Firewall configuration with Puppet


kenneho

Mar 14, 2008, 6:54:18 AM
to Puppet Users
Hi.


Does Puppet support (RHEL) firewall configuration? We're considering
using Puppet to manage the firewall settings on our servers, but
cannot find any documentation saying that this feature is implemented
in Puppet.


Regards,

kenneho

Duncan Hill

Mar 14, 2008, 6:58:01 AM
to puppet...@googlegroups.com

Assuming you manage the files that the configuration tool generates,
then Puppet can do it natively with a file {} and exec {} set.

huangm...@gmail.com

Mar 14, 2008, 8:41:37 AM
to Puppet Users
Using Shorewall to manage the firewall will be simple.

On Mar 14, 6:58 pm, "Duncan Hill" <bajand...@googlemail.com> wrote:

Kenton Brede

Mar 14, 2008, 9:37:59 AM
to puppet...@googlegroups.com
On 14/03/2008, kenneho <kenne...@gmail.com> wrote:

We run RHEL4/5 here. I use Puppet to manage our firewalls. Below is
the approach I took. I use a template to generate the firewalls for
each node. I place the variables the template slurps into the
site.pp file. The firewall rules generated with the template end up
in /etc/sysconfig/firewall_template.sh. To determine if the firewall
is up or not I use the iptables_check.sh script. Hope this helps.
Kent

----------------------------------------------------------------------------------------------------------------
class iptables {
  # Status script used by the service resource below to tell whether
  # a ruleset is currently loaded.
  file { "/root/bin/iptables_check.sh":
    owner  => root,
    group  => root,
    mode   => "0750",
    ensure => present,
    source => "puppet://$server/export/iptables/iptables_check.sh",
  }

  # Per-node firewall script rendered from the ERB template; the
  # variables the template reads are set in site.pp.
  file { "/etc/sysconfig/firewall_template.sh":
    owner   => root,
    group   => root,
    mode    => "0750",
    ensure  => present,
    backup  => ".puppet",
    content => template("firewall_template.erb"),
  }

  # Whenever the generated script changes, load the new rules and then
  # persist them with "iptables save" so they survive a reboot. The exec
  # only runs on refresh, i.e. when the file above is modified.
  exec { "/etc/sysconfig/firewall_template.sh && /etc/init.d/iptables save":
    subscribe   => File["/etc/sysconfig/firewall_template.sh"],
    refreshonly => true,
  }

  # Keep the firewall up: the exit code of the status script decides
  # whether the start command needs to be run.
  service { "iptables":
    status => "/root/bin/iptables_check.sh",
    start  => "/etc/init.d/iptables start",
    ensure => running,
  }
}
--------------------------------------------------------------------------------------------------------------

iptables_check.sh script
============================================
#!/bin/bash
# Exit 0 when an iptables ruleset is loaded and non-zero when the firewall
# is down, so Puppet's service resource can use this as its status command.

# grab number of lines iptables status prints
num=`/etc/init.d/iptables status | /usr/bin/wc -l`

# if the number is less than 2 the firewall is down
# ("Firewall is stopped." is a single line; a loaded ruleset prints many)
if [ "$num" -lt 2 ]; then
    exit 1
fi

exit 0
============================================
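The post above refers to firewall_template.erb but does not show it. The following is an added example of what such a template can look like; it is not the poster's file. The node variables $allowed_tcp_ports and $mgmt_net, and the @-prefixed way of reading them in the template, are assumptions for this example; site.pp would set those variables per node. The rendered script applies a default-deny inbound policy with explicit allows, and ends with a rate-limited LOG rule so that anything the policy drops still shows up in the system log.

```erb
#!/bin/bash
# Generated by Puppet from firewall_template.erb; local edits will be overwritten.
#
# Assumed node variables (hypothetical names) set in site.pp, e.g.:
#   $allowed_tcp_ports = ["80", "443"]   # services this node exposes
#   $mgmt_net          = "10.0.0.0/24"   # admin network allowed to SSH in
IPT=/sbin/iptables

# Start from a clean slate, then default-deny inbound and forwarded traffic.
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Loopback and replies to connections this host opened are always allowed.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH is only reachable from the management network.
$IPT -A INPUT -p tcp --dport 22 -s <%= @mgmt_net %> -m state --state NEW -j ACCEPT

# Per-node service ports, one ACCEPT rule per entry in the list.
<% @allowed_tcp_ports.each do |port| -%>
$IPT -A INPUT -p tcp --dport <%= port %> -m state --state NEW -j ACCEPT
<% end -%>

# Last rule: log (rate-limited) whatever falls through to the DROP policy,
# so dropped traffic is visible in /var/log/messages for troubleshooting.
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
```

Placed in the module's templates directory, this is what template("firewall_template.erb") in the class above renders into /etc/sysconfig/firewall_template.sh. Because the exec is refreshonly, changing a node's port list in site.pp re-renders the script, reloads the rules and saves them in a single agent run. Rule order matters: the LOG rule must stay last so it only records traffic that no explicit ACCEPT matched.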

Digant C Kasundra

Mar 14, 2008, 5:29:33 PM
to puppet...@googlegroups.com
--On Friday, March 14, 2008 03:54:18 AM -0700 kenneho
<kenne...@gmail.com> wrote:


If you're using iptables, you can check out:
<http://www.reductivelabs.com/trac/puppet/wiki/ModuleIptables>

Also, an iptables native type will be available soon.

--
Digant C Kasundra <dig...@stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University

Kenneth Holter

Mar 19, 2008, 5:07:00 AM
to puppet...@googlegroups.com
 
We're using iptables, so I'll check out the module you mentioned.
 
Do you know when the iptables native type will be available?
