Thanks a lot for the example. I managed to make it work. Turns out that in fw::post my firewall rules need to have the parameter before => undef in order to work.
On Tue, Jun 19, 2012 at 4:18 PM, Christian McHugh <[email protected]> wrote:
> I have this working in our environment as a module, which I will attempt to
> describe.
>
> module: casfirewall
> init.pp
>
>     class casfirewall {
>       include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost
>
>       file { "/etc/iptables":
>         ensure => "directory",
>         owner  => "root",
>         group  => "root",
>         mode   => 700,
>       }
>
>       # Always persist firewall rules
>       exec { "persist-firewall":
>         command => $operatingsystem ? {
>           "debian"          => "/sbin/iptables-save > /etc/iptables/rules.v4",
>           /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
>         },
>         refreshonly => true,
>         require     => File["/etc/iptables"],
>       }
>
>       # Resource defaults applied to every firewall rule
>       Firewall {
>         notify  => Exec["persist-firewall"],
>         before  => Class["casfirewall::fwpost"],
>         require => Class["casfirewall::fwpre"],
>       }
>
>       # Setup firewall resource
>       resources { "firewall": purge => true }
>     }
>
> As you can see, this holds the meat and potatoes by including the Firewall
> notify, before, and require bits.
>
> The fwpre class contains the initial firewall settings (abbreviated here)
>
>     class casfirewall::fwpre {
>       Firewall {
>         require => undef,
>       }
>
>       firewall { "000 allow outbound":
>         proto  => "all",
>         chain  => "OUTPUT",
>         action => accept,
>       }
>       ...
>     }
>
> The fwpost class contains the drop everything else rule. Because of the
> before ordering in init.pp this rule gets applied last (and was the reason
> for starting this thread in the first place)
>
>     class casfirewall::fwpost {
>       firewall { "999 drop all":
>         proto  => "all",
>         action => drop,
>         before => undef,
>       }
>     }
>
> In our init.pp we also have defined a default class. This contains all the
> rules to open ports to our monitoring servers or backup servers. These get
> applied after the initial pre class, and before the post as you would
> expect.
>
> I hope that helps. The suggestions given in this thread about firewall
> ordering very much helped us.
> I look forward to seeing the firewall module
> get another release and more user uptake.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/-B3-kjpoFvYJ.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

--
Ioannis Aslanidis
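Added check, not part of this thread or of the puppetlabs-firewall module: once the module has applied, confirm on the host that the numbered ordering actually holds and that nothing sits behind the drop-all rule. It parses `iptables-save` output (the sample below is constructed; the `--comment "NNN title"` tags are the ones puppetlabs-firewall emits for each rule title) and flags the out-of-order case this thread set out to fix. `drop_chains` defaults to INPUT because the quoted "999 drop all" rule names no chain, which is the module's default.

```python
import re
from collections import defaultdict

# Constructed `iptables-save` output for a host managed as the thread describes.
# puppetlabs-firewall tags each rule with a comment carrying the numbered resource
# title, which is what this check relies on. Rule numbers other than 999 are illustrative.
GOOD_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -j ACCEPT
-A INPUT -p all -m comment --comment "999 drop all" -j DROP
-A OUTPUT -p all -m comment --comment "000 allow outbound" -j ACCEPT
COMMIT
"""

# The failure mode the thread started from: the drop-all rule was applied before
# an allow rule, leaving the allow rule unreachable (lines 4 and 5 swapped).
_lines = GOOD_RULES.splitlines()
BAD_RULES = "\n".join(_lines[:4] + [_lines[5], _lines[4]] + _lines[6:])

RULE_RE = re.compile(r'^-A (\S+) .*-m comment --comment "(\d+) [^"]*" -j (\S+)')

def parse_rules(text):
    """Return {chain: [(number, target), ...]} in the order iptables evaluates them."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            chains[m.group(1)].append((int(m.group(2)), m.group(3)))
    return dict(chains)

def check_ordering(chains, drop_chains=("INPUT",), catch_all=999):
    """List ordering problems: rules applied out of numeric order, rules left
    unreachable behind the catch-all DROP, or a chain whose last rule is not
    the catch-all DROP."""
    problems = []
    for chain, rules in chains.items():
        numbers = [n for n, _ in rules]
        if numbers != sorted(numbers):
            problems.append(f"{chain}: applied order {numbers} differs from numbered intent")
        for idx, (num, target) in enumerate(rules):
            if (num, target) == (catch_all, "DROP") and idx != len(rules) - 1:
                problems.append(f"{chain}: {len(rules) - idx - 1} rule(s) after the catch-all DROP are unreachable")
    for chain in drop_chains:
        if not chains.get(chain) or chains[chain][-1] != (catch_all, "DROP"):
            problems.append(f"{chain}: last rule is not the {catch_all} catch-all DROP")
    return problems
```

On a real host, feed it the output of `iptables-save` (or the persisted rules file the `persist-firewall` exec writes) instead of the constructed sample.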
