Chris W
2014-Jan-16 15:40 UTC
[Puppet Users] Strange behavior from puppetforge firewall module
We are using the puppetforge firewall module to lay down 2 sets of rules.
The first is a default set laid down in our home-grown ssh module's
init.pp -
firewall { '210 TCP - Accept SSH from XXXXX':
  state   => ['NEW'],
  proto   => 'tcp',
  dport   => $ssh_port,
  iniface => $ssh_device,
  source  => 'X.X.X.X',
  action  => 'accept',
}
firewall { '211 TCP - Accept SSH from YYYYY':
  state   => ['NEW'],
  proto   => 'tcp',
  dport   => $ssh_port,
  iniface => $ssh_device,
  source  => 'Y.Y.Y.Y',
  action  => 'accept',
}
These rules persist fine, as do these from our iptables pre.pp -
firewall { '010 ALL - ACCEPT RELATED and ESTABLISHED':
  proto  => 'all',
  state  => ['RELATED', 'ESTABLISHED'],
  action => 'accept',
}
# DROP all NetBIOS broadcast
firewall { '020 UDP - DROP NetBIOS Traffic':
  proto  => 'udp',
  port   => ['137', '138'],
  action => 'drop',
}
# ACCEPT all to localhost
firewall { '030 ALL - ACCEPT all to localhost':
  proto   => 'all',
  iniface => 'lo',
  action  => 'accept',
}
However, the following set, laid down from a service module's
manifests/firewall.pp, are flaky -
class s_*targetserver*_rh6::firewall {
  # ACCEPT all on the p2p3 heartbeat link
  firewall { '213 ALL - ACCEPT all to P2P3 (HeartBeat Link)':
    proto   => 'all',
    iniface => 'p2p3',
    action  => 'accept',
  }
  # Accept AFD monitoring from server1 on the management NIC
  firewall { '216 ALL - ACCEPT AFD monitoring from server1 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => '*management nic*',
    source  => '*server1 IP*',
    action  => 'accept',
  }
  # Accept AFD monitoring from server2 on the management NIC
  firewall { '217 ALL - ACCEPT AFD monitoring from server2 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => '*management nic*',
    source  => '*server2 IP*',
    action  => 'accept',
  }
  # Accept AFD monitoring from server3 on the management NIC
  firewall { '218 ALL - ACCEPT AFD monitoring from server3 on management':
    state   => ['NEW'],
    proto   => 'tcp',
    port    => ['4444', '4445', '4446', '4447'],
    iniface => '*management nic*',
    source  => '*server3 IP*',
    action  => 'accept',
  }
  # ACCEPT all on BOND1
  firewall { '214 ALL - ACCEPT all to BOND1 (DRDB Link)':
    proto   => 'all',
    iniface => 'bond1',
    action  => 'accept',
  }
  # ACCEPT ftp on Data
  firewall { '215 ALL - ACCEPT FTP on BOND0 (Data Link)':
    proto   => 'tcp',
    port    => '21',
    iniface => 'bond0',
    action  => 'accept',
  }
}
AFD is file distribution software from Deutscher Wetterdienst.
If I do iptables -F on the box, these are reliably applied, but during a
random Puppet Agent run they are subsequently removed.
Later, again at random, they are reapplied.
I've just updated the firewall module, so we are running on version 0.4.2.
Anyone else seen this sort of behaviour or have any suggestions?
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/de09a23b-ae81-46f3-a9c0-80924199b120%40googlegroups.com.
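When a set of rules comes and goes between agent runs, the first thing worth establishing is exactly which managed rules are present after each run, and whether the kernel holds any rules that carry no Puppet comment at all. The puppetlabs-firewall module writes each `firewall` resource's title into the rule's `-m comment --comment` match, so `iptables-save` output can be diffed against the titles a host is supposed to carry. The following checker is an added example written for this thread; it is not the poster's code or part of the firewall module. The `iptables-save` text it parses is constructed for the example (rule 214 and the 216-218 AFD rules are deliberately absent, and one uncommented SSH rule is included), and the hypothetical `expected_titles` list is the service-module rule set from the post.

```python
import re

# Constructed sample of `iptables-save` output, modelled on the rule titles in
# the post. It is NOT captured from the poster's system: the 214 and 216-218
# rules are missing on purpose, and one rule without a Puppet comment is added
# so the "unmanaged" report has something to show.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m comment --comment "010 ALL - ACCEPT RELATED and ESTABLISHED" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --ports 137,138 -m comment --comment "020 UDP - DROP NetBIOS Traffic" -j DROP
-A INPUT -i lo -m comment --comment "030 ALL - ACCEPT all to localhost" -j ACCEPT
-A INPUT -i p2p3 -m comment --comment "213 ALL - ACCEPT all to P2P3 (HeartBeat Link)" -j ACCEPT
-A INPUT -i bond0 -p tcp -m multiport --ports 21 -m comment --comment "215 ALL - ACCEPT FTP on BOND0 (Data Link)" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Hypothetical expected set: the titles declared by the service module's
# firewall class in the post.
EXPECTED_TITLES = [
    "213 ALL - ACCEPT all to P2P3 (HeartBeat Link)",
    "216 ALL - ACCEPT AFD monitoring from server1 on management",
    "217 ALL - ACCEPT AFD monitoring from server2 on management",
    "218 ALL - ACCEPT AFD monitoring from server3 on management",
    "214 ALL - ACCEPT all to BOND1 (DRDB Link)",
    "215 ALL - ACCEPT FTP on BOND0 (Data Link)",
]

# The comment match the firewall module emits; handles escaped quotes in titles.
COMMENT_RE = re.compile(r'-m comment --comment "((?:[^"\\]|\\.)*)"')


def rule_lines(iptables_save_text):
    """Yield only the rule lines (-A ...) from iptables-save output."""
    for line in iptables_save_text.splitlines():
        if line.startswith("-A "):
            yield line


def managed_rule_titles(iptables_save_text):
    """Return the set of Puppet-managed rule titles found in the comments."""
    titles = set()
    for line in rule_lines(iptables_save_text):
        match = COMMENT_RE.search(line)
        if match:
            titles.add(match.group(1))
    return titles


def missing_rules(iptables_save_text, expected_titles):
    """Titles that should be present but are not, in sorted order."""
    present = managed_rule_titles(iptables_save_text)
    return sorted(title for title in expected_titles if title not in present)


def unmanaged_rules(iptables_save_text):
    """Rule lines that carry no Puppet comment.

    These are the rules the module cannot account for; with
    `resources { 'firewall': purge => true }` they are the ones it deletes.
    """
    return [line for line in rule_lines(iptables_save_text)
            if not COMMENT_RE.search(line)]


if __name__ == "__main__":
    for title in missing_rules(SAMPLE_IPTABLES_SAVE, EXPECTED_TITLES):
        print("MISSING:", title)
    for line in unmanaged_rules(SAMPLE_IPTABLES_SAVE):
        print("UNMANAGED:", line)
```

Run it against a real `iptables-save` dump taken after each agent run (for example by cron, writing the output alongside the agent's log) and the report shows whether a rule vanished at the same time a particular class dropped out of the catalog, which is the correlation needed before deciding whether purging, class inclusion or ordering is at fault.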