Chris O'Donnell
2012-Mar-15 22:39 UTC
[Puppet Users] is there a way to make the puppetlabs/firewall module implement the iptables -P flag?
With our current iptables rules, we implement the following in a script:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

Then the script continues on and does the rest of the rules, some custom policies, etc. Now we're moving to Puppet and trying to replace all of our scripts. From what I can tell, the puppetlabs/firewall module doesn't allow a way to set the default policy for a default chain. By default, the puppetlabs/firewall module sets it as:

    INPUT ACCEPT
    FORWARD ACCEPT
    OUTPUT ACCEPT

I've tried going through the module to implement this, but my Ruby skills aren't there yet. As this would be the default in all of our rules, I don't need a full implementation (i.e. able to set this from a pp file), I just need to be able to set it as the default for all iptables settings. Anyone have a hack (ugly or not) to implement this? I'm looking at other firewall modules, but this one is pretty slick, and would like to use this one (albeit with this modification) if possible.

Additional info (in case it matters)

Server:
- Debian squeeze (stable)
- Puppetmaster: 2.7.6 (from squeeze-backports)
- puppetlabs/firewall version 0.0.4 (current version on Puppetforge)

Clients:
- Debian squeeze (stable)
- puppet client version 2.6.2

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit groups.google.com/d/msg/puppet-users/-/-8H6p_Mf-kMJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at groups.google.com/group/puppet-users?hl=en.
Krzysztof Wilczynski
2012-Mar-15 23:25 UTC
[Puppet Users] Re: is there a way to make the puppetlabs/firewall module implement the iptables -P flag?
Hi,

[...]
> Anyone have a hack (ugly or not) to implement this?

A hack? Um.

projects.puppetlabs.com/issues/10162
projects.puppetlabs.com/issues/10958
github.com/puppetlabs/puppetlabs-firewall/pull/59

It will probably be there in the near future.

KW
Dan Carley
2012-Mar-16 11:47 UTC
Re: [Puppet Users] is there a way to make the puppetlabs/firewall module implement the iptables -P flag?
On 15 March 2012 22:39, Chris O'Donnell <chodonne@gmail.com> wrote:
> With our current iptables rules, we implement the following in a script:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> Then the script continues on and does the rest of the rules, some custom
> policies, etc. Now we're moving to Puppet and trying to replace all of our
> scripts. From what I can tell, the puppetlabs/firewall module doesn't allow
> a way to set the default policy for a default chain. By default, the
> puppetlabs/firewall module sets it as:
>
> INPUT ACCEPT
> FORWARD ACCEPT
> OUTPUT ACCEPT
>
> I've tried going through the module to implement this, but my Ruby skills
> aren't there yet. As this would be the default in all of our rules, I don't
> need a full implementation (i.e. able to set this from a pp file), I just
> need to be able to set it as the default for all iptables settings. Anyone
> have a hack (ugly or not) to implement this? I'm looking at other firewall
> modules, but this one is pretty slick, and would like to use this one
> (albeit with this modification) if possible.

You can achieve the same effect with a default DROP/DENY rule at the end of your chain.

I have some fondness for this approach, being one of the many hapless sysadmins that has once locked themselves out of a machine by running "iptables -F" without paying attention to the policy defaults.
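The end-of-chain approach Dan describes, written out as an added example manifest (not code from this thread or from the module's own documentation). It assumes the firewall type's chain, proto, state, iniface, dport and action parameters as found in puppetlabs-firewall, that rule titles are ordered by their numeric prefix, and a hypothetical class name site::firewall.

```puppet
# Added example: emulate "iptables -P INPUT DROP / -P FORWARD DROP" with the
# puppetlabs/firewall module by ending each chain with a catch-all DROP rule
# while the kernel policy stays ACCEPT. Parameter names (chain, proto, state,
# iniface, dport, action) are assumed to match the module's firewall type.
class site::firewall {

  # These must sort before the catch-all, or the agent run that installs it
  # cuts off the SSH session it is being applied from.
  firewall { '000 accept established and related':
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }
  firewall { '001 accept loopback':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '010 accept ssh':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }

  # Catch-all rules: the high prefix keeps them last, so anything not matched
  # above is dropped, which is the outcome "-P INPUT DROP" would give.
  firewall { '999 drop all other input':
    chain  => 'INPUT',
    proto  => 'all',
    action => 'drop',
  }
  firewall { '999 drop all forwarding':
    chain  => 'FORWARD',
    proto  => 'all',
    action => 'drop',
  }
  # OUTPUT is left at the module's ACCEPT policy, matching "-P OUTPUT ACCEPT".

  # Purge rules the old script left behind so none of them can sit ahead of
  # the catch-all (Puppet's resources metatype; the firewall type supports it).
  resources { 'firewall':
    purge => true,
  }
}
```

After an agent run, `iptables -L INPUT -n --line-numbers` should list the ESTABLISHED/RELATED accept first and the drop rule last, with the chain policy still reading ACCEPT.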
Chris O'Donnell
2012-Mar-16 22:09 UTC
[Puppet Users] Re: is there a way to make the puppetlabs/firewall module implement the iptables -P flag?
FYI, I downloaded the following branch this morning:

    git clone -b ticket/10162-firewallchain_support_for_merge git://github.com/kbarber/puppetlabs-firewall.git

and found a bug where the args for iptables were being fed to it in the wrong order. I made the following patch, and emailed it to Ken:

--- iptables_chain.rb.orig	2012-03-16 17:14:29.000000000 -0400
+++ iptables_chain.rb	2012-03-16 16:31:40.000000000 -0400
@@ -73,7 +73,7 @@
 
   def policy=(value)
     return if value == :empty
-    allvalidchains do |t, table, chain|
+    allvalidchains do |t, chain, table|
       p = ['-t',table,'-P',chain,value.to_s.upcase]
       debug "[set policy] #{t} #{p}"
       t.call p
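Review bot: the swap to `|t, chain, table|` only yields a correct `-t table -P chain` argv if that is the order `allvalidchains` actually passes its block, which this hunk does not show; a spec that calls `policy=` for a known chain and asserts the array it builds (e.g. `['-t', 'filter', '-P', 'INPUT', 'DROP']`) would pin that contract down and catch the reversal again if any other block in the provider still destructures it the old way. The context line `p = ['-t',table,'-P',chain,value.to_s.upcase]` also hands whatever `policy=` receives straight to iptables, so the firewallchain type should restrict `policy` to the values iptables accepts for a built-in chain rather than leaving that to the provider.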
Krzysztof Wilczynski
2012-Mar-16 22:28 UTC
[Puppet Users] Re: is there a way to make the puppetlabs/firewall module implement the iptables -P flag?
Hi Chris,

Awesome, +1 :)

KW

On Friday, 16 March 2012 22:09:34 UTC, Chris O'Donnell wrote:
>
> FYI, I downloaded the following branch this morning:
>
> git clone -b ticket/10162-firewallchain_support_for_merge git://
> github.com/kbarber/puppetlabs-firewall.git
>
> and found a bug where the args for iptables were being fed to it in the
> wrong order. I made the following patch, and emailed it to Ken:
>
> --- iptables_chain.rb.orig 2012-03-16 17:14:29.000000000 -0400
> +++ iptables_chain.rb 2012-03-16 16:31:40.000000000 -0400
> @@ -73,7 +73,7 @@
>
> def policy=(value)
> return if value == :empty
> - allvalidchains do |t, table, chain|
> + allvalidchains do |t, chain, table|
> p = ['-t',table,'-P',chain,value.to_s.upcase]
> debug "[set policy] #{t} #{p}"
> t.call p
>