FAQ
Greetings,

I have a question about "best practices" for the puppet firewall module. I
have pasted my basic config files below and I am curious about a few things.

* The ports that all nodes share in common I am adding to the
modules/my_firewall/manifests/init.pp file, but the ports that are specific
to a node I am adding to the node definition in manifests/site.pp. What
should I do to prevent the firewall rules from becoming unwieldy in my
site.pp file? It is fine if there are only a few ports open, but once I
start adding a lot of ports to the nodes it gets rather big. Any
suggestions, or is it common to have rather large node definitions?

* The documentation says that the number should be between 000..999.
However, I made my post.pp deny rule as 99999 so that I could make the
number the port (makes sense to me and help track which port is for what
purpose; I made it that high because one app has port 27000). The vast
majority of the time I don't care what order the ports are in, just so long
as they appear between the pre and post section. It also helps me remember
which number the rule should be so I don't have duplicate ID numbers. Does
anyone else label the ID this way? Is there a problem with making this ID
so large when the documentation lists the max number as 999 (I am guessing
it was just a large number the author picked at random and not one with
significant meaning, but I am curious)?

Also, a semi-related question since I am posting the configs... Did I do it
right? :-D It works for my test cases so far. Mostly I just want to check to
make sure I didn't misunderstand the documentation. So if I missed
something or if I goofed something up, I would appreciate a response.

Thanks!

$ cat manifests/site.pp
node 'puppet.test.domain' {
   include my_firewall
   firewall { '8140 Puppet Master':
       port => 8140,
       proto => 'tcp',
       action => accept,
       state => 'NEW',
   }
}

$ cat modules/my_firewall/manifests/init.pp
class my_firewall () {
   resources { "firewall": purge => true }
     Firewall {
       before => Class['my_firewall::post'],
       require => Class['my_firewall::pre'],
     }
     firewall { '80 Webserver':
       port => 80,
       proto => 'tcp',
       action => accept,
       state => 'NEW',
     }
     include my_firewall::pre
     include my_firewall::post
}

$ cat modules/my_firewall/manifests/pre.pp
class my_firewall::pre {
   Firewall { require => undef, }
   firewall { '000 accept all icmp':
     proto => 'icmp',
     action => 'accept',
   }->
   firewall { '001 accept all to lo interface':
     proto => 'all',
     iniface => 'lo',
     action => 'accept',
   }->
   firewall { '002 accept related established rules':
     proto => 'all',
     state => ['ESTABLISHED' , 'RELATED'],
     action => 'accept',
   }
}

$ cat modules/my_firewall/manifests/post.pp
class my_firewall::post {
   firewall { '99999 drop all':
      proto => 'all',
      action => 'drop',
      before => undef,
   }
}

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
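One way to keep the node definitions in site.pp small, as an added example that is not the poster's code: make my_firewall a parameterized class that takes the per-node rules as a hash and builds them with create_resources, so the node only states the port and a title. $node_rules and $node_defaults are names assumed here, and the rule titles keep the three-digit prefix the poster quotes from the module documentation.

```puppet
# modules/my_firewall/manifests/init.pp (added example; $node_rules is a hypothetical parameter)
class my_firewall (
  $node_rules = {},   # per-node rules, keyed by rule title, passed from site.pp
) {
  resources { 'firewall': purge => true }

  # Every firewall resource in this scope lands between the pre and post classes.
  Firewall {
    before  => Class['my_firewall::post'],
    require => Class['my_firewall::pre'],
  }

  # Rules that all nodes share stay in the module.
  firewall { '100 Webserver':
    port   => 80,
    proto  => 'tcp',
    action => 'accept',
    state  => 'NEW',
  }

  # Per-node rules: these defaults apply to every entry in $node_rules,
  # so a node only has to say which port to open.
  $node_defaults = {
    'proto'  => 'tcp',
    'action' => 'accept',
    'state'  => 'NEW',
  }
  create_resources('firewall', $node_rules, $node_defaults)

  include my_firewall::pre
  include my_firewall::post
}

# manifests/site.pp: the node definition shrinks to a hash of title => port
node 'puppet.test.domain' {
  class { 'my_firewall':
    node_rules => {
      '200 Puppet Master'  => { 'port' => 8140 },
      '210 License server' => { 'port' => 27000 },
    },
  }
}
```

Because resources { 'firewall': purge => true } is still in force, any rule not declared in $node_rules or the module is removed from the node, so the hash is also the complete record of what a host exposes.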

Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 27, '13 at 1:48a
active: Jun 27, '13 at 12:47p
posts: 3
users: 2
website: puppetlabs.com

2 users in discussion
Stack Kororā: 2 posts
Ken Barber: 1 post
