Moving from puppet-iptables to puppet-firewall
by actionjack on February 3, 2012 | 3 comments
After months of procrastination I finally migrated from puppet-iptables to puppet-firewall and I’m so glad that I did!
I’m beginning to see what Ken Barber (@ken_barber) was hinting at when he told me at the last EU Devops Days conference that configuring Linux firewalls was just the tip of the iceberg; I can now see the path to it eventually being used to configure Cisco and Juniper based firewalls.
To get the puppet-firewall module working for me out of the box I had to add the following to my site.pp:
# Ordering anchor only: refreshonly with nothing notifying it, so it never
# actually flushes the live ruleset during a run.
exec { 'clear-firewall':
  command     => '/sbin/iptables -F',
  refreshonly => true,
}
# Runs once at the end of a run in which any firewall resource changed, so the
# ruleset survives a reboot. The redirect relies on a shell; newer Puppet needs
# provider => 'shell' for that.
exec { 'persist-firewall':
  command     => '/sbin/iptables-save >/etc/sysconfig/iptables',
  refreshonly => true,
}
# Resource defaults: every firewall resource is applied after clear-firewall
# and triggers persist-firewall when it changes.
Firewall {
  subscribe => Exec['clear-firewall'],
  notify    => Exec['persist-firewall'],
}
After that I configured a base firewall module, e.g.:
  # Remove any iptables rule Puppet does not manage, so hand-added rules
  # cannot silently persist.
  resources { 'firewall':
    purge => true,
  }
  firewall { '001 accept all icmp requests':
    proto  => 'icmp',
    action => accept,
  }
  firewall { '002 INPUT allow loopback':
    iniface => 'lo',
    chain   => 'INPUT',
    action  => accept,
  }
  # Numbered lowest so it sorts first: existing sessions are accepted before
  # any later rule is evaluated.
  firewall { '000 INPUT allow related and established':
    state  => ['RELATED', 'ESTABLISHED'],
    action => accept,
    proto  => 'all',
  }
  …
} # closes the enclosing class; its opening line is not shown in the post
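As an added example (not code from the original post or from the puppetlabs-firewall project), here is how I would extend that base ruleset into a default-deny one without risking a lockout mid-run: the accept rules live in an assumed class my_fw::pre, the final drop in an assumed class my_fw::post, and resource defaults order every other firewall resource between the two. The SSH port and the persist-firewall exec from the post are reused as assumptions here.

```puppet
# site.pp: every firewall resource is applied after 'pre' and before 'post',
# so a catalog can never place the drop rule ahead of the accept rules.
Firewall {
  require => Class['my_fw::pre'],
  before  => Class['my_fw::post'],
  notify  => Exec['persist-firewall'],
}

exec { 'persist-firewall':
  command     => '/sbin/iptables-save >/etc/sysconfig/iptables',
  refreshonly => true,
}

class my_fw::pre {
  # Rules inside 'pre' must not require 'pre' themselves (dependency loop).
  Firewall { require => undef }

  firewall { '000 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '001 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '002 accept loopback':
    chain   => 'INPUT',
    iniface => 'lo',
    action  => 'accept',
  }
  # Management access is opened explicitly (port assumed for the example).
  firewall { '100 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }
}

class my_fw::post {
  # Default deny sorts last; 'before => undef' avoids a self-dependency.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

resources { 'firewall': purge => true }
class { ['my_fw::pre', 'my_fw::post']: }
```

With purge enabled, anything not declared here is removed on the next run, so review the live ruleset (iptables -S) once before the first apply.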
Top Marks for this module!
http://github.com/puppetlabs/puppetlabs-firewall
3 comments
Yeah, it works nicely. I prefer puppet-iptables though.
by Alston Fernandez on May 6, 2012 at 3:27 am. #
Hi,
Do you also use ip6tables with that module? Would be interesting how you implemented that…
by mike on May 9, 2012 at 12:20 pm. #
Hi Mike,
Sorry I haven’t implemented ipv6 but that’s probably something I’ll try in the future.
Watch this space!
by actionjack on May 9, 2012 at 12:50 pm. #