[Puppet Users] Re: Puppetlabs firewall module
On Wednesday, March 27, 2013 12:32:27 PM UTC-7, David Warden wrote:

> I'm also running into this. Has anyone managed to get the puppet firewall module to manage both iptables and ip6tables?

You can add rules to ip6tables by specifying provider => 'ip6tables' on each firewall {} statement.

For purging the unmanaged ip6tables rules, I couldn't get that to work either - https://github.com/puppetlabs/puppetlabs-firewall/issues/168

Ask

--
You received this message because you are subscribed to the Google Groups Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
[Puppet Users] Re: Puppetlabs firewall module
I'm also running into this. Has anyone managed to get the puppet firewall module to manage both iptables and ip6tables?

On Monday, December 3, 2012 6:38:17 PM UTC-5, David Mesler wrote:

> Julia, did you ever figure this out? I'm running into this issue as well.
>
> --david
>
> On Tuesday, May 22, 2012 5:28:05 AM UTC-4, Julia Smith wrote:
>
>> I'm trying to use the firewall resource and it works fine for me for iptables. However, I'm not sure how I purge ip6tables? Doing...
>>
>>     resources { firewall: purge => true }
>>
>> only purges iptables. Currently I have 2 execs for persistence, 1 for iptables and 1 for ip6tables depending on which I'm using, but my ip6tables don't purge. I would have expected them to purge with the code above. The test examples which come with the module do not have any purge for ip6tables.
>>
>> Any help would be greatly appreciated.
>>
>> --
>> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
[Puppet Users] Re: Puppetlabs firewall module
Julia, did you ever figure this out? I'm running into this issue as well.

--david

On Tuesday, May 22, 2012 5:28:05 AM UTC-4, Julia Smith wrote:

> I'm trying to use the firewall resource and it works fine for me for iptables. However, I'm not sure how I purge ip6tables? Doing...
>
>     resources { firewall: purge => true }
>
> only purges iptables. Currently I have 2 execs for persistence, 1 for iptables and 1 for ip6tables depending on which I'm using, but my ip6tables don't purge. I would have expected them to purge with the code above. The test examples which come with the module do not have any purge for ip6tables.
>
> Any help would be greatly appreciated.
[Puppet Users] Re: puppetlabs firewall module
I'd reverse my stages if I were you. Seems like that will fix it.

On Dec 27 2011, 11:02 am, Jure Pečar jure.pe...@gmail.com wrote:

> On Tue, 27 Dec 2011 04:32:03 -0800 (PST) bel belm...@gmail.com wrote:
>
>> You could use stages as described in documentation: http://forge.puppetlabs.com/puppetlabs/firewall
>
> Now I've implemented stages and indeed the output of puppet agent makes me think they are in place:
>
>     notice: /Firewall[002 allow icmp on eth0]/ensure: created
>     notice: /Firewall[001 allow packets with valid state]/ensure: created
>     notice: /Firewall[000 allow lo in]/ensure: created
>     notice: /Firewall[003 allow ssh]/ensure: created
>     notice: /File[/etc/sysconfig/iptables]/ensure: created
>     notice: /Firewall[100 allow nrpe]/ensure: created
>     notice: /Firewall[100 allow snmp]/ensure: created
>     notice: /Firewall[999 reject everything else on forward]/ensure: created
>     notice: /Firewall[998 reject everything else]/ensure: created
>
> But then I lose ssh connection. Looking at local console it is obvious why:
>
>     Chain INPUT (policy ACCEPT)
>     /* 998 reject everything else */
>     /* 100 allow nrpe */
>     /* 100 allow snmp */
>     /* 003 allow ssh */
>     /* 000 allow lo in */
>     /* 001 allow icmp on eth0 */
>     /* 002 allow packets with valid state */
>
>     Chain FORWARD (policy ACCEPT)
>     /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
>
> So again it looks like the number in the rule name has no meaning whatsoever. Rules are inserted according to stages, but without rule position (iptables -I chain rulenum), so each one ends on top, since for iptables the rulenum parameter is optional and set to 1 (= top of the table) if not specified.
>
> --
> Jure Pečar
Re: [Puppet Users] Re: puppetlabs firewall module
On 4 January 2012 07:33, bel belm...@gmail.com wrote:

> I'd reverse my stages if I were you. Seems like that will fix it.
>
> On Dec 27 2011, 11:02 am, Jure Pečar jure.pe...@gmail.com wrote:
>
>> On Tue, 27 Dec 2011 04:32:03 -0800 (PST) bel belm...@gmail.com wrote:
>>
>>> You could use stages as described in documentation: http://forge.puppetlabs.com/puppetlabs/firewall
>>
>> Now I've implemented stages and indeed the output of puppet agent makes me think they are in place:
>>
>>     notice: /Firewall[002 allow icmp on eth0]/ensure: created
>>     notice: /Firewall[001 allow packets with valid state]/ensure: created
>>     notice: /Firewall[000 allow lo in]/ensure: created
>>     notice: /Firewall[003 allow ssh]/ensure: created
>>     notice: /File[/etc/sysconfig/iptables]/ensure: created
>>     notice: /Firewall[100 allow nrpe]/ensure: created
>>     notice: /Firewall[100 allow snmp]/ensure: created
>>     notice: /Firewall[999 reject everything else on forward]/ensure: created
>>     notice: /Firewall[998 reject everything else]/ensure: created
>>
>> But then I lose ssh connection. Looking at local console it is obvious why:
>>
>>     Chain INPUT (policy ACCEPT)
>>     /* 998 reject everything else */
>>     /* 100 allow nrpe */
>>     /* 100 allow snmp */
>>     /* 003 allow ssh */
>>     /* 000 allow lo in */
>>     /* 001 allow icmp on eth0 */
>>     /* 002 allow packets with valid state */
>>
>>     Chain FORWARD (policy ACCEPT)
>>     /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
>>
>> So again it looks like the number in the rule name has no meaning whatsoever. Rules are inserted according to stages, but without rule position (iptables -I chain rulenum), so each one ends on top, since for iptables the rulenum parameter is optional and set to 1 (= top of the table) if not specified.

Perhaps try using a collection. Define all new firewall resources as virtual, then in the iptables module, realize them. I.e.

    class nagios::nrpe::config {
      ...
      @firewall { '100 allow nrpe':
        destination => $ipaddress_eth0,
        proto       => 'tcp',
        dport       => '5666',
        state       => 'NEW',
        action      => accept,
      }
    }

    class iptables {
      ...
      @firewall { '000 allow lo in':
        iniface => 'lo',
        action  => accept,
      }
      ...
      Firewall <| |> {
        notify => Exec[persist-firewall],
      }
    }

You could then use stages to ensure iptables is evaluated last. The firewall type should be autoloaded.

Cheers,
Grant
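The per-rule provider => 'ip6tables' that Ask describes and the virtual-resource/collector pattern Grant suggests, combined into one added Puppet example that is not code from the thread. It assumes the names fw::service_rule, nagios::nrpe::config, the two persist-* exec titles and the 'post' stage, and it only declares both address families per service; it does not change how the module positions rules within a chain.

```puppet
# Added example, not from the thread; fw::service_rule, the exec titles and the 'post' stage are assumed names.
define fw::service_rule ($dport, $proto = 'tcp') {
  # One virtual rule per address family, sharing the numeric prefix so both tables stay in step.
  @firewall { "100 allow ${name}":
    proto  => $proto,
    dport  => $dport,
    state  => 'NEW',
    action => 'accept',
  }
  @firewall { "100 allow ${name} v6":
    provider => 'ip6tables',
    proto    => $proto,
    dport    => $dport,
    state    => 'NEW',
    action   => 'accept',
  }
}
# A service class only declares its rules; nothing is realized here.
class nagios::nrpe::config {
  fw::service_rule { 'nrpe': dport => '5666' }
}
class iptables {
  # Purges unmanaged iptables rules only; per the thread, ip6tables rules are not purged this way (issue 168).
  resources { 'firewall': purge => true }
  @firewall { '000 allow lo in': iniface => 'lo', action => 'accept' }
  @firewall { '000 allow lo in v6':
    provider => 'ip6tables', iniface => 'lo', action => 'accept',
  }
  @firewall { '999 reject everything else':
    action => 'reject', reject => 'icmp-admin-prohibited',
  }
  # icmp-admin-prohibited is an IPv4 reject type, so the v6 rule keeps the ip6tables default reject type.
  @firewall { '999 reject everything else v6':
    provider => 'ip6tables', action => 'reject',
  }
  exec { 'persist-iptables':
    command => '/sbin/service iptables save', refreshonly => true,
  }
  exec { 'persist-ip6tables':
    command => '/sbin/service ip6tables save', refreshonly => true,
  }
  # Realize every virtual rule from every class and persist both tables.
  Firewall <| |> {
    notify => [Exec['persist-iptables'], Exec['persist-ip6tables']],
  }
}
# site.pp: evaluate the firewall class after everything else, as Grant suggests.
stage { 'post': require => Stage['main'] }
class { 'iptables': stage => 'post' }
```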
Re: [Puppet Users] Re: puppetlabs firewall module
On Tue, 27 Dec 2011 04:32:03 -0800 (PST) bel belm...@gmail.com wrote:

> You could use stages as described in documentation: http://forge.puppetlabs.com/puppetlabs/firewall

Now I've implemented stages and indeed the output of puppet agent makes me think they are in place:

    notice: /Firewall[002 allow icmp on eth0]/ensure: created
    notice: /Firewall[001 allow packets with valid state]/ensure: created
    notice: /Firewall[000 allow lo in]/ensure: created
    notice: /Firewall[003 allow ssh]/ensure: created
    notice: /File[/etc/sysconfig/iptables]/ensure: created
    notice: /Firewall[100 allow nrpe]/ensure: created
    notice: /Firewall[100 allow snmp]/ensure: created
    notice: /Firewall[999 reject everything else on forward]/ensure: created
    notice: /Firewall[998 reject everything else]/ensure: created

But then I lose ssh connection. Looking at local console it is obvious why:

    Chain INPUT (policy ACCEPT)
    /* 998 reject everything else */
    /* 100 allow nrpe */
    /* 100 allow snmp */
    /* 003 allow ssh */
    /* 000 allow lo in */
    /* 001 allow icmp on eth0 */
    /* 002 allow packets with valid state */

    Chain FORWARD (policy ACCEPT)
    /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited

So again it looks like the number in the rule name has no meaning whatsoever. Rules are inserted according to stages, but without rule position (iptables -I chain rulenum), so each one ends on top, since for iptables the rulenum parameter is optional and set to 1 (= top of the table) if not specified.

--
Jure Pečar
[Puppet Users] Re: puppetlabs firewall module
You could use stages as described in documentation: http://forge.puppetlabs.com/puppetlabs/firewall

On Dec 27, 1:48 am, Mark Walkom markwal...@gmail.com wrote:

> It's because puppet doesn't read sequentially but randomly accesses the module/class. You might be able to get around this by using a template.
>
> On 27 December 2011 05:13, Jure Pečar jure.pe...@gmail.com wrote:
>
>> Hello all,
>>
>> I'm trying to implement iptables management via puppet. My goal is to have a set of default rules that get inherited by every node and then a set of modules defining services, where each service definition brings its own additional iptables rules and they should be properly merged together.
>>
>> But I'm stuck at the first steps of implementing firewall module. As I understand the documentation, the number in the name of the rule is used to properly order the rules in the iptables table. However this is not what I observe. Consider the following rules:
>>
>>     class iptables {
>>       service { 'iptables':
>>         enable    => true,
>>         subscribe => File['/etc/sysconfig/iptables'],
>>       }
>>       firewall { '000 allow lo in':
>>         iniface => 'lo',
>>         action  => accept,
>>       }
>>       firewall { '002 allow packets with valid state':
>>         state   => ['RELATED', 'ESTABLISHED'],
>>         iniface => 'eth0',
>>         action  => accept,
>>       }
>>       firewall { '032 allow icmp on eth0':
>>         proto   => 'icmp',
>>         iniface => 'eth0',
>>         action  => accept,
>>       }
>>       firewall { '100 allow ssh':
>>         destination => $ipaddress_eth0,
>>         proto       => 'tcp',
>>         dport       => '22',
>>         state       => 'NEW',
>>         action      => accept,
>>         ensure      => 'present',
>>       }
>>       firewall { '100 allow nrpe':
>>         destination => $ipaddress_eth0,
>>         proto       => 'tcp',
>>         dport       => '5666',
>>         state       => 'NEW',
>>         action      => accept,
>>       }
>>       firewall { '100 allow snmp':
>>         destination => $ipaddress_eth0,
>>         proto       => 'udp',
>>         dport       => '161',
>>         action      => accept,
>>       }
>>       firewall { '999 reject everything else':
>>         action => reject,
>>         reject => 'icmp-admin-prohibited',
>>       }
>>       firewall { '999 reject everything else on forward':
>>         chain  => 'FORWARD',
>>         action => reject,
>>         reject => 'icmp-admin-prohibited',
>>       }
>>       resources { 'firewall':
>>         purge => true,
>>       }
>>       exec { persist-firewall:
>>         command     => '/sbin/service iptables save',
>>         refreshonly => true,
>>       }
>>       Firewall { notify => Exec[persist-firewall] }
>>     }
>>
>> When I run puppetd -t on a node, I get something like this in iptables -nL output (cut to just comment field):
>>
>>     Chain INPUT (policy ACCEPT)
>>     /* 100 allow snmp */
>>     /* 100 allow ssh */ state NEW
>>     /* 032 allow icmp on eth0 */
>>     /* 002 allow packets with valid state */
>>     /* 999 reject everything else */
>>     /* 000 allow lo in */
>>     /* 100 allow nrpe */ state NEW
>>
>>     Chain FORWARD (policy ACCEPT)
>>     /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
>>
>> Order of the rules appears random; sometimes the reject everything rule is applied first and I lose connection to the server. My observation is that either the number in the rule name has no meaning or I'm doing something wrong. Since I'm relatively new to puppet (but was working with cfengine 7-8 years ago), I'm asking this group for suggestions before I file a bug report.
>>
>> Env is puppet 2.6.12, centos 5.7 on server, centos 6.2 on client.
>>
>> --
>> Jure Pečar