This was my original idea; however, I tried to start simpler. I tried to get a handle on editfiles, only to realise after writing it... that I was using cfengine 2 syntax, which was vastly different.

I was originally looking for "# Apache" and, if not finding it, then inserting it:

# Apache
various lines here
# End apache

and then removing it, but I couldn't work out how to do this in cfengine 3.

Thanks

On 10 February 2012 20:05:23, Nick Anderson wrote:
> On 02/10/2012 12:24 PM, John Mitchell wrote:
>> Hiya,
>>
>> Sorry, still learning cfEngine here, and it's being a slow process, but I think I'm finally getting the hang of it. I am a little stumped by one problem.
>>
>> I'm trying to set firewall rules based on a certain set of circumstances, i.e. if a machine is defined as a webserver then port 80 should be allowed, and if not a member of the webserver group, then port 80 denied.
>>
>> webserver::
>>   "/sbin/iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
>>
>> !webserver::
>>   "/sbin/iptables -D RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
>>
>> However, what I also need to do is reload the iptables process (iptables-save; iptables-reload) if a new entry is added to the list; also I'd prefer not to attempt to add duplicate listings to the firewall. I can do an iptables --list to get a list, but I'm not quite sure how to set a value on a match for a process. Ideally I'd like to do something along the lines of
>>
>> classes:
>>   "https_port_allowed" => if_line_in_program_output("/sbin/iptables --list","^ACCEPT.*state NEW tcp dpt:www")
>>
>> But I have no clue on how to do this; could someone point me in the right direction? I've tried reading all the examples and tutorials and documents I can get my hands on, but the learning curve is pretty high, so there's a good chance I've missed it :|
>>
>> Thanks in advance for any help or direction anyone can give!
>
> What if instead of inserting the rule on the fly you edit the saved config and then reload iptables? I think the rules are stored in /etc/sysconfig/iptables. You could do line edits there, then restart iptables and it should pick up the new rules.
>
> --

John Mitchell
Vice President, Development
mi...@jolokianetworks.com
jolokianetworks.com
245-M Mt. Hermon Rd, Ste 152
Scotts Valley, CA 95066
408.689.0290

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
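An added example (not code from the thread) of the file-edit approach Nick suggests, in CFEngine 3 syntax: it keeps the poster's "# Apache ... # End apache" block in /etc/sysconfig/iptables on webserver hosts, strips it everywhere else, and restarts iptables only when the file was actually changed; returnszero() shows the "class from program output" test the poster asked about. The `webserver` class is assumed to be defined elsewhere in the policy, and `/sbin/service iptables restart` is assumed to be the reload command on the host (the path and chain name are from the thread).

```cfengine3
bundle agent webserver_firewall
{
vars:
  # File path from the reply; the rule is the poster's, in iptables-save form
  "conf" string => "/etc/sysconfig/iptables";
  "rule" string => "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT";
classes:
  # The "line in program output" check from the question, via returnszero()
  "http_port_live" expression => returnszero("/sbin/iptables -L RH-Firewall-1-INPUT -n | /bin/grep -q 'ACCEPT.*tcp dpt:80'", "useshell");
files:
  webserver::
    "$(conf)" edit_line => apache_block_present("$(rule)"), classes => set_if_repaired("iptables_changed");
  !webserver::
    "$(conf)" edit_line => apache_block_absent("$(rule)"), classes => set_if_repaired("iptables_changed");
commands:
  iptables_changed::
    # Assumed reload command; runs only when the saved rules file was edited
    "/sbin/service iptables restart";
reports:
  http_port_live::
    "Running firewall currently accepts new connections on tcp/80";
}

bundle edit_line apache_block_present(rule)
{
insert_lines:
  # Insert the marked block as one unit just before COMMIT, and not again if present
  "# Apache$(const.n)$(rule)$(const.n)# End apache"
    insert_type => "preserve_block",
    location    => before_commit;
}

bundle edit_line apache_block_absent(rule)
{
vars:
  "rule_re" string => escape("$(rule)");   # regex-escape the rule before matching it
delete_lines:
  "^# Apache$|^# End apache$|^$(rule_re)$";
}
body location before_commit
{
  before_after => "before";
  first_last   => "first";
  select_line_matching => "^COMMIT$";
}
body classes set_if_repaired(c)
{
  promise_repaired => { "$(c)" };
}
```

Add `webserver_firewall` to your bundlesequence; if your policy already loads cfengine_stdlib.cf, `set_if_repaired` can be replaced by the library's `if_repaired` body.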