Hi,
I'm trying to set up the firewall module to be disabled on certain nodes
(for testing). However, even if I set the following:
class { 'firewall': ensure => stopped, }
The firewall is still running on CentOS 6.5 and is sometimes stopped on
CentOS 7.0.
I've also noticed that the firewall rules keep changing between runs (which
I think is part of the problem).
Below is the sample code I've got going:
manifests/site.pp
--
resources { 'firewall':
  purge => true,
}

Firewall {
  before  => Class['test::post'],
  require => Class['test::pre'],
}

modules/test/manifests/pre.pp
--
class test::pre {
  Firewall {
    require => undef,
  }

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
}

modules/test/manifests/post.pp
--
class test::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

manifests/nodes/test.pp
--
node ... {
  class { 'firewall':
    ensure => stopped,
  }
  class { 'test::pre': }
  class { 'test::post': }
  class { 'ssh': }
}

modules/ssh/manifests/init.pp
--
class ssh {
  include ssh::server
}

modules/ssh/manifests/server.pp
--
class ssh::server (
  ..
) {
  firewall { '100 allow ssh':
    chain  => 'INPUT',
    state  => ['NEW', 'ESTABLISHED'],
    dport  => '22',
    proto  => 'tcp',
    action => 'accept',
  }
  ...
}
=
OUTPUT
=
First Run
-
Notice: /Stage[main]/Test::Pre/Firewall[000 accept all icmp]/ensure: created
Notice: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]/ensure:
ensure changed 'running' to 'stopped'
Notice: /Stage[main]/Ssh::Server/Firewall[100 allow ssh]/ensure: created
Notice: /Stage[main]/Test::Post/Firewall[999 drop all]/ensure: created
Notice: Finished catalog run in 2.57 seconds
Second Run
-
Notice: /Stage[main]/Test::Pre/Firewall[000 accept all icmp]/ensure: created
Notice: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]/ensure:
ensure changed 'running' to 'stopped'
Notice: Finished catalog run in 2.38 seconds
Third Run
-
See First Run ...
(loops)
As a side note, I poked/hacked through the Ruby code in the module and I
was seeing this difference between CentOS 7.0 and CentOS 6.5. It seems that
the 'proto', 'icmp' stuff isn't parsed correctly??
CentOS 6.5 output:
-
Debug: (provider=iptables): sijis/@property_hash #B:
protoicmpactionacceptensurepresentline-A INPUT -p icmp -m comment --comment
"000 accept all icmp" -j ACCEPT chainINPUTname000 accept all
icmptablefilterprovideriptables
CentOS 7.0.1406 output:
-
Debug: (provider=iptables): sijis/@property_hash #B: {:name=>"000 accept
all icmp", :proto=>"icmp", :chain=>"INPUT", :line=>"-A INPUT -p icmp -m
comment --comment \"000 accept all icmp\" -j ACCEPT",
:provider=>"iptables", :table=>"filter", :ensure=>:present,
:action=>"accept"}
I added this line "debug 'sijis/@property_hash #B: %s' % @property_hash.to_s" to
https://github.com/puppetlabs/puppetlabs-firewall/blob/master/lib/puppet/provider/firewall/iptables.rb#L123-L127
I'd appreciate any feedback.
Thanks
Sijis
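An added example (my own code, not from the original post or the puppetlabs-firewall module) showing why the two debug lines above look so different: CentOS 6.5 ships Ruby 1.8.7, where Hash#to_s joins the flattened key/value pairs with no separators, while CentOS 7 ships Ruby 2.0, where Hash#to_s is Hash#inspect. It rebuilds both renderings from the hash in the CentOS 7 output, checks the CentOS 6.5 line against that hash, and shows the version-independent form of the debug line (%p, which calls inspect).

```ruby
# Added example: not from the original post or the puppetlabs-firewall module.
# CentOS 6.5 ships Ruby 1.8.7, whose Hash#to_s is hash.to_a.to_s, and Array#to_s
# there was join('') (no braces, no "=>", no separators). CentOS 7 ships Ruby 2.0,
# where Hash#to_s is Hash#inspect. The post's debug line used '%s' % hash.to_s.

# The property hash exactly as printed on the CentOS 7.0 host in the post.
PROPERTY_HASH = {
  :name     => '000 accept all icmp',
  :proto    => 'icmp',
  :chain    => 'INPUT',
  :line     => '-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT',
  :provider => 'iptables',
  :table    => 'filter',
  :ensure   => :present,
  :action   => 'accept',
}

# The line logged on the CentOS 6.5 host in the post (email line wraps rejoined).
CENTOS65_OUTPUT = 'protoicmpactionacceptensurepresentline-A INPUT -p icmp -m comment --comment ' \
  '"000 accept all icmp" -j ACCEPT chainINPUTname000 accept all icmptablefilterprovideriptables'

# Mimic Ruby 1.8's Hash#to_s on a modern Ruby. Hashes were unordered in 1.8, so
# the real 1.8.7 output listed the pairs in bucket order, not insertion order.
def ruby18_hash_to_s(hash)
  hash.to_a.flatten.map(&:to_s).join('')
end

# Ruby >= 1.9: Hash#to_s is inspect, which is the CentOS 7 rendering.
def ruby19_hash_to_s(hash)
  hash.inspect
end

# A 1.8-style rendering carries every pair of the hash when each "#{key}#{value}"
# fragment occurs in it; on the post's two lines this shows the same parsed rule.
def same_property_hash?(legacy_string, hash)
  hash.all? { |key, value| legacy_string.include?("#{key}#{value}") }
end

# Version-independent form of the debug line: %p calls inspect on every Ruby.
def portable_debug_line(hash)
  'sijis/@property_hash #B: %p' % [hash]
end

if __FILE__ == $PROGRAM_NAME
  puts ruby18_hash_to_s(PROPERTY_HASH)
  puts ruby19_hash_to_s(PROPERTY_HASH)
  puts same_property_hash?(CENTOS65_OUTPUT, PROPERTY_HASH)
  puts portable_debug_line(PROPERTY_HASH)
end
```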
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/ab3e3a43-07d0-4489-bc66-b0cbcd8849ac%40googlegroups.com.