This ordering behaviour is as you state, and the numbers in the namevar are ultimately for how they get ordered in the file ruleset as you state - but not what order they are _inserted_. Ideally it would be great to have insertion order and order in the firewall list to be the same - but this doesn't work yet, and there are reasons why this isn't always desirable. Some people have suggested modifying the rule file, instead of changing the rule directly to work around this - and there are certainly merits in that approach (and drawbacks).
So I think though the documentation needs updating. This is what I use in top scope, and I've included the pre/post classes that belong in their respective module ultimately:

https://gist.github.com/2032141

You'll notice I ultimately don't use stages here, to avoid the problem some people have with the exec being in the main stage. If people can try this methodology and see if it works that would be much appreciated, then the documentation can be updated to reflect this pattern instead.

ken.

On Tue, Mar 13, 2012 at 2:27 PM, Christian McHugh <[email protected]> wrote:
> In the pre main stage I have defined rules to allow outbound and allow
> related and established. In the post main stage, it does a drop all. Before
> this was organized into stages, occasionally the drop all would get applied
> before keep established and allow outbound, and thus the client could lose
> its connection to the puppet master mid run.
>
>
> On Tuesday, March 13, 2012 4:16:07 PM UTC-5, Mohamed wrote:
>>
>> Just out of curiosity, what do you mean by:
>>
>> > We ended
>> > up in situations where the drop rules would kick before the allow
>> > established rules, and thus kill the puppet run
>>
>> In my experience, what breaks is the reporting attempt puppet clients
>> makes to the master, not the puppet run itself.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/xBTznk59RKkJ.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
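
A sketch of the stage-free pre/post pattern discussed in this thread, added here as an example; it is not the contents of the linked gist and not the module's own code. The class names `fw_pre` and `fw_post` and the sample SSH rule are hypothetical, and the rule attributes assume the puppetlabs-firewall `firewall` type.

```puppet
# Added example. fw_pre / fw_post are hypothetical class names.

# Top scope (site.pp): every firewall rule declared anywhere is applied
# after fw_pre and before fw_post, using resource defaults, not run stages.
Firewall {
  require => Class['fw_pre'],
  before  => Class['fw_post'],
}

class { ['fw_pre', 'fw_post']: }

class fw_pre {
  # Cancel the top-scope default so these rules do not require their own class.
  Firewall { require => undef }

  # Keep existing connections (including the agent's link to the master)
  # alive before anything restrictive is inserted.
  firewall { '000 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '001 accept all outbound':
    chain   => 'OUTPUT',
    proto   => 'all',
    action  => 'accept',
    require => Firewall['000 accept related and established'],
  }
}

class fw_post {
  # The catch-all drop is applied last; 'before => undef' cancels the
  # top-scope default, which would otherwise make this rule precede its
  # own class and create a dependency cycle.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# An ordinary rule elsewhere inherits both defaults, so it is applied
# between the two classes; '100' only sets its position in the ruleset.
firewall { '100 allow ssh':
  proto  => 'tcp',
  dport  => 22,
  action => 'accept',
}
```

The numeric prefixes control where each rule sits in the ruleset, while the `require`/`before` relationships control when it is applied during the run, which is the distinction the reply above draws.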
