Puppet firewall ignore parameter


Arkadi Colson

Apr 24, 2015, 10:34:54 AM4/24/15
to puppet...@googlegroups.com
Hi

I'm trying to let puppet manage the firewall in combination with the
fail2ban tool. However, puppet keeps purging the fail2ban rules. Any idea
what's wrong with my config below:

resources { "firewall": purge => true }

Class['fw::pre'] -> Class['fw::post']

class fw::post {
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => drop,
    ignore => ['-j fail2ban-ssh']
  }

  firewallchain { 'FORWARD:filter:IPv4':
    ensure => present,
    policy => drop
  }

  firewallchain { 'fail2ban-ssh:filter:IPv4':
    ensure => present,
    purge  => false,
    ignore => ['--comment "[^"](?i:ignore)[^"]"']
  }
  ...
}

class fw::pre {
  firewall { '000 INPUT allow related and established':
    iniface => $::external_interface,
    state   => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
    proto   => 'all'
  }
  ...
}

The ignore rule looks like this:

iptables -I fail2ban-ssh -s 58.218.204.245 -m comment --comment "ignore" -j DROP

Best regards,
Arkadi Colson
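For reference, here is an added example manifest (not part of the original post) showing the chain-level purging pattern that the puppetlabs-firewall README documents for coexisting with fail2ban. It assumes a module version whose firewallchain type supports the purge and ignore parameters, and it deliberately leaves out the global resources { 'firewall': purge => true } declaration, because that declaration removes every unmanaged rule in every chain before any chain-level ignore list is consulted. The ignore entries are regular expressions matched against each rule as iptables-save prints it.

```puppet
# Added example, not from the thread: per-chain purging with ignore
# patterns instead of a global resources { 'firewall': purge => true }.
# Assumes puppetlabs-firewall's firewallchain type with 'purge'/'ignore'.
class fw::post {
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => drop,
    purge  => true,
    ignore => [
      # keep fail2ban's own jump rule into its chain
      '-j fail2ban-ssh',
      # keep any rule whose comment contains "ignore" (case-insensitive);
      # the [^"]* quantifiers let a bare comment "ignore" match as well
      '--comment "[^"]*(?i:ignore)[^"]*"',
    ],
  }

  firewallchain { 'FORWARD:filter:IPv4':
    ensure => present,
    policy => drop,
    purge  => true,
  }

  # fail2ban owns the contents of this chain: make sure it exists,
  # but never purge the ban rules it inserts at runtime.
  firewallchain { 'fail2ban-ssh:filter:IPv4':
    ensure => present,
    purge  => false,
  }
}

class fw::pre {
  firewall { '000 INPUT allow related and established':
    iniface => $::external_interface,
    state   => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
    proto   => 'all',
  }
}

Class['fw::pre'] -> Class['fw::post']
```

Before relying on this, a quick check is to add a throwaway rule with --comment "ignore" to INPUT, run the agent with --noop, and confirm that the report lists no firewall resource being removed for that rule or for the fail2ban jump.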