On 4 January 2012 07:33, bel <[email protected]> wrote:
> I'd reverse my stages if I were you. Seems like that will fix it.
>
> On Dec 27 2011, 11:02 am, Jure Pečar <[email protected]> wrote:
> > On Tue, 27 Dec 2011 04:32:03 -0800 (PST)
> >
> > bel <[email protected]> wrote:
> > > You could use stages as described in documentation:
> >
> > > http://forge.puppetlabs.com/puppetlabs/firewall
> >
> > Now I've implemented stages and indeed the output of puppet agent makes me
> > think they are in place:
> >
> > notice: /Firewall[002 allow icmp on eth0]/ensure: created
> > notice: /Firewall[001 allow packets with valid state]/ensure: created
> > notice: /Firewall[000 allow lo in]/ensure: created
> > notice: /Firewall[003 allow ssh]/ensure: created
> > notice: /File[/etc/sysconfig/iptables]/ensure: created
> > notice: /Firewall[100 allow nrpe]/ensure: created
> > notice: /Firewall[100 allow snmp]/ensure: created
> > notice: /Firewall[999 reject everything else on forward]/ensure: created
> > notice: /Firewall[998 reject everything else]/ensure: created
> >
> > But then I lose ssh connection. Looking at local console it is obvious
> > why:
> >
> > Chain INPUT (policy ACCEPT)
> > /* 998 reject everything else */
> > /* 100 allow nrpe */
> > /* 100 allow snmp */
> > /* 003 allow ssh */
> > /* 000 allow lo in */
> > /* 001 allow icmp on eth0 */
> > /* 002 allow packets with valid state */
> >
> > Chain FORWARD (policy ACCEPT)
> > /* 999 reject everything else on forward */ reject-with
> > icmp-admin-prohibited
> >
> > So again it looks like the numbers in the rule names have no meaning
> > whatsoever. Rules are inserted according to stages, but without a rule
> > position (iptables -I chain rulenum), so each one ends up on top, since for
> > iptables the rulenum parameter is optional and set to 1 (= top of the table)
> > if not specified.
> >
>
Perhaps try using a collection. Define all new firewall resources as
virtual, then in the iptables module, realize them. i.e.

    class nagios::nrpe::config {
      ...
      @firewall { '100 allow nrpe':
        destination => $ipaddress_eth0,
        proto       => 'tcp',
        dport       => '5666',
        state       => 'NEW',
        action      => accept,
      }
    }

    class iptables {
      ...
      @firewall { '000 allow lo in':
        iniface => 'lo',
        action  => accept,
      }
      ...
      Firewall <| |> { notify => Exec["persist-firewall"], }
    }

You could then use stages to ensure iptables is evaluated last. The
firewall type should be autoloaded.
Cheers,
Grant
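An added example, not Grant's or the puppetlabs-firewall module's own code, that combines the virtual-resource collector above with the module's documented pre/post pattern so the '998 reject everything else' catch-all is always applied after the rule that keeps the SSH session alive. It assumes the module's documented parameter names and that Exec['persist-firewall'] exists, as in Grant's snippet; explicit relationships control evaluation order, while in-chain position remains the provider's job.

```puppet
# site.pp: every firewall resource, wherever it is declared (including the
# virtual ones realized by the collector below), is evaluated after the
# 'pre' rules and before the 'post' catch-all. Example added to the thread;
# not Grant's or the module's own code. Exec['persist-firewall'] is assumed
# to exist, as in Grant's snippet.
Firewall {
  require => Class['iptables::pre'],
  before  => Class['iptables::post'],
}

class iptables::pre {
  Firewall { require => undef }   # break the cycle with the site default
  firewall { '000 allow lo in':
    iniface => 'lo',
    action  => accept,
  }
  firewall { '001 allow packets with valid state':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => accept,
  }
  firewall { '003 allow ssh':     # applied before any reject rule exists
    proto  => 'tcp',
    dport  => '22',
    state  => 'NEW',
    action => accept,
  }
}

class iptables::post {
  Firewall { before => undef }    # likewise
  firewall { '998 reject everything else':
    proto  => 'all',
    action => reject,
  }
  firewall { '999 reject everything else on forward':
    chain  => 'FORWARD',
    proto  => 'all',
    reject => 'icmp-admin-prohibited',
  }
}

class iptables {
  class { 'iptables::pre': }
  class { 'iptables::post': }
  # Realize virtual rules declared in other modules (e.g. '100 allow nrpe'
  # from nagios::nrpe::config) and persist after any change.
  Firewall <| |> { notify => Exec['persist-firewall'] }
}
```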
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.