On Wednesday, March 13, 2013 4:30:28 PM UTC-5, [email protected] wrote:
>
> Hi John,
>
> On Wednesday, March 13, 2013 11:51:51 AM UTC-4, jcbollinger wrote:
>>
>> On the flip side, the Firewall resource type provided by that module does 
>> not have any inherent dependency on such classes -- that's all coming from 
>> the global resource defaults you declare.
>>
>
> I understand that the ::pre and ::post dependencies are my own 
> modifications to the resource defaults. If it helps to see where I got this 
> from, I followed the "recommended" configuration from 
> https://forge.puppetlabs.com/puppetlabs/firewall . The dependencies are a 
> red herring and not my real problem.
>
> I will try stating what I want without any assumptions or postulation:
> - Any module can declare its own set of firewall rules
> - These rules are only enforced when a "switch" is flipped on the node
>
> That's all.
>


You are looking for virtual resources.  Here's one way to do it:

# Example class that declares a firewall rule 
class my_server_class ( $listen_port ) {
    # Key point: resource is virtual
    @firewall {'500 my_server_class':
        proto => tcp,
        port => $listen_port,
        action => accept,
    }
}

# Declare this class on nodes that should have the
# FW managed.
class site::firewall_enabled {
    include 'firewall'
    include 'site::firewall_pre'
    include 'site::firewall_post'

    exec { 'persist-firewall':
        command => 'service iptables save',
        refreshonly => true,
    }

    Firewall<| |> {
        require => Class['site::firewall_pre'],
        before => Class['site::firewall_post'],
        notify => Exec['persist-firewall'],
    }

    Firewallchain<| |> {
        notify => Exec['persist-firewall'],
    }

    resources {'firewall': purge => true}
}


node node1 {
  class { 'my_server_class': listen_port => 12345 }

  # turn on the firewall and all configured firewall rules:
  include site::firewall_enabled
}


John
