I have this working in our environment as a module, which I will attempt to
describe.
module: casfirewall
init.pp
class casfirewall {
  include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost

  file { "/etc/iptables":
    ensure => "directory",
    owner  => "root",
    group  => "root",
    mode   => "0700",
  }

  # Always persist firewall rules
  exec { "persist-firewall":
    command => $operatingsystem ? {
      "debian"          => "/sbin/iptables-save > /etc/iptables/rules.v4",
      /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
    },
    refreshonly => true,
    require     => File["/etc/iptables"],
  }

  # Resource defaults for every firewall rule in this module: each change
  # re-persists the rule set, and every rule lands after fwpre and before fwpost
  Firewall {
    notify  => Exec["persist-firewall"],
    before  => Class["casfirewall::fwpost"],
    require => Class["casfirewall::fwpre"],
  }

  # Setup firewall resource: purge any rule Puppet does not manage
  resources { "firewall": purge => true }
}
As you can see, this holds the meat and potatoes by including the Firewall
notify, before, and require bits.
The fwpre class contains the initial firewall settings (abbreviated here):
class casfirewall::fwpre {
  Firewall {
    require => undef,
  }
  firewall { "000 allow outbound":
    proto  => "all",
    chain  => "OUTPUT",
    action => accept,
  }
  ...
}
The fwpost class contains the drop everything else rule. Because of the
before ordering in init.pp this rule gets applied last (and was the reason
for starting this thread in the first place).
class casfirewall::fwpost {
  firewall { "999 drop all":
    proto  => "all",
    action => drop,
    before => undef,
  }
}
In our init.pp we also have defined a default class. This contains all the
rules to open ports to our monitoring servers or backup servers. These get
applied after the initial pre class, and before the post as you would
expect.
I hope that helps. The suggestions given in this thread about firewall
ordering very much helped us. I look forward to seeing the firewall module
get another release and more user uptake.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/-B3-kjpoFvYJ.
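The casfirewall::default class mentioned above is not shown in the post. The following is an added example of how such a class can be written in the same pattern, not the poster's own code: the class name casfirewall::default comes from the post, but the parameter names, the casfirewall::allow_from defined type, the addresses (RFC 5737 documentation range) and the ports are assumptions chosen for illustration. The rule names are zero-padded so that they sort between "000 allow outbound" (fwpre) and "999 drop all" (fwpost), and the Firewall resource default in init.pp supplies the require/before ordering, so no rule here needs it spelled out.

```puppet
# Added example (not from the original module): opens ports only from known
# monitoring and backup hosts. All addresses, ports and the allow_from
# defined type are assumptions for illustration.
class casfirewall::default (
  $monitoring_hosts = ['192.0.2.10'],   # assumed monitoring server
  $backup_hosts     = ['192.0.2.20'],   # assumed backup server
  $monitoring_ports = ['5666'],         # assumed port of the monitoring agent
  $backup_ports     = ['10050'],        # assumed port of the backup agent
) {
  # Replies to connections this host opened must be accepted before the
  # final "999 drop all" rule in fwpost, otherwise outbound traffic
  # (allowed in fwpre) gets no answers.
  firewall { '100 allow established':
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }

  firewall { '110 allow loopback':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  # One accept rule per host, restricted to the source address and the
  # ports the agent actually listens on; the array title creates one
  # instance of the defined type per address.
  casfirewall::allow_from { $monitoring_hosts:
    order => '200',
    ports => $monitoring_ports,
    label => 'monitoring',
  }

  casfirewall::allow_from { $backup_hosts:
    order => '300',
    ports => $backup_ports,
    label => 'backup',
  }
}

# Assumed helper (not in the original module): turns one source address
# into one INPUT accept rule. $name is the address used as the title.
define casfirewall::allow_from (
  $order,
  $ports,
  $label,
) {
  firewall { "${order} allow ${label} from ${name}":
    chain  => 'INPUT',
    proto  => 'tcp',
    source => $name,
    dport  => $ports,
    action => 'accept',
  }
}
```

Because init.pp declares resources { "firewall": purge => true }, any rule added by hand that is not expressed as a firewall resource will be removed on the next run, so every permitted source and port has to live in a class like this one; combined with the ordering defaults, that keeps "999 drop all" as the last rule no matter which classes are added later.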