IPTables Firewall modules Question
112 views
Skip to first unread message
Stack Kororā
Jun 26, 2013, 9:48:05 PM6/26/13
to puppet...@googlegroups.com
Greetings,
I have a question about "best practices" for the puppet firewall module. I have pasted my basic config files below and I am curious about a few things.
* The ports that all nodes share in common I am adding to the modules/my_firewall/manifests/init.pp file, but the ports that are specific to a node I am adding to the node definition in manifests/site.pp. What should I do to prevent the firewall rules from becoming unwieldy in my site.pp file? It is fine if there are only a few ports open, but once I start adding a lot of ports to the nodes it gets rather big. Any suggestions, or is it common to have rather large node definitions?
* The documentation says that the number should be between 000..999. However, I made my post.pp deny rule as 99999 so that I could make the number the port (makes sense to me and help track which port is for what purpose; I made it that high because one app has port 27000). The vast majority of the time I don't care what order the ports are in, just so long as they appear between the pre and post section. It also helps me remember which number the rule should be so I don't have duplicate ID numbers. Does anyone else label the ID this way? Is there a problem with making this ID so large when the documentation lists the max number as 999 (I am guessing it was just a large number the author picked at random and not one with significant meaning, but I am curious)?
Also, a semi-related question since I am posting the configs...Did I do it right? :-D It works for my test cases so far. Mostly just want to check to make sure I didn't misunderstand the documentation. So if I missed something or if I goofed something up, I would appreciate a response.
Thanks!
$ cat manifests/site.pp
node 'puppet.test.domain' {
include my_firewall
firewall { '8140 Puppet Master':
port => 8140,
proto => 'tcp',
action => accept,
state => 'NEW',
}
}
$ cat modules/my_firewall/manifests/init.pp
class my_firewall () {
resources { "firewall": purge => true }
Firewall {
before => Class['my_firewall::post'],
require => Class['my_firewall::pre'],
}
firewall { '80 Webserver':
port => 80,
proto => 'tcp',
action => accept,
state => 'NEW',
}
include my_firewall::pre
include my_firewall::post
}
$ cat modules/my_firewall/manifests/pre.pp
class my_firewall::pre {
Firewall { require => undef, }
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 accept related established rules':
proto => 'all',
state => ['ESTABLISHED' , 'RELATED'],
action => 'accept',
}
}
$ cat modules/my_firewall/manifests/post.pp
class my_firewall::post {
firewall { '99999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
I have a question about "best practices" for the puppet firewall module. I have pasted my basic config files below and I am curious about a few things.
* The ports that all nodes share in common I am adding to the modules/my_firewall/manifests/init.pp file, but the ports that are specific to a node I am adding to the node definition in manifests/site.pp. What should I do to prevent the firewall rules from becoming unwieldy in my site.pp file? It is fine if there are only a few ports open, but once I start adding a lot of ports to the nodes it gets rather big. Any suggestions, or is it common to have rather large node definitions?
* The documentation says that the number should be between 000..999. However, I made my post.pp deny rule as 99999 so that I could make the number the port (makes sense to me and help track which port is for what purpose; I made it that high because one app has port 27000). The vast majority of the time I don't care what order the ports are in, just so long as they appear between the pre and post section. It also helps me remember which number the rule should be so I don't have duplicate ID numbers. Does anyone else label the ID this way? Is there a problem with making this ID so large when the documentation lists the max number as 999 (I am guessing it was just a large number the author picked at random and not one with significant meaning, but I am curious)?
Also, a semi-related question since I am posting the configs...Did I do it right? :-D It works for my test cases so far. Mostly just want to check to make sure I didn't misunderstand the documentation. So if I missed something or if I goofed something up, I would appreciate a response.
Thanks!
$ cat manifests/site.pp
node 'puppet.test.domain' {
include my_firewall
firewall { '8140 Puppet Master':
port => 8140,
proto => 'tcp',
action => accept,
state => 'NEW',
}
}
$ cat modules/my_firewall/manifests/init.pp
class my_firewall () {
resources { "firewall": purge => true }
Firewall {
before => Class['my_firewall::post'],
require => Class['my_firewall::pre'],
}
firewall { '80 Webserver':
port => 80,
proto => 'tcp',
action => accept,
state => 'NEW',
}
include my_firewall::pre
include my_firewall::post
}
$ cat modules/my_firewall/manifests/pre.pp
class my_firewall::pre {
Firewall { require => undef, }
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 accept related established rules':
proto => 'all',
state => ['ESTABLISHED' , 'RELATED'],
action => 'accept',
}
}
$ cat modules/my_firewall/manifests/post.pp
class my_firewall::post {
firewall { '99999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
Ken Barber
Jun 27, 2013, 7:33:37 AM6/27/13
to Puppet Users
> * The ports that all nodes share in common I am adding to the
> modules/my_firewall/manifests/init.pp file, but the ports that are specific
> to a node I am adding to the node definition in manifests/site.pp. What
> should I do to prevent the firewall rules from becoming unwieldy in my
> site.pp file? It is fine if there are only a few ports open, but once I
> start adding a lot of ports to the nodes it gets rather big. Any
> suggestions, or is it common to have rather large node definitions?
You can of course provide a list of dport/sport's as an array -
> modules/my_firewall/manifests/init.pp file, but the ports that are specific
> to a node I am adding to the node definition in manifests/site.pp. What
> should I do to prevent the firewall rules from becoming unwieldy in my
> site.pp file? It is fine if there are only a few ports open, but once I
> start adding a lot of ports to the nodes it gets rather big. Any
> suggestions, or is it common to have rather large node definitions?
however I normally associate a firewall port being opened with a
particular class/app and have the firewall definition defined there,
then by including the class you get the open port. For example, my
mysql module would open port 3306.
> * The documentation says that the number should be between 000..999.
> However, I made my post.pp deny rule as 99999 so that I could make the
> number the port (makes sense to me and help track which port is for what
> purpose; I made it that high because one app has port 27000). The vast
> majority of the time I don't care what order the ports are in, just so long
> as they appear between the pre and post section. It also helps me remember
> which number the rule should be so I don't have duplicate ID numbers. Does
> anyone else label the ID this way? Is there a problem with making this ID so
> large when the documentation lists the max number as 999 (I am guessing it
> was just a large number the author picked at random and not one with
> significant meaning, but I am curious)?
changed later on.
> Also, a semi-related question since I am posting the configs...Did I do it
> right? :-D It works for my test cases so far. Mostly just want to check to
> make sure I didn't misunderstand the documentation. So if I missed something
> or if I goofed something up, I would appreciate a response.
ken.
Stack Kororā
Jun 27, 2013, 8:47:42 AM6/27/13
to puppet...@googlegroups.com
On Thursday, June 27, 2013 6:33:37 AM UTC-5, Ken Barber wrote:
> * The ports that all nodes share in common I am adding to the
> modules/my_firewall/manifests/init.pp file, but the ports that are specific
> to a node I am adding to the node definition in manifests/site.pp. What
> should I do to prevent the firewall rules from becoming unwieldy in my
> site.pp file? It is fine if there are only a few ports open, but once I
> start adding a lot of ports to the nodes it gets rather big. Any
> suggestions, or is it common to have rather large node definitions?
You can of course provide a list of dport/sport's as an array -
I have been doing that for services with multiple ports. The only service I haven't figured out out to join in one statement was DNS which requires port 53 with TCP and UDP. When I tried making that an array, it only set TCP and not UDP:
proto => ['tcp','udp'],
proto => ['tcp','udp'],
When I set it to 'all' it worked, but I would rather just have two rules then 'all'. ;-)
however I normally associate a firewall port being opened with a
particular class/app and have the firewall definition defined there,
then by including the class you get the open port. For example, my
mysql module would open port 3306.
That is a great idea. It also ensures that I don't forget to open the firewall when I add a module to a new system.
[snip]
Yeah, it was made up - or at least, it was an old range that was
changed later on.
Great. I just wanted to ensure I wasn't going to cause myself problems for picking numbers so high.
Thanks Ken!
Reply all
Reply to author
Forward
0 new messages