Hi Ronen,

Making the rules persistent is a matter of running iptables-save
afterwards. If you drop this in your top scope it should work:

# Run iptables-save after any Firewall resource changes, so the live
# rule set survives a restart of the iptables service.
exec { "persist-firewall":
  command => $operatingsystem ? {
    "debian"          => "/sbin/iptables-save > /etc/iptables/rules.v4",
    /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
  },
  refreshonly => true,
}
# Resource default: every Firewall resource notifies the exec above.
Firewall {
  notify => Exec["persist-firewall"]
}

Can you raise a bug on the other issue about not detecting existing
rules? I'd appreciate being able to see any problematic rules (after
your own scrubbing of course). We'll then be able to try and fix it
for you.

https://github.com/puppetlabs/puppetlabs-firewall/issues

Alessandro's suggestions still hold true about applying firewall rules
with related classes. I'm a big fan of this methodology instead of
having a long list of rules. This is why a firewall type that handles
individual rules is a good approach.

ken.

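The rule-detection problem Ronen describes below (the provider re-adding rules it should have found) comes down to comparing a desired rule against the current iptables-save output in a canonical form. As an added example that is not part of this thread or of the puppetlabs-firewall module, here is a small Python script that does that check on a constructed dump; the normalization rules (long-to-short option names, the implicit "-m tcp"/"-m udp" match, "/32" on bare IPv4 addresses), the sample dump and the desired rules are all assumptions made for the example.

```python
"""Idempotent iptables rule handling (added example, not code from this thread
or from puppetlabs-firewall): parse `iptables-save` output and check whether a
desired rule is already present before generating an `iptables -A` command.

The normalization rules below are assumptions about how iptables-save prints
rules; the sample dump and the desired rules are constructed for the example."""
import shlex

# Constructed iptables-save output, as a persisted rules file would look.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 8140 -j ACCEPT
COMMIT
"""

# Rules we want present, written the way a person (or a manifest) would write them.
DESIRED = [
    ("filter", "INPUT", '-p icmp -m comment --comment "000 accept all icmp" -j ACCEPT'),
    ("filter", "INPUT", "-p tcp --dport 22 -j ACCEPT"),
    ("filter", "INPUT", "--source 10.0.0.5 --protocol tcp --dport 8140 --jump ACCEPT"),
    ("filter", "INPUT", "-p udp --dport 53 -j ACCEPT"),
]

# Long option names iptables accepts, mapped to the short form iptables-save prints.
LONG_TO_SHORT = {
    "--protocol": "-p", "--source": "-s", "--destination": "-d",
    "--jump": "-j", "--match": "-m", "--in-interface": "-i",
    "--out-interface": "-o",
}


def parse_iptables_save(dump):
    """Return {table: {chain: [rule_tokens, ...]}} from iptables-save text."""
    tables = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":") and table:     # chain policy line
            tables[table][line[1:].split()[0]] = []
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table:   # appended rule
            toks = shlex.split(line)             # keeps quoted comments whole
            tables[table].setdefault(toks[1], []).append(toks[2:])
    return tables


def normalize(tokens):
    """Canonicalize rule tokens so semantically equal rules compare equal."""
    out = []
    i = 0
    while i < len(tokens):
        t = LONG_TO_SHORT.get(tokens[i], tokens[i])
        if t in ("-s", "-d") and i + 1 < len(tokens):
            addr = tokens[i + 1]
            if "/" not in addr:
                addr += "/32"                    # assumes IPv4, as iptables-save prints it
            out.extend([t, addr])
            i += 2
        elif t == "-p" and i + 1 < len(tokens):
            proto = tokens[i + 1]
            out.extend([t, proto])
            i += 2
            # iptables-save always prints the implicit "-m tcp"/"-m udp" match.
            nxt = [LONG_TO_SHORT.get(x, x) for x in tokens[i:i + 2]]
            if proto in ("tcp", "udp") and nxt != ["-m", proto]:
                out.extend(["-m", proto])
        else:
            out.append(t)
            i += 1
    return out


def rule_exists(tables, table, chain, rule):
    """True if an equivalent rule is already in the given table/chain."""
    want = normalize(shlex.split(rule))
    return any(normalize(r) == want for r in tables.get(table, {}).get(chain, []))


def missing_rules(tables, desired):
    """Return the iptables commands for the desired rules that are not yet present."""
    return ["iptables -t %s -A %s %s" % (table, chain, rule)
            for table, chain, rule in desired
            if not rule_exists(tables, table, chain, rule)]


if __name__ == "__main__":
    for cmd in missing_rules(parse_iptables_save(SAMPLE_DUMP), DESIRED):
        print(cmd)
```

Only the udp/53 rule comes out as a command to run; the other three are recognised as already present even though they are spelled differently from the dump. This comparison is what a provider's exists? check has to get right: if it compares raw strings, every Puppet run appends duplicates, which is exactly the symptom reported in this thread.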
On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <nark...@gmail.com> wrote:
> Hey Ken, the main issue was that the provider wasn't detecting existing
> rules but instead kept adding them in. Another issue is that the rules
> aren't persistent (restarting the service clears them out).
>
> Alessandro, I'll check it out, thanks!
>
> Ronen
>
> On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber <kgbbelm...@gmail.com>
> wrote:
>>
>> I have been working on doing something similar to this. We want to
>> abstract for multiple OS's and deal with the joy that is Solaris zones.
>> Essentially, it will be a resource that defines the fw rules in XML and
>> then a script takes all of those definitions and creates a complete set of
>> firewall rules.
>> I am waiting to hear back on our code release policy to see what it takes
>> to release it once I am done.
>> -- cwebber
>> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote:
>>
>> FYI
>> I don't know if it may be useful, but I've done this:
>> https://github.com/example42/puppet-modules/tree/master/iptables
>> which can be used in 2 ways:
>> - a "standard" iptables-save approach (set $iptables_config = "file" before
>> to enable it) with rules file defined in
>> https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp
>> (here you have to add source or content arguments to manage it with static
>> files or templates according to your need)
>> - an "automatic" way (default option when you include the module) that
>> dynamically builds iptables rules according to the modules you include and
>> the iptables related variables you set (see the README)
>> This actually works if you use the Example42 modules (or at least the
>> firewall defines included in each one).
>> It's quite nice to see it working, adding or removing dynamically, but, I
>> must admit, it is a bit resource intensive (a puppet resource for each dynamic
>> rule).
>>
>> Regards
>> Al @ Lab42
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.

-- 
"Join us for PuppetConf, September 22nd and 23rd in Portland, OR:
http://bit.ly/puppetconfsig"