puppetlabs-firewall issue


Pablo Morales
Jul 1, 2014, 3:17:30 PM
to puppet...@googlegroups.com
Hi there guys,
I'm new to Puppet. I think it's a great tool, and I'm trying to configure some tasks to perform automatically, like users and some services, which I had no
problems with until now, with iptables. This is what I've got:

server and client:
CentOS release 6.5 (Final)

On client:
puppet-2.7.25-2.el6.noarch

On server:
puppet-server-3.6.2-1.el6.noarch
puppet-3.6.2-1.el6.noarch

I'm following this:
https://forge.puppetlabs.com/puppetlabs/firewall

My config on server:
/etc/puppet/modules/my_fw/manifests
post.pp
pre.pp
class my_fw::post {
  firewall { '999 drop all':
    proto   => 'all',
    action  => 'drop',
    before  => undef,
  }
}

class my_fw::pre {
  Firewall {
    require => undef,
  }

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto   => 'icmp',
    action  => 'accept',
  }->
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 accept related established rules':
    proto   => 'all',
    ctstate => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }

  firewall { '100 allow http and https access':
    port   => [80, 443],
    proto  => tcp,
    action => accept,
  }

}

/etc/puppet/manifests
site.pp
# tell puppet on which client to run the class
node slnxserver {

  include users

  #resources { "firewall":
  #  purge => true
  #}

  Firewall {
    before  => Class['my_fw::post'],
    require => Class['my_fw::pre'],
  }

  class { ['my_fw::pre', 'my_fw::post']: }
  class { 'firewall': }
}

On the client I see the following:
tail -f /var/log/messages
Jul  1 16:01:09 slnxserver puppet-agent[16431]: Finished catalog run in 0.35 seconds
Jul  1 16:02:41 slnxserver puppet-agent[16431]: Finished catalog run in 0.33 seconds
Jul  1 16:04:13 slnxserver puppet-agent[16431]: Finished catalog run in 0.30 seconds
Jul  1 16:05:45 slnxserver puppet-agent[16431]: Finished catalog run in 0.28 seconds
Jul  1 16:07:17 slnxserver puppet-agent[16431]: Finished catalog run in 0.29 seconds

No problems are reported, but it seems the iptables rules are not applied. Am I missing something else?

The rule for ports 80 and 443 is not applied:

iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

If I uncomment the resource statement above I get:
puppet-agent[16431]: Failed to apply catalog: Parameter name failed on Resources[firewall]: Could not find resource type 'firewall' at /etc/puppet/manifests/site.pp:8


Thanks for your time and support; any help is appreciated.
Regards



Pablo Morales
Jul 1, 2014, 3:50:30 PM
to puppet...@googlegroups.com
If it helps this is what I see when running in debug mode:

debug: /Stage[main]/My_fw::Post/Firewall[999 drop all]/require: requires Class[My_fw::Pre]
debug: /Stage[main]/My_fw::Pre/Firewall[001 accept all to lo interface]/before: requires Firewall[002 accept related established rules]
debug: /Stage[main]/Firewall::Linux::Redhat/require: requires Package[iptables]
debug: /Stage[main]/My_fw::Pre/Firewall[000 accept all icmp]/before: requires Firewall[001 accept all to lo interface]
debug: /Stage[main]/My_fw::Pre/Firewall[100 allow http and https access]/before: requires Class[My_fw::Post]
debug: /Stage[main]/My_fw::Pre/Firewall[002 accept related established rules]/before: requires Class[My_fw::Post]
debug: /Stage[main]/Users/User[pepe]: Autorequiring Group[shame]
debug: /Schedule[daily]: Skipping device resources because running on a host
debug: /Schedule[monthly]: Skipping device resources because running on a host
debug: /Schedule[hourly]: Skipping device resources because running on a host
debug: /Schedule[never]: Skipping device resources because running on a host
debug: Prefetching yum resources for package
debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm --version'
debug: Puppet::Type::Package::ProviderYum: Executing '/bin/rpm -qa --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}
''
debug: Service[iptables](provider=redhat): Executing '/sbin/service iptables status'
debug: Puppet::Type::Service::ProviderRedhat: Executing '/sbin/chkconfig iptables'

Cory Stoker
Jul 2, 2014, 5:23:46 AM
to puppet...@googlegroups.com
Hmm...

Do you have plugin sync turned on in the agent config? You should see
something like pluginsync = true in your puppet.conf. The error
specified seems to be having an issue finding the type, which is synced
from the master to the agents through plugin sync.
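The check Cory describes, as an added example that is not part of the thread: a POSIX shell script that reads a puppet.conf and reports the setting the agent would actually use, honouring the precedence Puppet applies ([agent] overrides [main]). The puppet.conf contents are constructed for the example; on a 2.7 agent like the one in this thread, pluginsync defaults to false when the key is absent, so "unset" should be treated as disabled.

```shell
#!/bin/sh
# Added example (not from the thread): determine the effective pluginsync
# setting from a puppet.conf, honouring section precedence ([agent] wins
# over [main] for the agent). The config below is a constructed sample.

# write_sample_conf FILE: writes a constructed puppet.conf to FILE.
write_sample_conf() {
  cat > "$1" <<'EOF'
[main]
    logdir = /var/log/puppet
    pluginsync = false   # a stale [main] value that [agent] overrides

[agent]
    server = puppetmaster.example.com
    pluginsync = true
EOF
}

# effective_setting FILE KEY: prints the value of KEY as the agent sees it:
# the [agent] section wins, then [main]; prints "unset" if KEY is absent.
effective_setting() {
  awk -v key="$2" '
    /^[ \t]*\[/ {                      # section header such as [agent]
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
    {
      line = $0; sub(/#.*/, "", line)  # strip trailing comment
      n = split(line, kv, "=")
      if (n < 2) next
      k = kv[1]; gsub(/[ \t]/, "", k)
      if (k != key) next
      v = kv[2]; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      val[sec] = v                     # last assignment in a section wins
    }
    END {
      if ("agent" in val)     print val["agent"]
      else if ("main" in val) print val["main"]
      else                    print "unset"
    }' "$1"
}

# pluginsync_ok FILE: exit 0 only when plugin sync is effectively enabled,
# i.e. custom types such as firewall will be copied to the agent.
pluginsync_ok() {
  [ "$(effective_setting "$1" pluginsync)" = "true" ]
}

# Stand-alone usage against the constructed file.
tmp=$(mktemp)
write_sample_conf "$tmp"
if pluginsync_ok "$tmp"; then
  echo "pluginsync enabled: the firewall type will be synced to this agent"
else
  echo "pluginsync disabled or unset: 'Could not find resource type firewall' is expected"
fi
rm -f "$tmp"
```

On a real host the same answer comes from `puppet agent --configprint pluginsync`, which reports the value after Puppet's own parsing and defaults; the script above is useful when you only have a copy of the config file, or when you want the check inside an audit that runs without Puppet installed.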

Pablo Morales
Jul 2, 2014, 7:37:33 AM
to puppet...@googlegroups.com
Cory, thank you very much!!! That was the issue...


target     prot opt source               destination        
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo interface */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 002 accept related established rules */ ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80,443 /* 100 allow http and https access */
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */


Thanks for your time and support.
Regards
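The pre/post layout from the first post is only doing its job if the applied table keeps the rule order the manifest asked for: the 000-002 defaults first, the application rule in the middle, and the "999 drop all" catch-all last. As an added example that is not part of the thread, here is a POSIX shell check over saved `iptables -nL` output (a constructed copy of the table shown above) that extracts the Puppet rule names from the comments and verifies both properties; it generalises to any chain name.

```shell
#!/bin/sh
# Added example (not from the thread): verify a chain produced by the
# puppetlabs-firewall pre/post pattern from saved `iptables -nL` output.
# The table below is a constructed copy of the thread's final INPUT chain.

# write_sample_iptables FILE: writes the constructed `iptables -nL` output.
write_sample_iptables() {
  cat > "$1" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo interface */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* 002 accept related established rules */ ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80,443 /* 100 allow http and https access */
DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# chain_rule_names FILE CHAIN: prints the Puppet rule names (the /* ... */
# comments the module writes) of CHAIN, one per line, in table order.
chain_rule_names() {
  awk -v chain="$2" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && match($0, /\/\* [^*]* \*\//) {
      # RSTART is at "/* "; drop the 3-char opener and 3-char closer
      print substr($0, RSTART + 3, RLENGTH - 6)
    }' "$1"
}

# chain_is_sorted FILE CHAIN: exit 0 when the rule names appear in ascending
# order, i.e. the numeric prefixes the manifest relies on were honoured.
chain_is_sorted() {
  names=$(chain_rule_names "$1" "$2")
  [ -n "$names" ] && [ "$names" = "$(printf '%s\n' "$names" | LC_ALL=C sort)" ]
}

# chain_ends_with_drop FILE CHAIN: exit 0 when the last rule in CHAIN has
# target DROP, so nothing unmatched falls through to the chain policy.
chain_ends_with_drop() {
  awk -v chain="$2" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $1 ~ /^(ACCEPT|DROP|REJECT)$/ { last = $1 }
    END { exit (last == "DROP") ? 0 : 1 }' "$1"
}

# Stand-alone usage against the constructed table.
tmp=$(mktemp)
write_sample_iptables "$tmp"
for chain in INPUT FORWARD; do
  if chain_is_sorted "$tmp" "$chain" && chain_ends_with_drop "$tmp" "$chain"; then
    echo "$chain: rules ordered and terminated by a DROP"
  else
    echo "$chain: ordering or final DROP missing"
  fi
done
rm -f "$tmp"
```

Note that FORWARD and OUTPUT fail the check on purpose: the manifest in this thread only manages INPUT, and those chains keep their ACCEPT policy with no rules, which is exactly what such a check should surface.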