Iv been going through a multitude of firewall modules not being able to find a simple module that open and closes ports on Redhat/Centos 5.6 All the modules that iv tried keep open ports multiple times (each time puppet agent runs): ACCEPT -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow clarity" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "JMS port" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 1099 -m comment --comment "Allow rmi" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 9999 -m comment --comment "Allow jmx" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 9999 -m comment --comment "Allow jmx" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "JMS port" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 55672 -m comment --comment "Allowing rabbit managment port" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 1099 -m comment --comment "Allow rmi" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow clarity" -m state --state NEW -j ACCEPT Among the modules iv tried: https://github.com/pdeaudney/puppet-firewall https://github.com/puppetlabs/puppetlabs-firewall Iv also tried: https://github.com/duritong/puppet-shorewall And didn''t manager to get it going, Id be grateful to Any reference to a simple working Redhat/Centos module Ronen -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
> Among the modules iv tried: > > https://github.com/puppetlabs/puppetlabs-firewallWhat was the problem you had with this module? ken. -- "Join us for PuppetConf, September 22nd and 23rd in Portland, OR: http://bit.ly/puppetconfsig" -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
FYI I don''t know it it may be useful , but I''ve done this: https://github.com/example42/puppet-modules/tree/master/iptables which can be used in 2 ways: - a "standard" iptable-save approach (set $iptables_config = "file" before to enable it) with rules file defined in https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp (here you have to add source or content arguments to mange it with static files or templates according to your need) - an "automatic" way (default option when you include the module) that dymanically builds iptables rules according to the modules you include and the iptables related variables you set (see the README) This actually works if you use the Example42 modules (or at least the firewall defines included in each one). It''s quite nice to see it working adding or removing dynamically but, I must admin, is a bit resource intensive (a puppet resoutce for each dymanic rule). Regards Al @ Lab42 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I have been working on doing something similar to this. We want to abstract for multiple OS''s and deal with the joy that is Solaris zones. Essentially, it will be a resource that defines the fw rules in XML and then a script takes all of those definitions and creates a complete set of firewall rules. I am waiting to hear back on our code release policy to see what it takes to release it once I am done. -- cwebber On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote:> FYI > I don''t know it it may be useful , but I''ve done this: > https://github.com/example42/puppet-modules/tree/master/iptables > which can be used in 2 ways: > - a "standard" iptable-save approach (set $iptables_config = "file" before to enable it) with rules file defined in https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp > (here you have to add source or content arguments to mange it with static files or templates according to your need) > - an "automatic" way (default option when you include the module) that dymanically builds iptables rules according to the modules you include and the iptables related variables you set (see the README) > This actually works if you use the Example42 modules (or at least the firewall defines included in each one). > It''s quite nice to see it working adding or removing dynamically but, I must admin, is a bit resource intensive (a puppet resoutce for each dymanic rule). > > Regards > Al @ Lab42 > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hey Ken, the main issue was that the provider wasn''t detecting existing rules but instead kept adding them in, another issue is that the rules aren''t persistent (restarting the service clears them out), Alessandro ill check it out thanks! Ronen On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber <kgbbelmont@gmail.com>wrote:> I have been working on doing something similar to this. We want to abstract > for multiple OS''s and deal with the joy that is Solaris zones. > > Essentially, it will be a resource that defines the fw rules in XML and > then a script takes all of those definitions and creates a complete set of > firewall rules. > > I am waiting to hear back on our code release policy to see what it takes > to release it once I am done. > > -- cwebber > > On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote: > > FYI > I don''t know it it may be useful , but I''ve done this: > https://github.com/example42/puppet-modules/tree/master/iptables > which can be used in 2 ways: > - a "standard" iptable-save approach (set $iptables_config = "file" before > to enable it) with rules file defined in > https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp > (here you have to add source or content arguments to mange it with static > files or templates according to your need) > - an "automatic" way (default option when you include the module) that > dymanically builds iptables rules according to the modules you include and > the iptables related variables you set (see the README) > This actually works if you use the Example42 modules (or at least the > firewall defines included in each one). > It''s quite nice to see it working adding or removing dynamically but, I > must admin, is a bit resource intensive (a puppet resoutce for each dymanic > rule). > > Regards > Al @ Lab42 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Ronen,
Making the rules persistent is a matter of running iptables-save
afterwards. If you drop this in your top scope it should work:
exec { "persist-firewall":
command => $operatingsystem ? {
"debian" => "/sbin/iptables >
/etc/iptables/rules.v4",
/(RedHat|CentOS)/ => "/sbin/iptables >
/etc/sysconfig/iptables",
}
refreshonly => true,
}
Firewall {
notify => Exec["persist-firewall"]
}
Can you raise a bug on the other issue about not detecting existing
rules? I''d appreciate being able to see any problematic rules (after
your own scrubbing of course). We''ll then be able to try and fix it
for you.
https://github.com/puppetlabs/puppetlabs-firewall/issues
Alessandro''s suggestions still hold true about applying firewall rules
with related classes. I''m a big fan of this methodology instead of
having a long list of rules. This is why a firewall type that handles
individual rules is a good approach.
ken.
On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <narkisr@gmail.com>
wrote:> Hey Ken, the main issue was that the provider wasn''t detecting
existing
> rules but instead kept adding them in, another issue is that the rules
> aren''t persistent (restarting the service clears them out),
>
> Alessandro ill check it out thanks!
>
> Ronen
>
>
>
> On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber
<kgbbelmont@gmail.com>
> wrote:
>>
>> I have been working on doing something similar to this. We want to
>> abstract for multiple OS''s and deal with the joy that is
Solaris zones.
>> Essentially, it will be a resource that defines the fw rules in XML and
>> then a script takes all of those definitions and creates a complete set
of
>> firewall rules.
>> I am waiting to hear back on our code release policy to see what it
takes
>> to release it once I am done.
>> -- cwebber
>> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote:
>>
>> FYI
>> I don''t know it it may be useful , but I''ve done
this:
>> https://github.com/example42/puppet-modules/tree/master/iptables
>> which can be used in 2 ways:
>> - a "standard" iptable-save approach (set $iptables_config =
"file" before
>> to enable it) with rules file defined in
>>
https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp
>> (here you have to add source or content arguments to mange it with
static
>> files or templates according to your need)
>> - an "automatic" way (default option when you include the
module) that
>> dymanically builds iptables rules according to the modules you include
and
>> the iptables related variables you set (see the README)
>> This actually works if you use the Example42 modules (or at least the
>> firewall defines included in each one).
>> It''s quite nice to see it working adding or removing
dynamically but, I
>> must admin, is a bit resource intensive (a puppet resoutce for each
dymanic
>> rule).
>>
>> Regards
>> Al @ Lab42
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
--
"Join us for PuppetConf, September 22nd and 23rd in Portland, OR:
http://bit.ly/puppetconfsig"
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Just did, Thank you! Ronen On Mon, Jul 11, 2011 at 1:50 AM, Ken Barber <ken@puppetlabs.com> wrote:> Hi Ronen, > > Making the rules persistent is a matter of running iptables-save > afterwards. If you drop this in your top scope it should work: > > exec { "persist-firewall": > command => $operatingsystem ? { > "debian" => "/sbin/iptables > /etc/iptables/rules.v4", > /(RedHat|CentOS)/ => "/sbin/iptables > /etc/sysconfig/iptables", > } > refreshonly => true, > } > Firewall { > notify => Exec["persist-firewall"] > } > > Can you raise a bug on the other issue about not detecting existing > rules? I''d appreciate being able to see any problematic rules (after > your own scrubbing of course). We''ll then be able to try and fix it > for you. > > https://github.com/puppetlabs/puppetlabs-firewall/issues > > Alessandro''s suggestions still hold true about applying firewall rules > with related classes. I''m a big fan of this methodology instead of > having a long list of rules. This is why a firewall type that handles > individual rules is a good approach. > > ken. > > On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <narkisr@gmail.com> wrote: > > Hey Ken, the main issue was that the provider wasn''t detecting existing > > rules but instead kept adding them in, another issue is that the rules > > aren''t persistent (restarting the service clears them out), > > > > Alessandro ill check it out thanks! > > > > Ronen > > > > > > > > On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber < > kgbbelmont@gmail.com> > > wrote: > >> > >> I have been working on doing something similar to this. We want to > >> abstract for multiple OS''s and deal with the joy that is Solaris zones. > >> Essentially, it will be a resource that defines the fw rules in XML and > >> then a script takes all of those definitions and creates a complete set > of > >> firewall rules. > >> I am waiting to hear back on our code release policy to see what it > takes > >> to release it once I am done. > >> -- cwebber > >> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote: > >> > >> FYI > >> I don''t know it it may be useful , but I''ve done this: > >> https://github.com/example42/puppet-modules/tree/master/iptables > >> which can be used in 2 ways: > >> - a "standard" iptable-save approach (set $iptables_config = "file" > before > >> to enable it) with rules file defined in > >> > https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp > >> (here you have to add source or content arguments to mange it with > static > >> files or templates according to your need) > >> - an "automatic" way (default option when you include the module) that > >> dymanically builds iptables rules according to the modules you include > and > >> the iptables related variables you set (see the README) > >> This actually works if you use the Example42 modules (or at least the > >> firewall defines included in each one). > >> It''s quite nice to see it working adding or removing dynamically but, I > >> must admin, is a bit resource intensive (a puppet resoutce for each > dymanic > >> rule). > >> > >> Regards > >> Al @ Lab42 > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups > >> "Puppet Users" group. > >> To view this discussion on the web visit > >> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. > >> To post to this group, send email to puppet-users@googlegroups.com. > >> To unsubscribe from this group, send email to > >> puppet-users+unsubscribe@googlegroups.com. > >> For more options, visit this group at > >> http://groups.google.com/group/puppet-users?hl=en. > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups > >> "Puppet Users" group. > >> To post to this group, send email to puppet-users@googlegroups.com. > >> To unsubscribe from this group, send email to > >> puppet-users+unsubscribe@googlegroups.com. > >> For more options, visit this group at > >> http://groups.google.com/group/puppet-users?hl=en. > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to > > puppet-users+unsubscribe@googlegroups.com. > > For more options, visit this group at > > http://groups.google.com/group/puppet-users?hl=en. > > > > > > -- > "Join us for PuppetConf, September 22nd and 23rd in Portland, OR: > http://bit.ly/puppetconfsig" > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hey Alessandro the module works well, one issue that I had is that once
rules were applied the iptables service wasn''t restarted, iv dug
through the
code and indeed saw the notify under rule.pp:
concat::fragment{ "iptables_rule_$name":
target => "${iptables::params::configfile}",
content => "$command $chain $true_rule -j $target\n",
order => $true_order,
ensure => $ensure,
notify => Service["iptables"],
}
My guess is that the notify should be defined deeper in the defined
resource?
The only way I was able to make it restart was to use:
File["/etc/sysconfig/iptables"] ~> Service[iptables]
Ronen
On Mon, Jul 11, 2011 at 12:59 PM, Ronen Narkis <narkisr@gmail.com> wrote:
> Just did,
>
> Thank you!
> Ronen
>
>
> On Mon, Jul 11, 2011 at 1:50 AM, Ken Barber <ken@puppetlabs.com>
wrote:
>
>> Hi Ronen,
>>
>> Making the rules persistent is a matter of running iptables-save
>> afterwards. If you drop this in your top scope it should work:
>>
>> exec { "persist-firewall":
>> command => $operatingsystem ? {
>> "debian" => "/sbin/iptables >
/etc/iptables/rules.v4",
>> /(RedHat|CentOS)/ => "/sbin/iptables >
/etc/sysconfig/iptables",
>> }
>> refreshonly => true,
>> }
>> Firewall {
>> notify => Exec["persist-firewall"]
>> }
>>
>> Can you raise a bug on the other issue about not detecting existing
>> rules? I''d appreciate being able to see any problematic rules
(after
>> your own scrubbing of course). We''ll then be able to try and
fix it
>> for you.
>>
>> https://github.com/puppetlabs/puppetlabs-firewall/issues
>>
>> Alessandro''s suggestions still hold true about applying
firewall rules
>> with related classes. I''m a big fan of this methodology
instead of
>> having a long list of rules. This is why a firewall type that handles
>> individual rules is a good approach.
>>
>> ken.
>>
>> On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <narkisr@gmail.com>
wrote:
>> > Hey Ken, the main issue was that the provider wasn''t
detecting existing
>> > rules but instead kept adding them in, another issue is that the
rules
>> > aren''t persistent (restarting the service clears them
out),
>> >
>> > Alessandro ill check it out thanks!
>> >
>> > Ronen
>> >
>> >
>> >
>> > On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber <
>> kgbbelmont@gmail.com>
>> > wrote:
>> >>
>> >> I have been working on doing something similar to this. We
want to
>> >> abstract for multiple OS''s and deal with the joy that
is Solaris zones.
>> >> Essentially, it will be a resource that defines the fw rules
in XML and
>> >> then a script takes all of those definitions and creates a
complete set
>> of
>> >> firewall rules.
>> >> I am waiting to hear back on our code release policy to see
what it
>> takes
>> >> to release it once I am done.
>> >> -- cwebber
>> >> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote:
>> >>
>> >> FYI
>> >> I don''t know it it may be useful , but I''ve
done this:
>> >>
https://github.com/example42/puppet-modules/tree/master/iptables
>> >> which can be used in 2 ways:
>> >> - a "standard" iptable-save approach (set
$iptables_config = "file"
>> before
>> >> to enable it) with rules file defined in
>> >>
>>
https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp
>> >> (here you have to add source or content arguments to mange it
with
>> static
>> >> files or templates according to your need)
>> >> - an "automatic" way (default option when you
include the module) that
>> >> dymanically builds iptables rules according to the modules you
include
>> and
>> >> the iptables related variables you set (see the README)
>> >> This actually works if you use the Example42 modules (or at
least the
>> >> firewall defines included in each one).
>> >> It''s quite nice to see it working adding or removing
dynamically but, I
>> >> must admin, is a bit resource intensive (a puppet resoutce for
each
>> dymanic
>> >> rule).
>> >>
>> >> Regards
>> >> Al @ Lab42
>> >>
>> >> --
>> >> You received this message because you are subscribed to the
Google
>> Groups
>> >> "Puppet Users" group.
>> >> To view this discussion on the web visit
>> >> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ.
>> >> To post to this group, send email to
puppet-users@googlegroups.com.
>> >> To unsubscribe from this group, send email to
>> >> puppet-users+unsubscribe@googlegroups.com.
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/puppet-users?hl=en.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the
Google
>> Groups
>> >> "Puppet Users" group.
>> >> To post to this group, send email to
puppet-users@googlegroups.com.
>> >> To unsubscribe from this group, send email to
>> >> puppet-users+unsubscribe@googlegroups.com.
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/puppet-users?hl=en.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups
>> > "Puppet Users" group.
>> > To post to this group, send email to
puppet-users@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > puppet-users+unsubscribe@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/puppet-users?hl=en.
>> >
>>
>>
>>
>> --
>> "Join us for PuppetConf, September 22nd and 23rd in Portland, OR:
>> http://bit.ly/puppetconfsig"
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Thanks for the feedback and the bug report, Ronen. I''ll check it.. On Monday, July 11, 2011 3:28:27 PM UTC+2, Ronen wrote:> > Hey Alessandro the module works well, one issue that I had is that once > rules were applied the iptables service wasn''t restarted, iv dug through the > code and indeed saw the notify under rule.pp: > > concat::fragment{ "iptables_rule_$name": > target => "${iptables::params::configfile}", > content => "$command $chain $true_rule -j $target\n", > order => $true_order, > ensure => $ensure, > notify => Service["iptables"], > } > > My guess is that the notify should be defined deeper in the defined > resource? > > The only way I was able to make it restart was to use: > > File["/etc/sysconfig/iptables"] ~> Service[iptables] > > Ronen > > On Mon, Jul 11, 2011 at 12:59 PM, Ronen Narkis <nar...@gmail.com> wrote: > >> Just did, >> >> Thank you! >> Ronen >> >> >> On Mon, Jul 11, 2011 at 1:50 AM, Ken Barber <k...@puppetlabs.com> wrote: >> >>> Hi Ronen, >>> >>> Making the rules persistent is a matter of running iptables-save >>> afterwards. If you drop this in your top scope it should work: >>> >>> exec { "persist-firewall": >>> command => $operatingsystem ? { >>> "debian" => "/sbin/iptables > /etc/iptables/rules.v4", >>> /(RedHat|CentOS)/ => "/sbin/iptables > /etc/sysconfig/iptables", >>> } >>> refreshonly => true, >>> } >>> Firewall { >>> notify => Exec["persist-firewall"] >>> } >>> >>> Can you raise a bug on the other issue about not detecting existing >>> rules? I''d appreciate being able to see any problematic rules (after >>> your own scrubbing of course). We''ll then be able to try and fix it >>> for you. >>> >>> https://github.com/puppetlabs/puppetlabs-firewall/issues >>> >>> Alessandro''s suggestions still hold true about applying firewall rules >>> with related classes. I''m a big fan of this methodology instead of >>> having a long list of rules. This is why a firewall type that handles >>> individual rules is a good approach. >>> >>> ken. >>> >>> On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <nar...@gmail.com> wrote: >>> > Hey Ken, the main issue was that the provider wasn''t detecting existing >>> > rules but instead kept adding them in, another issue is that the rules >>> > aren''t persistent (restarting the service clears them out), >>> > >>> > Alessandro ill check it out thanks! >>> > >>> > Ronen >>> > >>> > >>> > >>> > On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber < >>> kgbbe...@gmail.com> >>> > wrote: >>> >> >>> >> I have been working on doing something similar to this. We want to >>> >> abstract for multiple OS''s and deal with the joy that is Solaris >>> zones. >>> >> Essentially, it will be a resource that defines the fw rules in XML >>> and >>> >> then a script takes all of those definitions and creates a complete >>> set of >>> >> firewall rules. >>> >> I am waiting to hear back on our code release policy to see what it >>> takes >>> >> to release it once I am done. >>> >> -- cwebber >>> >> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote: >>> >> >>> >> FYI >>> >> I don''t know it it may be useful , but I''ve done this: >>> >> https://github.com/example42/puppet-modules/tree/master/iptables >>> >> which can be used in 2 ways: >>> >> - a "standard" iptable-save approach (set $iptables_config = "file" >>> before >>> >> to enable it) with rules file defined in >>> >> >>> https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp >>> >> (here you have to add source or content arguments to mange it with >>> static >>> >> files or templates according to your need) >>> >> - an "automatic" way (default option when you include the module) that >>> >> dymanically builds iptables rules according to the modules you include >>> and >>> >> the iptables related variables you set (see the README) >>> >> This actually works if you use the Example42 modules (or at least the >>> >> firewall defines included in each one). >>> >> It''s quite nice to see it working adding or removing dynamically but, >>> I >>> >> must admin, is a bit resource intensive (a puppet resoutce for each >>> dymanic >>> >> rule). >>> >> >>> >> Regards >>> >> Al @ Lab42 >>> >> >>> >> -- >>> >> You received this message because you are subscribed to the Google >>> Groups >>> >> "Puppet Users" group. >>> >> To view this discussion on the web visit >>> >> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. >>> >> To post to this group, send email to puppet...@googlegroups.com. >>> >> To unsubscribe from this group, send email to >>> >> puppet-users...@googlegroups.com. >>> >> For more options, visit this group at >>> >> http://groups.google.com/group/puppet-users?hl=en. >>> >> >>> >> -- >>> >> You received this message because you are subscribed to the Google >>> Groups >>> >> "Puppet Users" group. >>> >> To post to this group, send email to puppet...@googlegroups.com. >>> >> To unsubscribe from this group, send email to >>> >> puppet-users...@googlegroups.com. >>> >> For more options, visit this group at >>> >> http://groups.google.com/group/puppet-users?hl=en. >>> > >>> > -- >>> > You received this message because you are subscribed to the Google >>> Groups >>> > "Puppet Users" group. >>> > To post to this group, send email to puppet...@googlegroups.com. >>> > To unsubscribe from this group, send email to >>> > puppet-users...@googlegroups.com. >>> > For more options, visit this group at >>> > http://groups.google.com/group/puppet-users?hl=en. >>> > >>> >>> >>> >>> -- >>> "Join us for PuppetConf, September 22nd and 23rd in Portland, OR: >>> http://bit.ly/puppetconfsig" >>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Puppet Users" group. >>> To post to this group, send email to puppet...@googlegroups.com. >>> To unsubscribe from this group, send email to >>> puppet-users...@googlegroups.com. >>> For more options, visit this group at >>> http://groups.google.com/group/puppet-users?hl=en. >>> >>> >> >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/WYBrXIrm0RAJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Sun, Jul 10, 2011 at 12:15 PM, Ronen Narkis <narkisr@gmail.com> wrote:> Iv been going through a multitude of firewall modules not being able to > find a simple module that open and closes ports on Redhat/Centos 5.6 > > All the modules that iv tried keep open ports multiple times (each time > puppet agent runs): > > ACCEPT > -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow > clarity" -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "JMS port" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 1099 -m comment --comment "Allow rmi" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 9999 -m comment --comment "Allow jmx" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 9999 -m comment --comment "Allow jmx" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "JMS port" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 55672 -m comment --comment "Allowing > rabbit managment port" -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 1099 -m comment --comment "Allow rmi" > -m state --state NEW -j ACCEPT > -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow > clarity" -m state --state NEW -j ACCEPT > > Among the modules iv tried: > > https://github.com/pdeaudney/puppet-firewall > https://github.com/puppetlabs/puppetlabs-firewall > > Iv also tried: > > https://github.com/duritong/puppet-shorewall > > And didn''t manager to get it going, > > Id be grateful to Any reference to a simple working Redhat/Centos module > > Ronen >I haven''t looked at it closely yet (but I plan to), but I''ve heard good things about this module: https://labs.riseup.net/code/projects/shared-shorewall --> You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- <http://aws.amazon.com/solutions/solution-providers/brandorr/> -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jonathan Boyett provided a patch for this problem: https://github.com/puppetlabs/puppetlabs-firewall/commit/a7faff6f5b0de882bc720c8eb652d37b85a6b2a8 Looks like the crux of it was a Ruby 1.8.5 compatibility issue: https://github.com/puppetlabs/puppetlabs-firewall/issues/3 Thanks. ken. On Mon, Jul 11, 2011 at 10:59 AM, Ronen Narkis <narkisr@gmail.com> wrote:> Just did, > > Thank you! > Ronen > > On Mon, Jul 11, 2011 at 1:50 AM, Ken Barber <ken@puppetlabs.com> wrote: >> >> Hi Ronen, >> >> Making the rules persistent is a matter of running iptables-save >> afterwards. If you drop this in your top scope it should work: >> >> exec { "persist-firewall": >> command => $operatingsystem ? { >> "debian" => "/sbin/iptables > /etc/iptables/rules.v4", >> /(RedHat|CentOS)/ => "/sbin/iptables > /etc/sysconfig/iptables", >> } >> refreshonly => true, >> } >> Firewall { >> notify => Exec["persist-firewall"] >> } >> >> Can you raise a bug on the other issue about not detecting existing >> rules? I''d appreciate being able to see any problematic rules (after >> your own scrubbing of course). We''ll then be able to try and fix it >> for you. >> >> https://github.com/puppetlabs/puppetlabs-firewall/issues >> >> Alessandro''s suggestions still hold true about applying firewall rules >> with related classes. I''m a big fan of this methodology instead of >> having a long list of rules. This is why a firewall type that handles >> individual rules is a good approach. >> >> ken. >> >> On Sun, Jul 10, 2011 at 9:54 PM, Ronen Narkis <narkisr@gmail.com> wrote: >> > Hey Ken, the main issue was that the provider wasn''t detecting existing >> > rules but instead kept adding them in, another issue is that the rules >> > aren''t persistent (restarting the service clears them out), >> > >> > Alessandro ill check it out thanks! >> > >> > Ronen >> > >> > >> > >> > On Sun, Jul 10, 2011 at 10:38 PM, Christopher Webber >> > <kgbbelmont@gmail.com> >> > wrote: >> >> >> >> I have been working on doing something similar to this. We want to >> >> abstract for multiple OS''s and deal with the joy that is Solaris zones. >> >> Essentially, it will be a resource that defines the fw rules in XML and >> >> then a script takes all of those definitions and creates a complete set >> >> of >> >> firewall rules. >> >> I am waiting to hear back on our code release policy to see what it >> >> takes >> >> to release it once I am done. >> >> -- cwebber >> >> On Jul 10, 2011, at 12:32 PM, Alessandro Franceschi wrote: >> >> >> >> FYI >> >> I don''t know it it may be useful , but I''ve done this: >> >> https://github.com/example42/puppet-modules/tree/master/iptables >> >> which can be used in 2 ways: >> >> - a "standard" iptable-save approach (set $iptables_config = "file" >> >> before >> >> to enable it) with rules file defined in >> >> >> >> https://github.com/example42/puppet-modules/blob/master/iptables/manifests/file.pp >> >> (here you have to add source or content arguments to mange it with >> >> static >> >> files or templates according to your need) >> >> - an "automatic" way (default option when you include the module) that >> >> dymanically builds iptables rules according to the modules you include >> >> and >> >> the iptables related variables you set (see the README) >> >> This actually works if you use the Example42 modules (or at least the >> >> firewall defines included in each one). >> >> It''s quite nice to see it working adding or removing dynamically but, I >> >> must admin, is a bit resource intensive (a puppet resoutce for each >> >> dymanic >> >> rule). >> >> >> >> Regards >> >> Al @ Lab42 >> >> >> >> -- >> >> You received this message because you are subscribed to the Google >> >> Groups >> >> "Puppet Users" group. >> >> To view this discussion on the web visit >> >> https://groups.google.com/d/msg/puppet-users/-/KSn4hF687gQJ. >> >> To post to this group, send email to puppet-users@googlegroups.com. >> >> To unsubscribe from this group, send email to >> >> puppet-users+unsubscribe@googlegroups.com. >> >> For more options, visit this group at >> >> http://groups.google.com/group/puppet-users?hl=en. >> >> >> >> -- >> >> You received this message because you are subscribed to the Google >> >> Groups >> >> "Puppet Users" group. >> >> To post to this group, send email to puppet-users@googlegroups.com. >> >> To unsubscribe from this group, send email to >> >> puppet-users+unsubscribe@googlegroups.com. >> >> For more options, visit this group at >> >> http://groups.google.com/group/puppet-users?hl=en. >> > >> > -- >> > You received this message because you are subscribed to the Google >> > Groups >> > "Puppet Users" group. >> > To post to this group, send email to puppet-users@googlegroups.com. >> > To unsubscribe from this group, send email to >> > puppet-users+unsubscribe@googlegroups.com. >> > For more options, visit this group at >> > http://groups.google.com/group/puppet-users?hl=en. >> > >> >> >> >> -- >> "Join us for PuppetConf, September 22nd and 23rd in Portland, OR: >> http://bit.ly/puppetconfsig" >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To post to this group, send email to puppet-users@googlegroups.com. >> To unsubscribe from this group, send email to >> puppet-users+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/puppet-users?hl=en. >> > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- "Join us for PuppetConf, September 22nd and 23rd in Portland, OR: http://bit.ly/puppetconfsig" -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.