It's because puppet doesn't read sequentially but randomly accesses the module/class. You might be able to get around this by using a template.
On 27 December 2011 05:13, Jure Pečar <[email protected]> wrote:
>
> Hello all,
>
> I'm trying to implement iptables management via puppet. My goal is to have
> a set of default rules that get inherited by every node and then a set of
> modules defining services, where each service definition brings its own
> additional iptables rules and they should be properly merged together.
>
> But I'm stuck at the first steps of implementing firewall module. As I
> understand the documentation, the number in the name of the rule is used to
> properly order the rules in the iptables table. However this is not what I
> observe.
>
> Consider the following rules:
>
> class iptables {
>   service { 'iptables':
>     enable    => true,
>     subscribe => File['/etc/sysconfig/iptables'],
>   }
>   firewall { '000 allow lo in':
>     iniface => 'lo',
>     action  => accept,
>   }
>   firewall { '002 allow packets with valid state':
>     state   => ['RELATED', 'ESTABLISHED'],
>     iniface => 'eth0',
>     action  => accept,
>   }
>   firewall { '032 allow icmp on eth0':
>     proto   => 'icmp',
>     iniface => 'eth0',
>     action  => accept,
>   }
>   firewall { '100 allow ssh':
>     destination => $ipaddress_eth0,
>     proto       => 'tcp',
>     dport       => '22',
>     state       => 'NEW',
>     action      => accept,
>     ensure      => 'present',
>   }
>   firewall { '100 allow nrpe':
>     destination => $ipaddress_eth0,
>     proto       => 'tcp',
>     dport       => '5666',
>     state       => 'NEW',
>     action      => accept,
>   }
>   firewall { '100 allow snmp':
>     destination => $ipaddress_eth0,
>     proto       => 'udp',
>     dport       => '161',
>     action      => accept,
>   }
>   firewall { '999 reject everything else':
>     action => reject,
>     reject => 'icmp-admin-prohibited',
>   }
>   firewall { '999 reject everything else on forward':
>     chain  => 'FORWARD',
>     action => reject,
>     reject => 'icmp-admin-prohibited',
>   }
>   resources { 'firewall':
>     purge => true,
>   }
>   exec { "persist-firewall":
>     command     => '/sbin/service iptables save',
>     refreshonly => true,
>   }
>   Firewall {
>     notify => Exec["persist-firewall"]
>   }
> }
>
> When I run puppetd -t on a node, I get something like this in iptables -nL
> output (cut to just comment field):
>
> Chain INPUT (policy ACCEPT)
> /* 100 allow snmp */
> /* 100 allow ssh */ state NEW
> /* 032 allow icmp on eth0 */
> /* 002 allow packets with valid state */
> /* 999 reject everything else */
> /* 000 allow lo in */
> /* 100 allow nrpe */ state NEW
>
> Chain FORWARD (policy ACCEPT)
> /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
>
> Order of the rules appears random, sometimes the reject everything rule is
> applied first and I lose connection to the server.
>
> My observation is that either the number in the rule name has no meaning
> or I'm doing something wrong. Since I'm relatively new to puppet (but
> was working with cfengine 7-8 years ago), I'm asking this group for
> suggestions before I file a bug report.
>
> Env is puppet 2.6.12, centos 5.7 on server, centos 6.2 on client.
>
> --
>
> Jure Pečar
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
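An added example of the template approach the reply suggests; it is not code from this thread or from the puppetlabs-firewall module. Instead of one `firewall` resource per rule, the whole /etc/sysconfig/iptables file is rendered from a single ordered array with `inline_template`, so the rule order is fixed by the array and does not depend on the order in which Puppet evaluates separate resources. The class name and the sample rules are constructed for illustration; the block assumes the iptables-save file format that `service iptables` loads on CentOS and the `@variable` ERB syntax.

```puppet
# Added example (not from the thread): manage the complete ruleset as one
# file rendered from an ordered array, so the loaded order is deterministic.
class iptables_ordered {
  # Constructed sample rules in the exact order they must be applied.
  # iptables-restore applies them top to bottom, so the catch-all REJECT
  # rules sit last and cannot be evaluated ahead of the allow rules.
  $rules = [
    '-A INPUT -i lo -j ACCEPT',
    '-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT',
    '-A INPUT -i eth0 -p icmp -j ACCEPT',
    '-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT',
    '-A INPUT -p tcp -m state --state NEW --dport 5666 -j ACCEPT',
    '-A INPUT -p udp --dport 161 -j ACCEPT',
    '-A INPUT -j REJECT --reject-with icmp-admin-prohibited',
    '-A FORWARD -j REJECT --reject-with icmp-admin-prohibited',
  ]

  # One file resource holds the ruleset in iptables-save format. The
  # template walks $rules in order, so the file always lists the rules in
  # the sequence given above; root-only mode keeps the policy unreadable
  # to other local users.
  file { '/etc/sysconfig/iptables':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => inline_template("*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
<% @rules.each do |rule| -%>
<%= rule %>
<% end -%>
COMMIT
"),
  }

  # Reload the ruleset whenever the file content changes.
  service { 'iptables':
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/sysconfig/iptables'],
  }
}
```

The trade-off is that the whole ruleset lives in one class: the per-service merging the original poster wants would need each service module to contribute its rules to that single array (for example through a concatenation approach) rather than declaring independent `firewall` resources.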
