Mohamed Lrhazi
2011-Nov-29 21:05 UTC
[Puppet Users] puppetlabs-firewall: source param as array
Hi,

am trying this rule:

firewall { '100 allow ssh from GUNET':
  proto => 'tcp',
  dport => '22',
  source => ['10.0.0.0/8','192.168.0.0/16',],
  action => accept,
}

and it only seems to add a rule for the first subnet. The second is
silently ignored.

is my syntax incorrect?

Thanks,
Mohamed.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Charles Buckley
2011-Nov-29 21:11 UTC
Re: [Puppet Users] puppetlabs-firewall: source param as array
Hello,

While I have never used this particular package, I am curious about that trailing comma:

source => ['10.0.0.0/8','192.168.0.0/16',],

or

source => ['10.0.0.0/8','192.168.0.0/16'],

Charles Buckley

On Tue, Nov 29, 2011 at 2:05 PM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
> Hi,
>
> am trying this rule:
>
> firewall { '100 allow ssh from GUNET':
>   proto => 'tcp',
>   dport => '22',
>   source => ['10.0.0.0/8','192.168.0.0/16',],
>   action => accept,
> }
>
> and it only seems to add a rule for the first subnet. The second is
> silently ignored.
>
> is my syntax incorrect?
>
> Thanks,
> Mohamed.

Steve Traylen
2011-Nov-29 22:22 UTC
Re: [Puppet Users] puppetlabs-firewall: source param as array
On Tue, Nov 29, 2011 at 10:05 PM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
> firewall { '100 allow ssh from GUNET':
>   proto => 'tcp',
>   dport => '22',
>   source => ['10.0.0.0/8','192.168.0.0/16',],
>   action => accept,
> }
>
> and it only seems to add a rule for the first subnet. The second is
> silently ignored.

Hi Mohamed,

See: http://projects.puppetlabs.com/issues/10116

accepted bug.

Steve.

--
Steve Traylen

Jacob Helwig
2011-Nov-29 22:23 UTC
Re: [Puppet Users] puppetlabs-firewall: source param as array
On 2011-11-29 13:05 , Mohamed Lrhazi wrote:
> Hi,
>
> am trying this rule:
>
> firewall { '100 allow ssh from GUNET':
>   proto => 'tcp',
>   dport => '22',
>   source => ['10.0.0.0/8','192.168.0.0/16',],
>   action => accept,
> }
>
> and it only seems to add a rule for the first subnet. The second is
> silently ignored.
>
> is my syntax incorrect?
>
> Thanks,
> Mohamed.

The type doesn't appear to be written to handle accepting arrays in the
source property, so given how it's written it's expected behavior,
though sounds like it's rather undesirable.

--
Jacob Helwig
http://about.me/jhelwig

Mohamed Lrhazi
2011-Nov-29 22:25 UTC
Re: [Puppet Users] puppetlabs-firewall: source param as array
Cool. Thanks guys.

Mohamed Lrhazi
2011-Nov-30 00:17 UTC
Re: [Puppet Users] puppetlabs-firewall: source param as array
In case it helps someone, I got it to do what I needed this way:

# Allow netbackup
define allow_netbackup() {
  firewall { "300 allow netbackup traffic from ${name}":
    proto => 'tcp',
    dport => [13724,1556,10102,10082],
    source => $name,
    action => accept,
  }
}

allow_netbackup { $netbackup_master_servers:}
allow_netbackup { $netbackup_media_servers: }

You're right Jacob. The bug in the module is really a documentation bug. The doc says it expects an array for source and for destination, when it should not. Looking at the code it seems the module cannot provide anything iptables itself does not, and iptables does not provide for a list of IPs/networks in source and dest.

Thanks,
Mohamed.
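
Because the second subnet in this thread was dropped silently, the manifest alone does not show what the host actually enforces. The following check is an added example (not code from the thread or from the puppetlabs-firewall module): it compares the source networks a manifest intended against `iptables-save` output. The function names, the sample ruleset (including the placeholder address 192.0.2.10) and the multiport/comment rule layout are constructed assumptions; IPv4 only.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt: only the first element of the
# 'source' array from the thread made it into a rule.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh from GUNET" -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m multiport --dports 13724,1556,10102,10082 -m comment --comment "300 allow netbackup traffic from 192.0.2.10" -j ACCEPT
COMMIT
"""


def port_matches(spec, port):
    """True if port is in an iptables port spec such as '22,80,1000:2000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def accepted_sources(ruleset, dport, chain="INPUT", proto="tcp"):
    """Source networks that have an explicit ACCEPT rule for proto/dport."""
    nets = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue                      # table header, policy, COMMIT, comments
        tok = shlex.split(line)           # keeps the quoted --comment as one token
        if tok[1] != chain or "!" in tok:
            continue                      # other chain, or a negated match
        opt = dict(zip(tok, tok[1:]))     # option -> the token that follows it
        spec = opt.get("--dports") or opt.get("--dport")
        if opt.get("-j") != "ACCEPT" or opt.get("-p") != proto:
            continue
        if spec is None or not port_matches(spec, dport):
            continue                      # only rules that name the port count
        nets.append(ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False))
    return nets


def missing_sources(ruleset, expected, dport, chain="INPUT", proto="tcp"):
    """Expected CIDRs that no ACCEPT rule for dport covers."""
    allowed = accepted_sources(ruleset, dport, chain, proto)
    return [cidr for cidr in expected
            if not any(ipaddress.ip_network(cidr).subnet_of(n) for n in allowed)]
```

Run against real `iptables-save` output after each Puppet run, a non-empty result from `missing_sources` flags a source that the manifest declared but the host never received.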