Comments (9)
I would suggest separating them nicely: firewall and firewall6. Features are simply not the same, and providers don't do a nice job if two apply to the same system.
Helpers like parsing etc. can be moved into their own module that each can use or ignore.
from puppetlabs-firewall.
@georgkoester I'm not suggesting having two providers, we already have that; I'm suggesting one provider that manipulates either IPv6 or IPv4 depending on a parameter, or auto-detection perhaps. We can overlap the features: there is only a minor difference in the full options (less than 5% I would think), and we don't have to support the IPv6 features when IPv4 is applied; we can throw errors in those cases.
@kbarber Would that support machines with IPv4 and IPv6 addresses?
@georgkoester Yes, that would be the idea. You see, I totally agree 2 providers don't work: you can't purge properly, and introspection with puppet resource doesn't work. A perfect example of this is the gem package provider. Now the real fix is to have these problems solved in Puppet, but until that happens this is my proposal.
@kbarber OK, I was afraid it would be either IPv4 or v6 for one machine. Now I see: not using the provider param, but something new. That's very good, thanks for the explanation.
@georgkoester yeah I figure usually one can work these things out, but a separate param that is more like a bitfield (or enum field) might be better. Something like:
network_proto => ['ipv4','ipv6']
network_proto => 'all'
network_proto => 'ipv4'
(not sure if network_proto is the right one to use; just proto is taken, and well - network is the right OSI layer).
I'm almost tempted to say the default behaviour should be 'try to apply the rule to all network protocol layers'. That way people would find IPv6 and IPv4 firewalled when they do things like 'deny all port 22'. Of course, we would need address detection in that case, and it makes it tricky.
@kbarber That would be nice. Your 'all' functionality is very useful even without specifying an address. Loopback has to be allowed as a first rule, then deny rules without addresses are very valuable and fail-safe - even more important IMHO.
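The single-provider idea discussed in the two comments above (a network_proto selector that is auto-detected from the addresses when unset, errors for options the other family does not have, and an address-less deny rule landing in both tables behind a loopback accept), sketched as an added Ruby example. This is not puppetlabs-firewall code: the rule-hash keys, the families_for/render/expand helpers, the per-family option lists and the sample rules are all assumptions made for illustration.

```ruby
# Added example, not puppetlabs-firewall code: one "provider" that emits
# iptables or ip6tables commands from a rule hash. The :network_proto key,
# the helper names and the per-family option lists are assumptions.
require 'ipaddr'
require 'shellwords'

BINARY = { ipv4: 'iptables', ipv6: 'ip6tables' }.freeze
# Options that exist for only one family (illustrative, not exhaustive).
IPV4_ONLY_OPTIONS = %i[isfragment].freeze   # iptables -f
IPV6_ONLY_OPTIONS = %i[hop_limit].freeze    # ip6tables -m hl

# Which address families a rule applies to. Unset or 'all' means: follow the
# addresses if any are given, otherwise apply to both families.
def families_for(rule)
  addr_fams = [rule[:source], rule[:destination]].compact
              .map { |a| IPAddr.new(a).ipv6? ? :ipv6 : :ipv4 }.uniq # raises on hostnames
  raise ArgumentError, "#{rule[:name]}: mixed address families" if addr_fams.size > 1

  requested = case rule[:network_proto]
              when nil, 'all' then addr_fams.empty? ? %i[ipv4 ipv6] : addr_fams
              when Array      then rule[:network_proto].map(&:to_sym)
              else                 [rule[:network_proto].to_sym]
              end
  unknown = requested - BINARY.keys
  raise ArgumentError, "#{rule[:name]}: unknown family #{unknown.inspect}" unless unknown.empty?
  if addr_fams.any? && (requested - addr_fams).any?
    raise ArgumentError, "#{rule[:name]}: #{requested.inspect} requested but addresses are #{addr_fams.first}"
  end
  requested
end

# Build the argv for one family, refusing options the other family lacks
# (the "throw errors in those cases" behaviour from the proposal).
def render(rule, family)
  foreign = family == :ipv4 ? IPV6_ONLY_OPTIONS : IPV4_ONLY_OPTIONS
  bad = foreign.select { |k| rule[k] }
  raise ArgumentError, "#{rule[:name]}: #{bad.inspect} not supported for #{family}" if bad.any?

  argv = [BINARY[family], '-A', rule.fetch(:chain, 'INPUT')]
  argv += ['-i', rule[:iniface]] if rule[:iniface]
  argv += ['-p', rule[:proto]] if rule[:proto]
  argv += ['--dport', rule[:dport].to_s] if rule[:dport]
  argv += ['-s', rule[:source]] if rule[:source]
  argv += ['-d', rule[:destination]] if rule[:destination]
  argv += ['-f'] if rule[:isfragment]
  argv += ['-m', 'hl', '--hl-eq', rule[:hop_limit].to_s] if rule[:hop_limit]
  argv += ['-m', 'comment', '--comment', rule[:name], '-j', rule.fetch(:action, 'accept').upcase]
  argv
end

# Expand rules in manifest order (-A appends, so list order is evaluation order;
# a simplification, the real module orders rules differently).
def expand(rules)
  rules.flat_map { |r| families_for(r).map { |f| render(r, f) } }
end

# Constructed sample: loopback first, then addressed allows, then a blanket deny
# that lands in both tables because it names no address.
RULES = [
  { name: '000 accept all on loopback', iniface: 'lo', action: 'accept' },
  { name: '100 allow ssh from office v4', proto: 'tcp', dport: 22, source: '192.0.2.0/24', action: 'accept' },
  { name: '101 allow ssh from office v6', proto: 'tcp', dport: 22, source: '2001:db8::/32', action: 'accept' },
  { name: '999 deny ssh everywhere else', proto: 'tcp', dport: 22, action: 'drop' },
].freeze

if __FILE__ == $PROGRAM_NAME
  expand(RULES).each { |argv| puts Shellwords.join(argv) }
end
```

Running it prints six commands: the loopback accept and the final deny appear once for iptables and once for ip6tables, while each addressed allow goes only to the table matching its source family. A rule that mixes families in one address pair, asks for ipv6 with an IPv4 source, or uses isfragment under ip6tables raises instead of being silently applied.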
How about address_family instead? Seems more natural to me.
Hello! We are doing some housekeeping and noticed that this issue has been open for a long time.
We're going to close it, but please do raise another issue if the issue still persists. 😄