I have this working in our environment as a module, which I will attempt to 
describe. 

module: casfirewall
init.pp
class casfirewall {
  include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost

  # Directory for the persisted ruleset on Debian (iptables-persistent layout)
  file { "/etc/iptables":
    ensure => "directory",
    owner  => "root",
    group  => "root",
    mode   => "0700",
  }

  # Always persist firewall rules. refreshonly => true means this exec only
  # runs when a Firewall resource notifies it (see the resource defaults below)
  exec { "persist-firewall":
    command => $operatingsystem ? {
      "debian"          => "/sbin/iptables-save > /etc/iptables/rules.v4",
      /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
    },
    provider    => "shell",   # the > redirect needs a shell, not the posix provider
    refreshonly => true,
    require     => File["/etc/iptables"],
  }

  # Resource defaults for every firewall rule in the catalog: persist after
  # any change, and sandwich all rules between the fwpre class (base rules)
  # and the fwpost class (final drop)
  Firewall {
    notify  => Exec["persist-firewall"],
    before  => Class["casfirewall::fwpost"],
    require => Class["casfirewall::fwpre"],
  }

  # Purge any iptables rules that Puppet does not manage
  resources { "firewall": purge => true }
}


As you can see, this holds the meat and potatoes by including the Firewall 
notify, before, and require bits. 
The fwpre class contains the initial firewall settings (abbreviated here):
class casfirewall::fwpre {
  # Clear the inherited require => Class["casfirewall::fwpre"] default;
  # otherwise these rules would depend on their own class (a dependency cycle)
  Firewall {
    require => undef,
  }

  firewall { "000 allow outbound":
    proto  => "all",
    chain  => "OUTPUT",
    action => accept,
  }
  # ... remaining base rules abbreviated
}

The fwpost class contains the drop everything else rule. Because of the 
before ordering in init.pp, this rule gets applied last (and was the reason 
for starting this thread in the first place).
class casfirewall::fwpost {
  # before => undef clears the inherited before => Class["casfirewall::fwpost"]
  # default, which would otherwise make this rule depend on its own class
  firewall { "999 drop all":
    proto  => "all",
    action => drop,
    before => undef,
  }
}

In our init.pp we also have defined a default class. This contains all the 
rules to open ports to our monitoring servers or backup servers. These get 
applied after the initial pre class, and before the post as you would 
expect. 

I hope that helps. The suggestions given in this thread about firewall 
ordering very much helped us. I look forward to seeing the firewall module 
get another release and more user uptake.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/-B3-kjpoFvYJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
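The post describes the casfirewall::default class only in prose (rules for the monitoring and backup servers). The class below is an added example of what such a class can look like, not the poster's code: the rule names, ports and addresses (192.0.2.0/24 as the monitoring subnet, 198.51.100.10 as the backup server, 5666 for NRPE, 9102 for a Bacula file daemon) are assumptions chosen for illustration. It relies on the Firewall resource defaults from init.pp above, so it needs no before/require of its own.

```puppet
# Added example, not from the original post. Subnets, ports and rule
# names are assumptions; adjust them to the real monitoring/backup hosts.
class casfirewall::default {
  # Every firewall resource in this class inherits the defaults set in
  # casfirewall (init.pp): require => Class["casfirewall::fwpre"],
  # before => Class["casfirewall::fwpost"], notify => Exec["persist-firewall"].
  # The numeric prefix of the name fixes the rule's position in the chain,
  # so "1xx" rules land between the "000" pre rules and the "999" drop.

  firewall { "100 allow established":
    proto  => "all",
    state  => ["RELATED", "ESTABLISHED"],
    action => accept,
  }

  firewall { "110 allow ssh from monitoring":
    proto  => "tcp",
    dport  => 22,
    source => "192.0.2.0/24",   # assumed monitoring subnet
    action => accept,
  }

  firewall { "120 allow nrpe from monitoring":
    proto  => "tcp",
    dport  => 5666,             # assumed NRPE agent port
    source => "192.0.2.0/24",
    action => accept,
  }

  firewall { "130 allow backup server to file daemon":
    proto  => "tcp",
    dport  => 9102,             # assumed Bacula file daemon port
    source => "198.51.100.10",  # assumed backup server
    action => accept,
  }
}
```

Two ordering mechanisms are at work here. The numeric prefix in each rule name decides where puppetlabs-firewall places the rule within the chain, while the before/require defaults from init.pp decide the order in which Puppet applies the resources; the latter is what keeps the "999 drop all" rule from being installed before the accept rules on a first run, which would otherwise cut off the connection mid-apply.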
