I am using the Puppetlabs firewall module to manage our firewall. All
servers get our core ruleset:
*modules/mycompany/manifests/firewall/pre.pp:*

class mycompany::firewall::pre {
  Firewall {
    require => undef,
  }
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}
*modules/mycompany/manifests/firewall/core.pp:*

class mycompany::firewall::core {
  firewall { '100 allow SSH':
    proto  => 'tcp',
    port   => [22],
    action => 'accept',
  }
  firewall { '101 allow salt-minion communication':
    proto  => 'tcp',
    port   => [4505, 4506, 4510, 4511],
    action => 'accept',
  }
  firewall { '102 allow DNS UDP':
    proto  => 'udp',
    port   => [53],
    action => 'accept',
  }
  firewall { '103 allow DNS TCP':
    proto  => 'tcp',
    port   => [53],
    action => 'accept',
  }
  firewall { '104 allow NTP traffic':
    proto  => 'udp',
    port   => [123],
    action => 'accept',
  }
}
*modules/mycompany/manifests/firewall/post.pp:*

class mycompany::firewall::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}
We also have some rules that are added dynamically, based on server roles,
via hiera:
*modules/mycompany/manifests/firewall/puppet.pp:*

class mycompany::firewall::puppet {
  firewall { '105 allow puppet communication':
    proto  => 'tcp',
    port   => [8140],
    action => 'accept',
  }
}
*modules/mycompany/manifests/firewall/database.pp:*

class mycompany::firewall::database {
  firewall { '106 allow Percona/MySQL communication':
    proto  => 'tcp',
    port   => [3306],
    action => 'accept',
  }
}
This worked perfectly when I spun up a server with no role (and therefore
no extra rules). However, when I spun up servers with the 'puppet' and
'database' roles (and therefore the extra rules) it hung at:

*Notice: /Stage[main]/Mycompany/Firewall[9001 fe701ab7ca74bd49f13b9f0ab39f3254]/ensure: removed*
My SSH session eventually disconnects with a broken pipe. The puppet server
I spun up yesterday was available when I got into the office this morning,
so it seems they do eventually come back, but it takes some time. Is there
any reason I am getting cut off like that, and is there any way to avoid it?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
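The pre/core/post split in the post relies on a site-level resource default that chains every firewall resource after ::pre and before ::post, which the post itself does not show. As an added example, not the poster's code, this is that glue as the puppetlabs-firewall README documents it, using the class names from the post; the hiera key 'classes' used to pull in the role classes is an assumption.

```puppet
# site.pp (added example): ordering glue for the pre/core/post pattern.
#
# Every Firewall resource in the catalogue, including those declared in
# the hiera-selected role classes, inherits these defaults, so all accept
# rules are applied after ::pre and before ::post's '999 drop all'.
# ::pre and ::post set require/before to undef themselves so they do not
# depend on their own class.
Firewall {
  require => Class['mycompany::firewall::pre'],
  before  => Class['mycompany::firewall::post'],
}

class { ['mycompany::firewall::pre', 'mycompany::firewall::post']: }

# Manages the iptables service/persistence for the module.
class { 'firewall': }

# Remove any iptables rule puppet does not manage. The module reports such
# rules with a 9000-series number and a hash, which is the form of the
# "Firewall[9001 <hash>]/ensure: removed" notice quoted in the post.
resources { 'firewall':
  purge => true,
}

# Core rules for every node.
include mycompany::firewall::core

# Role classes (e.g. mycompany::firewall::puppet, ::database) selected in
# hiera. Assumption: they are listed under a 'classes' key per role.
lookup('classes', Array[String], 'unique', []).each |String $c| {
  include $c
}
```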