Chris W
2014-Jan-16 15:40 UTC
[Puppet Users] Strange behavior from puppetforge firewall module
We are using the puppetforge firewall module to lay down 2 sets of rules. The first are a default set laid down in our home grown ssh module's init.pp -

    firewall { '210 TCP - Accept SSH from XXXXX':
      state   => ['NEW'],
      proto   => 'tcp',
      dport   => $ssh_port,
      iniface => $ssh_device,
      source  => 'X.X.X.X',
      action  => 'accept',
    }

    firewall { '211 TCP - Accept SSH from YYYYY':
      state   => ['NEW'],
      proto   => 'tcp',
      dport   => $ssh_port,
      iniface => $ssh_device,
      source  => 'Y.Y.Y.Y',
      action  => 'accept',
    }

These rules persist fine, as do these from our iptables pre.pp

    firewall { '010 ALL - ACCEPT RELATED and ESTABLISHED':
      proto  => 'all',
      state  => ['RELATED', 'ESTABLISHED'],
      action => 'accept',
    }

    # DROP all NetBIOS broadcast
    firewall { '020 UDP - DROP NetBIOS Traffic':
      proto  => 'udp',
      port   => ['137', '138'],
      action => 'drop',
    }

    # ACCEPT all to localhost
    firewall { '030 ALL - ACCEPT all to localhost':
      proto   => 'all',
      iniface => 'lo',
      action  => 'accept',
    }

However, the following set laid down from a service module manifests/firewall.pp are flakey -

    class s_*targetserver*_rh6::firewall {

      # ACCEPT all to localhost
      firewall { '213 ALL - ACCEPT all to P2P3 (HeartBeat Link)':
        proto   => 'all',
        iniface => 'p2p3',
        action  => 'accept',
      }

      # Accept ssh from server1
      firewall { '216 ALL - ACCEPT AFD monitoring from server1 on management':
        state   => ['NEW'],
        proto   => 'tcp',
        port    => ['4444', '4445', '4446', '4447'],
        iniface => '*management nic*',
        source  => '*server1 IP*',
        action  => 'accept',
      }

      # Accept ssh from server2
      firewall { '217 ALL - ACCEPT AFD monitoring from server2 on management':
        state   => ['NEW'],
        proto   => 'tcp',
        port    => ['4444', '4445', '4446', '4447'],
        iniface => '*management nic*',
        source  => '*server2 IP*',
        action  => 'accept',
      }

      # Accept ssh from server3 port 4444
      firewall { '218 ALL - ACCEPT AFD monitoring from server3 on management':
        state   => ['NEW'],
        proto   => 'tcp',
        port    => ['4444', '4445', '4446', '4447'],
        iniface => '*management nic*',
        source  => '*server3 IP*',
        action  => 'accept',
      }

      # ACCEPT all on BOND1
      firewall { '214 ALL - ACCEPT all to BOND1 (DRDB Link)':
        proto   => 'all',
        iniface => 'bond1',
        action  => 'accept',
      }

      # ACCEPT ftp on Data
      firewall { '215 ALL - ACCEPT FTP on BOND0 (Data Link)':
        proto   => 'tcp',
        port    => '21',
        iniface => 'bond0',
        action  => 'accept',
      }
    }

AFD is file distribution software from Deutscher Wetterdienst.

If I do iptables -F on the box, these are reliably applied but, during a random Puppet Agent run they are subsequently removed. Later, again at random, they are reapplied.

I've just updated the firewall module, so we are running on version 0.4.2.

Anyone else seen this sort of behaviour or have any suggestions?
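One way to pin down which runs remove the rules is to audit the live ruleset against the resource titles from the manifests between agent runs. The script below is an added example, not from the original post or the puppetlabs-firewall project; it assumes (as the module does in my experience, but the post does not say so) that each managed rule carries its resource title in an iptables `-m comment --comment "..."` match. The iptables-save text, interface names and addresses in it are constructed to mirror the state described above: the ssh and pre.pp rules present, the service-class rules 213-218 gone.

```python
"""Audit iptables-save output for the Puppet-managed rules listed in the post.

Assumption (not stated in the post): the puppetlabs-firewall module records
each resource title as `-m comment --comment "<title>"`, so titles from the
manifests can be matched directly against iptables-save output.
"""
import shlex
import subprocess
import sys

# Resource titles taken from the manifests quoted in the post.
EXPECTED_TITLES = [
    "010 ALL - ACCEPT RELATED and ESTABLISHED",
    "020 UDP - DROP NetBIOS Traffic",
    "030 ALL - ACCEPT all to localhost",
    "210 TCP - Accept SSH from XXXXX",
    "211 TCP - Accept SSH from YYYYY",
    "213 ALL - ACCEPT all to P2P3 (HeartBeat Link)",
    "214 ALL - ACCEPT all to BOND1 (DRDB Link)",
    "215 ALL - ACCEPT FTP on BOND0 (Data Link)",
    "216 ALL - ACCEPT AFD monitoring from server1 on management",
    "217 ALL - ACCEPT AFD monitoring from server2 on management",
    "218 ALL - ACCEPT AFD monitoring from server3 on management",
]

# Constructed sample of iptables-save output (addresses and interfaces are
# placeholders): base rules present, service-class rules 213-218 missing.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m comment --comment "010 ALL - ACCEPT RELATED and ESTABLISHED" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --ports 137,138 -m comment --comment "020 UDP - DROP NetBIOS Traffic" -j DROP
-A INPUT -i lo -m comment --comment "030 ALL - ACCEPT all to localhost" -j ACCEPT
-A INPUT -s 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "210 TCP - Accept SSH from XXXXX" -m state --state NEW -j ACCEPT
-A INPUT -s 192.0.2.11/32 -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "211 TCP - Accept SSH from YYYYY" -m state --state NEW -j ACCEPT
COMMIT
"""


def parse_managed_rules(dump: str) -> dict:
    """Return {title: [rule lines]} for every -A rule carrying a --comment."""
    found = {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        try:
            tokens = shlex.split(line)  # keeps the quoted title as one token
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        for i, tok in enumerate(tokens):
            if tok == "--comment" and i + 1 < len(tokens):
                found.setdefault(tokens[i + 1], []).append(line)
    return found


def audit(dump: str, expected: list) -> dict:
    """Classify expected titles as present, missing or duplicated, and list
    comment-tagged rules that no manifest accounts for."""
    managed = parse_managed_rules(dump)
    return {
        "present": sorted(t for t in expected if len(managed.get(t, [])) == 1),
        "missing": sorted(t for t in expected if t not in managed),
        "duplicated": sorted(t for t in expected if len(managed.get(t, [])) > 1),
        "unexpected": sorted(t for t in managed if t not in expected),
    }


if __name__ == "__main__":
    # Read the live ruleset when run as root on the box; otherwise use the sample.
    try:
        dump = subprocess.run(["iptables-save"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        dump = SAMPLE_IPTABLES_SAVE
    report = audit(dump, EXPECTED_TITLES)
    for key, titles in report.items():
        print(f"{key}: {len(titles)}")
        for title in titles:
            print(f"  {title}")
    sys.exit(1 if report["missing"] else 0)
```

Running it from cron on the affected host and keeping the output alongside the agent run timestamps shows which runs drop the 21x rules and whether anything else is being purged at the same time, which narrows down whether the class is missing from the catalog on those runs or the rules are being removed by something outside Puppet.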