Hello all,

We are beginning to implement the Puppetlabs-firewall module and have not
been able to implement a final LOG, DROP rule (our standard policy is LOG
and DROP everything which isn't explicitly allowed IN or OUT) in post.pp.
Has anyone been able to implement a post.pp which does a LOG and DROP?

We do something similar to this:
# Chain:
:droplog - [0:0]

# Last INPUT rule
-A INPUT -i eth0 -j droplog
# Last OUTPUT rule
-A OUTPUT -o eth0 -j droplog

# LOG packets, then DROP.
-A droplog -m limit --limit 10/min -j LOG --log-prefix "dropped "
-A droplog -j DROP

From what I've read, and tried, it does not seem possible, since you cannot
combine an 'action' and a 'jump'. And you can only redefine the policy for
built-in chains (INBOUND, FORWARD, OUTBOUND, ...), so I can't write a
custom firewallchain which has a default policy of drop.

To me this should work, but it doesn't because the default action is
'accept'... it never hits 999:
class firewall::post {
  firewallchain { 'droplog:filter:IPv4': ensure => 'present', }

  # Send unmatched INPUT traffic (the type's default chain) to droplog,
  # log it there, then drop it.
  firewall { '997 fwd to droplog': proto => 'all', jump => 'droplog',
    before => undef, }
  ~> firewall { '998 droplog': chain => 'droplog', jump => 'LOG',
    log_prefix => 'dropped ', before => undef, }
  ~> firewall { '999 Default Drop': chain => 'droplog', action => 'drop',
    before => undef, }
}


To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ef6aaff6-6775-4601-9313-75b24011ed50%40googlegroups.com.
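One way to build the LOG-then-DROP post.pp asked about above, written here as an added example; it is not code from the original post or from the puppetlabs-firewall module. It follows the module README's layout and assumes that site.pp sets the resource default `Firewall { before => Class['my_fw::post'], require => Class['my_fw::pre'] }` and that `my_fw::pre` already accepts loopback, ESTABLISHED/RELATED and the management traffic (SSH, the Puppet master port) the host needs. The class name `my_fw::post`, the chain name `droplog` and the interface `eth0` are assumptions.

```puppet
# Added example, not the puppetlabs-firewall module's own code.
# Assumes site.pp defaults: Firewall { before => Class['my_fw::post'],
#                                      require => Class['my_fw::pre'] }
class my_fw::post {
  # A user-defined chain cannot carry a policy, so the DROP is simply the
  # last rule inside it. The title format is name:table:protocol.
  firewallchain { 'droplog:filter:IPv4':
    ensure => present,
  }

  # Anything that falls through INPUT or OUTPUT is handed to droplog.
  # The numeric prefix orders rules within a chain; 997 keeps these
  # after the allow rules that my_fw::pre installs.
  firewall { '997 INPUT fallthrough to droplog':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'eth0',
    jump    => 'droplog',
    require => Firewallchain['droplog:filter:IPv4'],
    before  => undef,   # cancel the site.pp default, or post would depend on itself
  }

  firewall { '997 OUTPUT fallthrough to droplog':
    chain    => 'OUTPUT',
    proto    => 'all',
    outiface => 'eth0',
    jump     => 'droplog',
    require  => Firewallchain['droplog:filter:IPv4'],
    before   => undef,
  }

  # LOG first, rate limited so a flood of rejected packets cannot fill
  # the disk, then DROP. Two rules because a rule has one target.
  firewall { '998 droplog log':
    chain      => 'droplog',
    proto      => 'all',
    limit      => '10/min',
    jump       => 'LOG',
    log_prefix => 'dropped ',
    log_level  => '4',
    require    => Firewallchain['droplog:filter:IPv4'],
    before     => undef,
  }

  firewall { '999 droplog drop':
    chain   => 'droplog',
    proto   => 'all',
    action  => 'drop',
    require => Firewallchain['droplog:filter:IPv4'],
    before  => undef,
  }
}
```

The split into a `jump => 'LOG'` rule and a separate `action => 'drop'` rule is the point: one firewall resource has exactly one target, so "log and drop" is always two rules in the same chain, ordered by their numeric prefixes. The `before => undef` on every rule here undoes the site-wide `before => Class['my_fw::post']` default, which would otherwise make the post class a prerequisite of its own rules. Because the OUTPUT fallthrough also drops, confirm that `my_fw::pre` accepts ESTABLISHED/RELATED and the agent's own traffic before rolling this out, otherwise the first run cuts the host off from the master. After a run, `iptables -S droplog` should show the chain with the LOG rule followed by the DROP rule, and the "dropped " prefix will appear in the kernel log for anything that reaches it.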

Posted to the puppet-users group by Jim Miller, Dec 11, '13 at 10:43p (1 post in discussion).