BES Listen Port, BES Clients will resume normal communication with the BES Server and BES Relays.

Note: After this action is applied, affected BES Clients will not report until they have performed their standard once-per-day gather or until the BES Client is restarted.

Note: The iptables firewall configuration is modified by inserting a new rule into the first position in the INPUT chain. Rules added after this Fixlet is applied that are themselves inserted at the first position in the chain will take precedence over the rule this Fixlet adds.

Important Note: On systems running SELinux, iptables may fail to restart after this Fixlet is run.


Property Details

ID: 233
Title: RedHat Firewall is Blocking BES Traffic - BES Client
Category: Support
Download Size: 0
Source: BigFix
Source ID: <Unspecified>
Source Severity: Important
Source Release Date: 6/16/2009 12:00:00 AM
Keywords: BES UDP Clients Note Client
Added by on 10/17/2012 1:14:36 PM
Last Modified by on 10/17/2012 1:14:36 PM
Counters 7971 Views / 22 Downloads

Relevance

Used in 221 fixlets   * Results in a true/false
(if exists property "in proxy agent context" then ( not in proxy agent context ) else true )
Used in 17 fixlets   * Results in a true/false
version of client >= "6"
Used in 92 fixlets and 24 analyses   * Results in a true/false
version of client >= "5.1"
Used in 32 fixlets   * Results in a true/false
(if (version of client >= "8.0") then (unix of it) else ((it does not start with "Win" AND it does not start with "Mac OS X") of name of it)) of operating system
Used in 1 fixlet   * Results in a true/false
exists match (regex "Linux Red Hat Enterprise (AS|ES|WS|Client|Server|Workstation) (3|4|5|6)") of name of operating system
Used in 2 fixlets   * Results in a true/false
exists file "/var/lock/subsys/iptables" AND exists file "/proc/net/ip_tables_names"
Used in 1 fixlet   * Results in a true/false
NOT exists file "/etc/sysconfig/iptables" whose (exists lines whose (it does not start with "#" AND it contains "--dport 52311" AND it contains "-j ACCEPT") of it) AND exists file "/etc/sysconfig/iptables"

Actions

Action 1 (default)

Action Link Click here to leave iptables enabled, but also allow incoming traffic on the port reserved for BES.
Script Type BigFix Action Script
//Modify the iptables saved ruleset
delete __appendfile
appendfile #!/bin/bash
appendfile sed -i -n '1h;1!H;${{;g;s/*filter\n\(:[^\n]*\n\)*/&-A INPUT -m state --state NEW -m udp -p udp --dport 52311 -j ACCEPT\n/g;p;}' /etc/sysconfig/iptables
appendfile /etc/init.d/iptables restart
wait chmod +x "{(client folder of current site as string) & "/__appendfile"}"
wait "{(client folder of current site as string) & "/__appendfile"}"
//delete delete __appendfile
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
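The relevance check on /etc/sysconfig/iptables and the rule insertion performed by Action 1's sed, rewritten as a stand-alone bash script. This is an added example, not the Fixlet's own code: the function names, the sample ruleset file and the temporary file path are constructed for the illustration; 52311 is the BES default port named in the description.

```shell
# Added example (not the Fixlet's code). Checks a saved RHEL ruleset for the BES
# UDP accept rule the way the relevance does, and if absent inserts it as the
# first rule of the filter table (after "*filter" and the ":CHAIN POLICY" lines).
BES_PORT=52311
BES_RULE="-A INPUT -m state --state NEW -m udp -p udp --dport ${BES_PORT} -j ACCEPT"

# Mirrors the relevance: a non-comment line containing both "--dport 52311" and "-j ACCEPT".
bes_rule_present() {
    grep -v '^#' "$1" | grep -- "--dport ${BES_PORT}" | grep -q -- '-j ACCEPT'
}

# First line number holding the BES rule (empty when absent).
bes_rule_line() {
    grep -n -- "--dport ${BES_PORT} -j ACCEPT" "$1" | cut -d: -f1 | head -n 1
}

# Insert BES_RULE at the top of the filter table, as the Fixlet's sed does.
# Returns 0 when the file was changed, 1 when the rule was already present.
bes_insert_rule() {
    ruleset="$1"
    bes_rule_present "$ruleset" && return 1
    awk -v rule="$BES_RULE" '
        /^\*filter$/        { in_filter = 1; print; next }   # table header
        in_filter && /^:/   { print; next }                  # chain policy lines
        in_filter && !done  { print rule; done = 1 }         # first rule slot
        { print }
    ' "$ruleset" > "$ruleset.tmp" && mv "$ruleset.tmp" "$ruleset"
    bes_rule_present "$ruleset"
}

# Constructed sample of a stock RHEL ruleset without the BES rule (not a real host's file).
make_sample_ruleset() {
    cat > "$1" <<'EOF'
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

SAMPLE="${TMPDIR:-/tmp}/bes_iptables_sample.$$"   # constructed path, not a system file
make_sample_ruleset "$SAMPLE"
bes_insert_rule "$SAMPLE" && echo "BES rule inserted at line $(bes_rule_line "$SAMPLE")"
rm -f "$SAMPLE"
```

On a real host the edited file only takes effect after the iptables service is restarted, which is the step the action performs right after its sed.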

Action 2

Action Link Click here to disable iptables firewall.
Script Type BigFix Action Script
//Disable iptables
delete __appendfile
appendfile #!/bin/bash
appendfile chkconfig --level 2345 iptables off
appendfile /etc/init.d/iptables stop
wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"
wait "{(client folder of current site as string) & "/__appendfile"}"
//delete delete __appendfile
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Action Link Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113
