The puppetlabs-firewall module has a provider called firewall{} which builds a rule. I've written a wrapper that either calls it (without any changes) or, if track => false, generates an equivalent set of rules that does not use the Linux firewall "connection tracking" mechanism. This is useful if you are a high-volume web site and connection tracking has become a resource hog.
When "track => false", four rules are generated instead:

1. the raw table, chain=PREROUTING, same source and destination, jump=NOTRACK.
2. the raw table, chain=OUTPUT, swap the source and destination, jump=NOTRACK.
3. the filter table, chain=INPUT, same source and destination.
4. the filter table, chain=OUTPUT, swap the source and destination.

NOTE: However, if this is an OUTPUT rule, swap the chain in 1 and 2, and 3 and 4. If you are using ipsets, reverse them in rules 2 and 4. (Easy to remember, right?)

You can generate these 4 rules by hand, but it is error prone... especially if you are making many such rules.

My employer (Stack Exchange, Inc.) has graciously given me permission to open source it: https://github.com/StackExchange/stackexchange-superfirewall

Enjoy!

Tom
--
Email: t...@whatexit.org
Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog: http://EverythingSysadmin.com
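As an added illustration of the four-rule expansion described in the post (this is not code from the stackexchange-superfirewall module), the Python function below turns one INPUT or OUTPUT rule into the four iptables commands, applying the chain swap for OUTPUT rules and the ipset reversal in rules 2 and 4. The ACCEPT action, the `--dport`/`--sport` handling and the `(name, 'src'|'dst')` ipset form are assumptions of this example.

```python
"""Expand a rule with track => false into the four NOTRACK-style iptables
rules. Constructed example, not the stackexchange-superfirewall provider.
Assumed: chain is INPUT or OUTPUT, action defaults to ACCEPT, and an ipset is
given as (name, 'src' | 'dst')."""


def _match(src, dst, proto, dport, ipset, swapped):
    """Match portion of a rule. With swapped=True the source and destination
    change places, --dport becomes --sport, and the ipset direction flips
    (rules 2 and 4 in the post)."""
    if swapped:
        src, dst = dst, src
    parts = []
    if src:
        parts += ["-s", src]
    if dst:
        parts += ["-d", dst]
    if proto:
        parts += ["-p", proto]
        if dport:
            parts += ["--sport" if swapped else "--dport", str(dport)]
    if ipset:
        name, direction = ipset
        if swapped:
            direction = "dst" if direction == "src" else "src"
        parts += ["-m", "set", "--match-set", name, direction]
    return parts


def notrack_rules(chain, src=None, dst=None, proto=None, dport=None,
                  ipset=None, action="ACCEPT"):
    """Return the four iptables command lines for one untracked rule."""
    if chain not in ("INPUT", "OUTPUT"):
        raise ValueError("only INPUT and OUTPUT rules are supported")
    # Reply traffic flows through the opposite filter chain; without
    # conntrack it must be allowed explicitly, hence rules 3 and 4.
    rev_chain = "OUTPUT" if chain == "INPUT" else "INPUT"
    # Forward packets of an INPUT rule arrive via raw PREROUTING, those of an
    # OUTPUT rule are locally generated (raw OUTPUT); the reply goes the other
    # way. This is the "swap the chain in 1 and 2" note for OUTPUT rules.
    fwd_raw = "PREROUTING" if chain == "INPUT" else "OUTPUT"
    rev_raw = "OUTPUT" if chain == "INPUT" else "PREROUTING"
    fwd = _match(src, dst, proto, dport, ipset, swapped=False)
    rev = _match(src, dst, proto, dport, ipset, swapped=True)
    rules = [
        ["iptables", "-t", "raw", "-A", fwd_raw] + fwd + ["-j", "NOTRACK"],
        ["iptables", "-t", "raw", "-A", rev_raw] + rev + ["-j", "NOTRACK"],
        ["iptables", "-t", "filter", "-A", chain] + fwd + ["-j", action],
        ["iptables", "-t", "filter", "-A", rev_chain] + rev + ["-j", action],
    ]
    return [" ".join(r) for r in rules]
```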