[Puppet Users] Re: puppetlabs-firewall issue

2014-07-01 Thread Pablo Morales
If it helps this is what I see when running in debug mode:

debug: /Stage[main]/My_fw::Post/Firewall[999 drop all]/require: requires Class[My_fw::Pre]
debug: /Stage[main]/My_fw::Pre/Firewall[001 accept all to lo interface]/before: requires Firewall[002 accept related established rules]
debug: /Stage[main]/Firewall::Linux::Redhat/require: requires Package[iptables]
debug: /Stage[main]/My_fw::Pre/Firewall[000 accept all icmp]/before: requires Firewall[001 accept all to lo interface]
debug: /Stage[main]/My_fw::Pre/Firewall[100 allow http and https access]/before: requires Class[My_fw::Post]
debug: /Stage[main]/My_fw::Pre/Firewall[002 accept related established rules]/before: requires Class[My_fw::Post]
debug: /Stage[main]/Users/User[pepe]: Autorequiring Group[shame]
debug: /Schedule[daily]: Skipping device resources because running on a host
debug: /Schedule[monthly]: Skipping device resources because running on a host
debug: /Schedule[hourly]: Skipping device resources because running on a host
debug: /Schedule[never]: Skipping device resources because running on a host
debug: Prefetching yum resources for package
debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm --version'
debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -qa --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}
''
debug: Service[iptables](provider=redhat): Executing '/sbin/service iptables status'
debug: Puppet::Type::Service::ProviderRedhat: Executing '/sbin/chkconfig iptables'


On Tuesday, July 1, 2014 at 16:17:30 UTC-3, Pablo Morales wrote:
>
> Hi there guys
> I'm new to puppet I think it's a great tool and I'm trying to configure
> some task to perform automatically like users and some services which I had
> no problems until now with iptables, this is what I've got
>
> server and client:
> CentOS release 6.5 (Final)
>
> On client:
> puppet-2.7.25-2.el6.noarch
>
> On server:
> puppet-server-3.6.2-1.el6.noarch
> puppet-3.6.2-1.el6.noarch
>
> I'm following this:
> https://forge.puppetlabs.com/puppetlabs/firewall
>
> My config on server:
> /etc/puppet/modules/my_fw/manifests
> post.pp
> pre.pp
> class my_fw::post {
>   firewall { '999 drop all':
>     proto   => 'all',
>     action  => 'drop',
>     before  => undef,
>   }
> }
>
> class my_fw::pre {
>   Firewall {
>     require => undef,
>   }
>
>   # Default firewall rules
>   firewall { '000 accept all icmp':
>     proto   => 'icmp',
>     action  => 'accept',
>   }->
>   firewall { '001 accept all to lo interface':
>     proto   => 'all',
>     iniface => 'lo',
>     action  => 'accept',
>   }->
>   firewall { '002 accept related established rules':
>     proto   => 'all',
>     ctstate => ['RELATED', 'ESTABLISHED'],
>     action  => 'accept',
>   }
>
>   firewall { '100 allow http and https access':
>     port   => [80, 443],
>     proto  => tcp,
>     action => accept,
>   }
>
> }
>
> /etc/puppet/manifests
> site.pp
> # tell puppet on which client to run the class
> node slnxserver {
>
>   include users
>
>   #resources { "firewall":
>   #  purge => true
>   #}
>
>   Firewall {
>     before  => Class['my_fw::post'],
>     require => Class['my_fw::pre'],
>   }
>
>   class { ['my_fw::pre', 'my_fw::post']: }
>   class { 'firewall': }
> }
>
> On the client I see the following:
> tail -f /var/log/messages
> Jul  1 16:01:09 slnxserver puppet-agent[16431]: Finished catalog run in 0.35 seconds
> Jul  1 16:02:41 slnxserver puppet-agent[16431]: Finished catalog run in 0.33 seconds
> Jul  1 16:04:13 slnxserver puppet-agent[16431]: Finished catalog run in 0.30 seconds
> Jul  1 16:05:45 slnxserver puppet-agent[16431]: Finished catalog run in 0.28 seconds
> Jul  1 16:07:17 slnxserver puppet-agent[16431]: Finished catalog run in 0.29 seconds
>
> No problems reported, but it seems the iptables rules are not applied, am
> I missing something else?
>
> The 80:443 ports are not applied:
>
> iptables -nL
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination 
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination 
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination  
>
> If I uncomment the resource statement above I get:
> puppet-agent[16431]: Failed to apply catalog: Parameter name failed on Resources[firewall]: Could not find resource type 'firewall' at /etc/puppet/manifests/site.pp:8
>
>
> Thanks for your time and support, any help appreciated.
> Regards
>
>
>
>


Re: [Puppet Users] Re: puppetlabs-firewall issue

2014-07-02 Thread Cory Stoker
Hmm...

Do you have plugin sync turned on in the agent config?  Should see
something like pluginsync = true in your puppet.conf.  The error
specified seems to be having an issue finding the type which is sync'ed
from the master to the agents through plugin sync.


Re: [Puppet Users] Re: puppetlabs-firewall issue

2014-07-02 Thread Pablo Morales
Cory, thank you very much!!! That was the issue...

target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo interface */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 002 accept related established rules */ ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80,443 /* 100 allow http and https access */
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */


Thanks for your time and support
Regards


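
The failure in this thread was silent: the agent kept logging "Finished catalog run" while the INPUT chain stayed empty with policy ACCEPT. A post-run check such as the one below catches that state. It is an added example, not code from any post in the thread; the function names and the sample listings are hypothetical and constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not code from the thread. check_fw_rules reads
# `iptables -nL INPUT` output on stdin and takes the manifest's rule names as
# arguments. It succeeds only if every name appears as a rule comment, in that
# order, and the last rule in the chain is a DROP.
check_fw_rules() (
    IFS=';'
    expected="$*"   # assumption: rule names never contain ';'
    awk -v expected="$expected" '
        BEGIN { n = split(expected, want, ";"); idx = 1 }
        # Skip the "Chain ..." and "target prot ..." headers and blank lines.
        /^Chain / || /^target / || NF == 0 { next }
        {
            count++
            last = $1
            if (idx <= n && index($0, "/* " want[idx] " */")) idx++
        }
        END {
            if (count == 0)     { print "FAIL: chain is empty" > "/dev/stderr"; exit 1 }
            if (idx <= n)       { print "FAIL: missing or misplaced: " want[idx] > "/dev/stderr"; exit 1 }
            if (last != "DROP") { print "FAIL: last rule is " last ", not DROP" > "/dev/stderr"; exit 1 }
        }'
)

# Constructed samples modelled on the two listings posted in the thread.
listing_without_pluginsync() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

listing_with_pluginsync() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo interface */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 002 accept related established rules */ ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80,443 /* 100 allow http and https access */
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */
EOF
}

set -- '000 accept all icmp' '001 accept all to lo interface' \
       '002 accept related established rules' \
       '100 allow http and https access' '999 drop all'
listing_with_pluginsync    | check_fw_rules "$@" && echo "OK: rules applied"
listing_without_pluginsync | check_fw_rules "$@" || echo "ALERT: rules not applied"
```

On a managed node, pipe the live `iptables -nL INPUT` output into the function after each agent run and alert on a non-zero exit status.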