Thanks a lot for the example. I managed to make it work. Turns out
that in fw::post my firewall rules need to have the parameter before
=> undef in order to work.

On Tue, Jun 19, 2012 at 4:18 PM, Christian McHugh
<[email protected]> wrote:
> I have this working in our environment as a module, which I will attempt to
> describe.
>
> module: casfirewall
> init.pp
> class casfirewall {
>   include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost
>
>   file {"/etc/iptables":
>     ensure => "directory",
>     owner => "root",
>     group => "root",
>     mode => 700,
>   }
>
>   # Always persist firewall rules
>
>   exec { "persist-firewall":
>     command => $operatingsystem ? {
>       "debian" => "/sbin/iptables-save > /etc/iptables/rules.v4",
>       /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
>     },
>     refreshonly => true,
>     require => File["/etc/iptables"],
>
>   }
>   Firewall {
>     notify => Exec["persist-firewall"],
>     before => Class["casfirewall::fwpost"],
>     require => Class["casfirewall::fwpre"],
>   }
>
>   # Setup firewall resource
>
>   resources { "firewall": purge => true }
> }
>
>
> As you can see, this holds the meat and potatoes by including the Firewall
> notify, before, and require bits.
> The fwpre class contains the initial firewall settings (abbreviated here)
> class casfirewall::fwpre {
>   Firewall {
>     require => undef,
>   }
>
>   firewall { "000 allow outbound":
>     proto => "all",
>     chain => "OUTPUT",
>     action => accept,
>   }...
>
> The fwpost class contains the drop everything else rule. Because of the
> before ordering in init.pp this rule gets applied last (and was the reason
> for starting this thread in the first place)
> class casfirewall::fwpost {
>   firewall {"999 drop all":
>     proto => "all",
>     action => drop,
>     before => undef,
>   }
> }
>
> In our init.pp we also have defined a default class. This contains all the
> rules to open ports to our monitoring servers or backup servers. These get
> applied after the initial pre class, and before the post as you would
> expect.
>
> I hope that helps. The suggestions given in this thread about firewall
> ordering very much helped us. I look forward to seeing the firewall module
> get another release and more user uptake.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/-B3-kjpoFvYJ.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.



-- 
Ioannis Aslanidis
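The pre/default/post pattern described in the quoted message, written out as a complete, minimal module so the ordering can be seen in one place. This is an added example and not the poster's actual casfirewall module: the module and class names follow the thread, while the specific rules (loopback, established connections, port 22) and the chain names are constructed for illustration. The two `undef` overrides are the point: the defaults set in `casfirewall` say "after fwpre, before fwpost", but a rule that lives inside fwpost cannot also be ordered before fwpost (and a rule inside fwpre cannot require fwpre), because that orders a resource around the class that contains it, which Puppet reports as a dependency cycle.

```puppet
# Added example (not the original poster's module): the pre/default/post
# ordering pattern from this thread as one self-contained manifest.
# Requires the puppetlabs-firewall module; rule contents are constructed.

class casfirewall {
  include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost

  # Resource defaults: every firewall resource evaluated under this class
  # is sandwiched between the pre and post classes.
  Firewall {
    require => Class["casfirewall::fwpre"],
    before  => Class["casfirewall::fwpost"],
  }

  # Remove any iptables rule that Puppet does not manage.
  resources { "firewall": purge => true }
}

class casfirewall::fwpre {
  # These rules *are* fwpre; requiring fwpre here would order each rule
  # after the class that contains it, i.e. a dependency cycle.
  Firewall {
    require => undef,
  }

  firewall { "000 allow loopback":
    chain   => "INPUT",
    iniface => "lo",
    action  => accept,
  }

  firewall { "001 allow established":
    chain  => "INPUT",
    proto  => "all",
    state  => ["RELATED", "ESTABLISHED"],
    action => accept,
  }
}

class casfirewall::default {
  # Inherits both defaults unchanged: applied after fwpre, before fwpost.
  # Constructed example rule; the thread's real default class opens
  # monitoring and backup ports instead.
  firewall { "100 allow ssh":
    chain  => "INPUT",
    proto  => "tcp",
    dport  => 22,
    action => accept,
  }
}

class casfirewall::fwpost {
  # This rule *is* fwpost, so "before => Class['casfirewall::fwpost']"
  # from the default must be cleared; this is the override the thread
  # found necessary.
  firewall { "999 drop all":
    chain  => "INPUT",
    proto  => "all",
    action => drop,
    before => undef,
  }
}
```

With `purge => true` in place, anything not declared as a `firewall` resource is removed on the next run, so the default class is the only place to add new openings; a rule added by hand with `iptables` will be gone after the next agent run, which is the behaviour you want for a host whose policy is meant to be fully managed.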
