I'm still a bit noobish with puppet...

In short what I want to do is merge puppet managed iptables with dynamically added rules added by some scripts. We have a basic config setup with a template (iptables.erb) and we can add rules to that in manifests. But of course puppet will wipe any changes made from the OS. Any advice on how to get puppet to respect the dynamically loaded rules?

Thanks.
-G

--
Geoff Galitz, ggalitz@shutterstock.com
WebOps
Shutterstock Images
Matt Zagrabelny
2012-Aug-15 19:56 UTC
Re: [Puppet Users] merging iptables rules with puppet
Perhaps put them in a chain of their own? I am not sure if puppet will delete chains.

-mz
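The dedicated-chain idea above, as an added example that is not part of the original thread: assuming the scripts only ever touch a chain called `DYNAMIC` (a hypothetical name) that the Puppet template declares and jumps to, `merge_dynamic_chain` copies that chain's live rules from `iptables-save` output into the rendered ruleset before it is reloaded. Rules added outside that chain are still discarded, so the managed policy stays authoritative.

```python
import re

# Constructed sample: ruleset rendered by Puppet from the template. It declares
# the DYNAMIC chain (hypothetical name) and jumps to it, but holds no rules for it.
MANAGED = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DYNAMIC - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DYNAMIC
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: `iptables-save` output (no -c counters) taken from the host.
LIVE = """*filter
:INPUT DROP [10:600]
:OUTPUT ACCEPT [5:300]
:DYNAMIC - [0:0]
-A INPUT -j DYNAMIC
-A INPUT -s 198.51.100.9/32 -j ACCEPT
-A DYNAMIC -s 192.0.2.10/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DYNAMIC -s 192.0.2.11/32 -j DROP
COMMIT
"""

def chain_rules(save_text, chain, table="filter"):
    """Return the '-A <chain> ...' lines of one table from iptables-save text."""
    rules, current = [], None
    for line in map(str.strip, save_text.splitlines()):
        if line.startswith("*"):          # table header such as '*filter'
            current = line[1:]
        elif current == table and line.startswith("-A %s " % chain):
            rules.append(line)
    return rules

def merge_dynamic_chain(managed, live, chain="DYNAMIC", table="filter"):
    """Insert the live rules of `chain` before COMMIT of `table` in `managed`."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", chain):
        raise ValueError("unsafe chain name: %r" % chain)
    if chain_rules(managed, chain, table):
        raise ValueError("managed ruleset must not carry rules for " + chain)
    out, current, declared, merged = [], None, False, False
    for line in managed.splitlines():
        text = line.strip()
        if text.startswith("*"):
            current, declared = text[1:], False
        elif current == table and text.startswith(":%s " % chain):
            declared = True               # template owns the chain declaration
        elif current == table and text == "COMMIT":
            if not declared:
                raise ValueError("managed ruleset does not declare " + chain)
            out.extend(chain_rules(live, chain, table))
            merged = True
        out.append(line)
    if not merged:
        raise ValueError("table %s not found in managed ruleset" % table)
    return "\n".join(out) + "\n"
```

The returned text is what would be handed to `iptables-restore` in place of the raw template output.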
By dynamically loading rules do you mean executing iptables <rule> or are you editing your iptables-save file and then reloading?
Geoff Galitz
2012-Aug-15 21:07 UTC
Re: [Puppet Users] Re: merging iptables rules with puppet
We are executing iptables <rule>, not editing the backend files, though we could do that if that were the only option.

-G

On Wed, Aug 15, 2012 at 4:54 PM, Luke Baker <bakerlu@missouri.edu> wrote:
> By dynamically loading rules do you mean executing iptables <rule> or are you editing your iptables-save file and then reloading?
Peter Brown
2012-Aug-16 06:01 UTC
Re: [Puppet Users] Re: merging iptables rules with puppet
Hi,

I manage my iptables setup with the concat module and nail together a rules file and then reload it if it's changed.
I also have a define setup so other classes can define rules and my firewall class pulls them all in.
Works well for me because when I remove a class the firewall rule associated with it goes away too.

I am intending on putting my modules in GitHub but have been super busy and haven't had a chance yet.
Justin Ellison
2012-Aug-16 19:27 UTC
Re: [Puppet Users] Re: merging iptables rules with puppet
I can't say enough good about the puppetlabs-firewall module. They've put a lot of work into it, and it works perfectly.

https://github.com/puppetlabs/puppetlabs-firewall

No need for concat here.

Justin
I have an open issue against it, but otherwise I agree.

http://projects.puppetlabs.com/issues/14413

If I could come up with a workaround for this, I would be a very happy camper.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
Peter Brown
2012-Aug-19 23:49 UTC
Re: [Puppet Users] Re: merging iptables rules with puppet
I have been meaning to have a look at that one and see if it will work for what I need.
I have likely put it off because I am always too busy and my firewall module works.
I also like having the rules go away automagically if they aren't needed any more.