Great! ... almost? The Firewall notify dependency check almost covers everything. I really like its elegance.
The one problem I can still think of is that the firewall module is not the only one setting firewall rules. In the puppetlabs/apache module, for example, it attempts to open up port 80. Since there is no guarantee when a module is applied it is possible the firewall module will kick, followed by apache. Since the last rule in the firewall module is to drop all, it will match before the apache open port 80.

It is a little bit difficult to test module ordering aside from restarting the puppet master and just trying it out on a test node for about an hour. So I haven't tested this today.

You said:

> the numbers in the namevar are ultimately for how they get ordered in the file ruleset as you state - but not what order they are _inserted_.

Which makes me still think that the order various modules kick can affect the firewall rules. Thus, a stage after main is still needed to guarantee that the drop happens last.

I hope I'm wrong, is there any alternative?
