On Tue, 27 Dec 2011 04:32:03 -0800 (PST) bel <[email protected]> wrote:
> You could use stages as described in documentation:
>
> http://forge.puppetlabs.com/puppetlabs/firewall

Now I've implemented stages and indeed the output of puppet agent makes me think they are in place:

notice: /Firewall[002 allow icmp on eth0]/ensure: created
notice: /Firewall[001 allow packets with valid state]/ensure: created
notice: /Firewall[000 allow lo in]/ensure: created
notice: /Firewall[003 allow ssh]/ensure: created
notice: /File[/etc/sysconfig/iptables]/ensure: created
notice: /Firewall[100 allow nrpe]/ensure: created
notice: /Firewall[100 allow snmp]/ensure: created
notice: /Firewall[999 reject everything else on forward]/ensure: created
notice: /Firewall[998 reject everything else]/ensure: created

But then I lose the ssh connection. Looking at the local console it is obvious why:

Chain INPUT (policy ACCEPT)
/* 998 reject everything else */
/* 100 allow nrpe */
/* 100 allow snmp */
/* 003 allow ssh */
/* 000 allow lo in */
/* 001 allow icmp on eth0 */
/* 002 allow packets with valid state */

Chain FORWARD (policy ACCEPT)
/* 999 reject everything else on forward */ reject-with icmp-admin-prohibited

So again it looks like the numbers in the rule names have no meaning whatsoever. Rules are inserted according to stages, but without a rule position (iptables -I chain rulenum), so each one ends up on top, since for iptables the rulenum parameter is optional and set to 1 (= top of the table) if not specified.

-- 
Jure Pečar

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
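The mechanism the post describes (rules added with `iptables -I` and no rulenum each land at position 1, so the last one applied ends up on top) and the two ways to get a stable order instead, shown as an added example that is not code from the post or from the puppetlabs-firewall module. It is a small Python model of only two iptables semantics, `-A` (append) and `-I CHAIN [rulenum]` (insert at a 1-based position, default 1); the apply order is constructed from the agent notices above (INPUT rules only), and the `rule_number` helper, which sorts by the numeric prefix of the title, is an assumption used for illustration. Rules that share a number keep their arrival order; the model does not claim to reproduce every detail of the chain the poster observed.

```python
"""Model of where iptables puts a rule for -I (default rulenum 1) vs -A.

Added example, not code from the original post or from puppetlabs-firewall.
Modelled semantics:
  iptables -A CHAIN rule           -> append at the end of the chain
  iptables -I CHAIN [rulenum] rule -> insert at 1-based position rulenum,
                                      default 1 (top of the chain)
"""
import re


def iptables_insert(chain, rule, rulenum=1):
    """Like `iptables -I CHAIN rulenum rule`; rulenum defaults to 1 (top)."""
    if rulenum < 1 or rulenum > len(chain) + 1:
        raise ValueError("rulenum out of range")
    chain.insert(rulenum - 1, rule)
    return chain


def iptables_append(chain, rule):
    """Like `iptables -A CHAIN rule`."""
    chain.append(rule)
    return chain


def rule_number(title):
    """Numeric prefix of a rule title ('003 allow ssh' -> 3). Assumed convention."""
    m = re.match(r"\s*(\d+)", title)
    return int(m.group(1)) if m else float("inf")


# Constructed from the agent notices in the post: the order in which the
# INPUT rules were created (FORWARD rule and the File resource left out).
AGENT_APPLY_ORDER = [
    "002 allow icmp on eth0",
    "001 allow packets with valid state",
    "000 allow lo in",
    "003 allow ssh",
    "100 allow nrpe",
    "100 allow snmp",
    "998 reject everything else",
]


def apply_with_insert_default(rules):
    """Every rule added with -I and no rulenum: each new rule lands on top,
    so the chain ends up in reverse apply order (the reject rule first)."""
    chain = []
    for r in rules:
        iptables_insert(chain, r)
    return chain


def apply_in_name_order(rules):
    """Fix 1: sort by numeric prefix first, then append with -A."""
    chain = []
    for r in sorted(rules, key=rule_number):  # sorted() is stable for ties
        iptables_append(chain, r)
    return chain


def apply_with_insert_position(rules):
    """Fix 2: rules may arrive in any order; compute an explicit rulenum
    (what `iptables -I CHAIN rulenum` takes) from the numeric prefix against
    the chain built so far, so the result matches name order."""
    chain = []
    for r in rules:
        pos = len(chain) + 1  # default: append after everything
        for i, existing in enumerate(chain):
            if rule_number(existing) > rule_number(r):
                pos = i + 1  # first rule with a larger number: go before it
                break
        iptables_insert(chain, r, pos)
    return chain


if __name__ == "__main__":
    print("-I without rulenum, in agent apply order:")
    for r in apply_with_insert_default(AGENT_APPLY_ORDER):
        print("   ", r)
    print("explicit rulenum from numeric prefix:")
    for r in apply_with_insert_position(AGENT_APPLY_ORDER):
        print("   ", r)
```

Running it prints the reject rule at the top of the first chain and at the bottom of the second; the lock-out in the post is the first case, where the `998` rule is evaluated before `003 allow ssh`.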
