Hello all,

We are beginning to implement the Puppetlabs-firewall module and have not been able to implement a final LOG, DROP rule (our standard policy is LOG and DROP everything which isn't explicitly allowed IN or OUT) in post.pp. Has anyone been able to implement a post.pp which does a LOG and DROP?

We do something similar to this:

    # Chain:
    :droplog - [0:0]
    # Last INPUT rule
    -A INPUT -i eth0 -j droplog
    # Last OUTPUT rule
    -A OUTPUT -o eth0 -j droplog
    # LOG packets, then DROP.
    -A droplog -m limit --limit 10/min -j LOG --log-prefix "dropped "
    -A droplog -j DROP

From what I've read, and tried, it does not seem possible since you can not combine an 'action' and a 'jump'. And you only redefine the policy for built-in chains (INBOUND, FORWARD, OUTBOUND, ....) So I can't write a custom firewallchain which has a default policy of drop.

To me this should work but it doesn't because the default action is 'accept' .. it never hits 999

    class firewall::post {
      firewallchain { 'droplog:filter:IPv4':
        ensure => 'present',
      }
      firewall { '997 fwd to droplog':
        proto  => 'all',
        jump   => 'droplog',
        before => undef,
      }~>
      firewall { '998 droplog':
        chain      => 'droplog',
        jump       => 'LOG',
        log_prefix => 'dropped ',
        before     => undef,
      }~>
      firewall { '999 Default Drop':
        chain  => 'droplog',
        action => 'drop',
        before => undef,
      }
    }

Thanks,
Jim

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ef6aaff6-6775-4601-9313-75b24011ed50%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
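The iptables rules quoted in the post, written out as puppetlabs-firewall resources in a post.pp. This is an added example, not the poster's manifest and not code from the puppetlabs-firewall project; it assumes the module's `firewallchain` type and the `firewall` parameters `chain`, `jump`, `action`, `proto`, `limit`, `log_prefix`, `iniface` and `outiface`, plus the usual pre/post pattern in which every other rule declares `before => Class['firewall::post']`. The interface name eth0 and the `10/min` limit come from the post; the resource titles are made up here. Because one `firewall` resource carries a single target (either `action` or `jump`), the LOG and the DROP are two rules in the custom chain, and the chain's "policy" is simply its last rule.

```puppet
# Added example (not the original poster's manifest nor puppetlabs-firewall's
# own code). Assumed: puppetlabs-firewall with firewallchain and the firewall
# parameters chain, jump, action, proto, limit, log_prefix, iniface, outiface;
# other rules use `before => Class['firewall::post']`. eth0 comes from the post.
class firewall::post {

  # Custom chain that every packet not accepted earlier is sent to. Custom
  # chains have no policy, so the terminating DROP is a normal rule at the end.
  firewallchain { 'droplog:filter:IPv4':
    ensure => present,
  }

  # Last rule in INPUT: hand the remainder to droplog.
  # proto => 'all' matters: the module's proto parameter defaults to tcp, so a
  # jump/drop rule without it would only cover TCP.
  firewall { '997 input to droplog':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'eth0',
    jump    => 'droplog',
    before  => undef,
    require => Firewallchain['droplog:filter:IPv4'],
  }

  # Last rule in OUTPUT: the same for outbound traffic.
  firewall { '997 output to droplog':
    chain    => 'OUTPUT',
    proto    => 'all',
    outiface => 'eth0',
    jump     => 'droplog',
    before   => undef,
    require  => Firewallchain['droplog:filter:IPv4'],
  }

  # LOG is a non-terminating target: the packet continues to the next rule.
  # limit keeps a flood from filling the log (iptables: -m limit --limit 10/min).
  firewall { '998 droplog log':
    chain      => 'droplog',
    proto      => 'all',
    limit      => '10/min',
    jump       => 'LOG',
    log_prefix => 'dropped ',
    before     => undef,
    require    => Firewallchain['droplog:filter:IPv4'],
  }

  # Terminating rule. action and jump are separate targets, hence a second
  # resource rather than one rule that both logs and drops.
  firewall { '999 droplog drop':
    chain   => 'droplog',
    proto   => 'all',
    action  => 'drop',
    before  => undef,
    require => Firewallchain['droplog:filter:IPv4'],
  }
}
```

After a Puppet run, `iptables -L droplog -v -n` should show the LOG rule followed by the DROP rule with packet counters climbing, and the kernel log (`journalctl -k` or /var/log/messages) should carry lines prefixed `dropped `. Two things to check if packets still get through: that no other rule in INPUT or OUTPUT sorts after the 997 rules, since the built-in chains keep their ACCEPT policy and the custom chain only sees what reaches the jump, and that every rule meant to match all traffic really carries `proto => 'all'`.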