Puppet 3.x on RHEL 5

I am trying to use this module, but I think I am missing something in the setup.

From https://github.com/puppetlabs/puppetlabs-firewall it says:

With the latest version, we now have in-built persistence, ...you need some basic setup to define pre & post rules.

resources { "firewall":
  purge => true
}
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

In my environment, I am working from a basenode definition that then gets expanded based on location/role -- internal_server, dmz_server, etc.

So, would I put the resources described above in my basenode ? And then add node-specific additions in the following node definitions ?

And regarding the mentioned built-in persistence: Does it generate /etc/sysconfig/iptables ? If not, I will need to add it back in. On our systems, we depend on that file to persist the firewall across a reboot

Thanks in advance.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

> I am trying to use this module, but I think I am missing something in the
> setup.
>
> From https://github.com/puppetlabs/puppetlabs-firewall it says:
>
> With the latest version, we now have in-built persistence, ...you need some
> basic setup to define pre & post rules.
>
> resources { "firewall":
>   purge => true
> }
> Firewall {
>   before  => Class['my_fw::post'],
>   require => Class['my_fw::pre'],
> }
> class { ['my_fw::pre', 'my_fw::post']: }
> class { 'firewall': }
>
> In my environment, I am working from a basenode definition that then gets
> expanded based on location/role -- internal_server, dmz_server, etc.
>
> So, would I put the resources described above in my basenode ?

Yes, or at least somewhere that all the nodes that use the firewall resource can see it.

> And then add
> node-specific additions in the following node definitions ?

Yes this is one way to do it.

> And regarding the mentioned built-in persistence: Does it generate
> /etc/sysconfig/iptables ? If not, I will need to add it back in. On our
> systems, we depend on that file to persist the firewall across a reboot

Yes, it does. We run 'service iptables save' for this to take effect on Redhat/Centos.

ken.

Excellent ! How about if I do it this way:

class my_fw {
  resources { "firewall":
    purge => true
  }
  Firewall {
    before  => Class['my_fw::post'],
    require => Class['my_fw::pre'],
  }
  class { ['my_fw::pre', 'my_fw::post']: }
  class { 'firewall': }
}

Then all I need do is put class {'my_fw': } in my node definition. That bundles it up nice and neat.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

----- Original Message -----
From: "Ken Barber" <ken@puppetlabs.com>
To: "Puppet Users" <puppet-users@googlegroups.com>
Sent: Wednesday, April 3, 2013 11:59:32 AM
Subject: Re: [Puppet Users] puppetlabs-firewall usage questions

> I am trying to use this module, but I think I am missing something in the
> setup.
>
> From https://github.com/puppetlabs/puppetlabs-firewall it says:
>
> With the latest version, we now have in-built persistence, ...you need some
> basic setup to define pre & post rules.
>
> resources { "firewall":
>   purge => true
> }
> Firewall {
>   before  => Class['my_fw::post'],
>   require => Class['my_fw::pre'],
> }
> class { ['my_fw::pre', 'my_fw::post']: }
> class { 'firewall': }
>
> In my environment, I am working from a basenode definition that then gets
> expanded based on location/role -- internal_server, dmz_server, etc.
>
> So, would I put the resources described above in my basenode ?

Yes, or at least somewhere that all the nodes that use the firewall resource can see it.

> And then add
> node-specific additions in the following node definitions ?

Yes this is one way to do it.

> And regarding the mentioned built-in persistence: Does it generate
> /etc/sysconfig/iptables ? If not, I will need to add it back in. On our
> systems, we depend on that file to persist the firewall across a reboot

Yes, it does. We run 'service iptables save' for this to take effect on Redhat/Centos.

ken.

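
An added example, not part of the thread and not the module project's own code: one way to write the my_fw::pre and my_fw::post classes that the quoted setup refers to, with the resource defaults left at top scope so that firewall rules declared in any class or node pick them up. The file paths, rule titles and node name are illustrative assumptions, and the rule parameters (proto, iniface, state, dport, action) are assumed to match the firewall type shipped with the module version in use.

```puppet
# manifests/site.pp (top scope, so the defaults reach every firewall rule)
resources { 'firewall':
  purge => true,  # remove any rule on the host that Puppet does not manage
}
Firewall {
  before  => Class['my_fw::post'],  # every rule lands ahead of the final drop
  require => Class['my_fw::pre'],   # and after the baseline accepts
}
class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

# modules/my_fw/manifests/pre.pp (assumed path)
class my_fw::pre {
  # Clear the default here, or these rules would require their own class.
  Firewall { require => undef }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }->
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

# modules/my_fw/manifests/post.pp (assumed path)
class my_fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,  # clear the default, or the rule would precede its own class
  }
}

# Node-specific addition (constructed hostname); the numeric prefix in the
# title places the rule between the 00x accepts and the 999 drop.
node 'dmz-web01.example.com' {
  firewall { '100 allow inbound https':
    proto  => 'tcp',
    dport  => 443,
    action => 'accept',
  }
}
```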