Greetings, I have a question about "best practices" for the puppet firewall module. I have pasted my basic config files below and I am curious about a few things.

* The ports that all nodes share in common I am adding to the modules/my_firewall/manifests/init.pp file, but the ports that are specific to a node I am adding to the node definition in manifests/site.pp. What should I do to prevent the firewall rules from becoming unwieldy in my site.pp file? It is fine if there are only a few ports open, but once I start adding a lot of ports to the nodes it gets rather big. Any suggestions, or is it common to have rather large node definitions?

* The documentation says that the number should be between 000..999. However, I made my post.pp deny rule 99999 so that I could make the number the port (makes sense to me and helps track which port is for what purpose; I made it that high because one app has port 27000). The vast majority of the time I don't care what order the ports are in, just so long as they appear between the pre and post section. It also helps me remember which number the rule should be so I don't have duplicate ID numbers. Does anyone else label the ID this way? Is there a problem with making this ID so large when the documentation lists the max number as 999 (I am guessing it was just a large number the author picked at random and not one with significant meaning, but I am curious)?

Also, a semi-related question since I am posting the configs... Did I do it right? :-D It works for my test cases so far. Mostly just want to check to make sure I didn't misunderstand the documentation. So if I missed something or if I goofed something up, I would appreciate a response. Thanks!
$ cat manifests/site.pp
node 'puppet.test.domain' {
  include my_firewall

  firewall { '8140 Puppet Master':
    port   => 8140,
    proto  => 'tcp',
    action => accept,
    state  => 'NEW',
  }
}

$ cat modules/my_firewall/manifests/init.pp
class my_firewall () {
  resources { "firewall":
    purge => true
  }

  Firewall {
    before  => Class['my_firewall::post'],
    require => Class['my_firewall::pre'],
  }

  firewall { '80 Webserver':
    port   => 80,
    proto  => 'tcp',
    action => accept,
    state  => 'NEW',
  }

  include my_firewall::pre
  include my_firewall::post
}

$ cat modules/my_firewall/manifests/pre.pp
class my_firewall::pre {
  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }->
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }
}

$ cat modules/my_firewall/manifests/post.pp
class my_firewall::post {
  firewall { '99999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
> * The ports that all nodes share in common I am adding to the
> modules/my_firewall/manifests/init.pp file, but the ports that are specific
> to a node I am adding to the node definition in manifests/site.pp. What
> should I do to prevent the firewall rules from becoming unwieldy in my
> site.pp file? It is fine if there are only a few ports open, but once I
> start adding a lot of ports to the nodes it gets rather big. Any
> suggestions, or is it common to have rather large node definitions?

You can of course provide a list of dport/sport's as an array - however I normally associate a firewall port being opened with a particular class/app and have the firewall definition defined there, then by including the class you get the open port. For example, my mysql module would open port 3306.

> * The documentation says that the number should be between 000..999.
> However, I made my post.pp deny rule as 99999 so that I could make the
> number the port (makes sense to me and help track which port is for what
> purpose; I made it that high because one app has port 27000). The vast
> majority of the time I don't care what order the ports are in, just so long
> as they appear between the pre and post section. It also helps me remember
> which number the rule should be so I don't have duplicate ID numbers. Does
> anyone else label the ID this way? Is there a problem with making this ID so
> large when the documentation lists the max number as 999 (I am guessing it
> was just a large number the author picked at random and not one with
> significant meaning, but I am curious)?

Yeah, it was made up - or at least, it was an old range that was changed later on.

> Also, a semi-related question since I am posting the configs...Did I do it
> right? :-D It works for my test cases so far. Mostly just want to check to
> make sure I didn't misunderstand the documentation. So if I missed something
> or if I goofed something up, I would appreciate a response.

Looks fine to me.

ken.
On Thursday, June 27, 2013 6:33:37 AM UTC-5, Ken Barber wrote:
> > * The ports that all nodes share in common I am adding to the
> > modules/my_firewall/manifests/init.pp file, but the ports that are
> > specific to a node I am adding to the node definition in manifests/site.pp. What
> > should I do to prevent the firewall rules from becoming unwieldy in my
> > site.pp file? It is fine if there are only a few ports open, but once I
> > start adding a lot of ports to the nodes it gets rather big. Any
> > suggestions, or is it common to have rather large node definitions?
>
> You can of course provide a list of dport/sport's as an array -

I have been doing that for services with multiple ports. The only service I haven't figured out how to join in one statement was DNS, which requires port 53 with TCP and UDP. When I tried making that an array, it only set TCP and not UDP:

    proto => ['tcp','udp'],

When I set it to 'all' it worked, but I would rather just have two rules than 'all'. ;-)

> however I normally associate a firewall port being opened with a
> particular class/app and have the firewall definition defined there,
> then by including the class you get the open port. For example, my
> mysql module would open port 3306.

That is a great idea. It also ensures that I don't forget to open the firewall when I add a module to a new system.

[snip]

> Yeah, it was made up - or at least, it was an old range that was
> changed later on.

Great. I just wanted to ensure I wasn't going to cause myself problems for picking numbers so high.

Thanks Ken!
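The two points discussed in this thread, Ken's suggestion of declaring a service's firewall rule inside the class that manages that service, and the DNS case where port 53 has to be open for both TCP and UDP, put together in one manifest. This is an added example, not code from the thread or from the puppetlabs-firewall module itself. It assumes the my_firewall, my_firewall::pre and my_firewall::post classes posted above exist unchanged; the class names profile::mysql and profile::dns and the hostnames db1/ns1 are made up for illustration.

```puppet
# Added example (not from the thread). Assumes the my_firewall,
# my_firewall::pre and my_firewall::post classes from the thread exist
# unchanged; profile::mysql, profile::dns and the node names are
# illustrative assumptions.

# --- manifests/site.pp ---
# Puppet resource defaults are dynamically scoped, so declaring them here
# at top scope makes every firewall resource, whichever class declares it,
# apply after my_firewall::pre and before my_firewall::post. The
# 'require => undef' / 'before => undef' in pre.pp and post.pp still
# override these for the boundary rules themselves.
Firewall {
  before  => Class['my_firewall::post'],
  require => Class['my_firewall::pre'],
}

# Node definitions stay short: each one only lists the classes it needs,
# and every class brings its own firewall rules with it.
node 'db1.test.domain' {
  include my_firewall
  include profile::mysql
}

node 'ns1.test.domain' {
  include my_firewall
  include profile::dns
}

# --- modules/profile/manifests/mysql.pp ---
class profile::mysql {
  # Package/service/config management for mysqld would go here (omitted).

  # The rule lives with the service: including the class opens the port,
  # and dropping the class from a node leaves the rule unmanaged, so the
  # 'resources { "firewall": purge => true }' in my_firewall removes it.
  firewall { '3306 mysql':
    port   => 3306,
    proto  => 'tcp',
    state  => 'NEW',
    action => 'accept',
  }
}

# --- modules/profile/manifests/dns.pp ---
class profile::dns {
  # 'proto' takes a single protocol, so TCP and UDP are two resources.
  # They may share the numeric prefix; only the full title has to be
  # unique in the catalog.
  firewall { '053 dns tcp':
    port   => 53,
    proto  => 'tcp',
    state  => 'NEW',
    action => 'accept',
  }

  firewall { '053 dns udp':
    port   => 53,
    proto  => 'udp',
    state  => 'NEW',
    action => 'accept',
  }
}
```

With this layout a node's open ports are exactly the union of the ports its classes declare, which is easy to audit by reading the class list in the node definition, and nothing is left behind in iptables when a class is removed because the purge in my_firewall cleans up rules Puppet no longer manages.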