Great! ... almost?

The Firewall notify dependency check almost covers everything. I really 
like its elegance.

The one problem I can still think of is that the firewall module is not the
only one setting firewall rules. In the puppetlabs/apache module, for
example, it attempts to open up port 80. Since there is no guarantee when a
module is applied, it is possible the firewall module will kick, followed by
apache. Since the last rule in the firewall module is to drop all, it will
match before the apache open port 80.

It is a little bit difficult to test module ordering aside from restarting 
the puppet master and just trying it out on a test node for about an hour. 
So I haven't tested this today.

You said:

> the numbers in the namevar are ultimately for how they get
> ordered in the file ruleset as you state - but not what order
> they are _inserted_.

Which makes me still think that the order various modules kick can affect 
the firewall rules. Thus, a stage after main is still needed to guarantee 
that the drop happens last. I hope I'm wrong, is there any alternative? 
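
The run-stage arrangement the message proposes, as an added example that is not part of the original post and not code from the firewall or apache modules. The class name `my_fw::post`, the stage name `last` and the `999 drop all` rule title are assumptions; whether a stage is actually required depends on how the firewall provider places rules, which this sketch does not settle.

```puppet
# Added illustration: site manifest that applies the final drop rule in a
# run stage evaluated after 'main'. Names are hypothetical (see lead-in).

# Declare an extra stage and order it after the built-in 'main' stage.
stage { 'last': }
Stage['main'] -> Stage['last']

# Holds only the catch-all rule, so nothing else is pulled into the late stage.
class my_fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
  }
}

node default {
  # Applied during 'main'; per the message above, this module tries to
  # open port 80 on its own.
  include apache

  # Every resource in this class is applied only after all of 'main' has
  # finished, whatever order the modules inside 'main' were applied in.
  class { 'my_fw::post':
    stage => 'last',
  }
}
```

After a run on a test node, `iptables -S INPUT` shows whether the port 80 accept rule sits above the drop rule in the loaded ruleset.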
