Comments (6)
If this can be done in away such that as a configuration it is possible to
creat the file but not actually do the (re) load.
from puppetlabs-firewall.
This could create more problems with interoperating with fail2ban and similar things, but it's otherwise easier to puppet firewall rules that way, since you could take advantage of templating. It would probably work fine if iptables-restore allowed you to restore on a per-chain basis, but it seems to only allow per-table.
from puppetlabs-firewall.
PLEASE do this. Using the iptables-restore command would be a huge win.
Also, I would try to ensure that you could ignore items based on target chain regex so that you could ignore fail2ban, libvirt, etc...
This does mean that a full restore would wipe those rules and you would have to have those service subscribe to the iptables restart exec but, when you're being authoritative, it's very difficult to add acceptance for randomization.
from puppetlabs-firewall.
iptables-restore
only takes 2 options, and neither takes a regex.
from puppetlabs-firewall.
Sorry, I wasn't clear.
You would create a file with all relevant rules and compare it with the running system. However, you would have the ability to ignore certain rules based on regex such that you could prevent reloading the config should the running configuration match the new configuration without the ignored rules.
Hopefully that's more clear.
from puppetlabs-firewall.
Hello! We are doing some house keeping and noticed that this issue has been open for a long time.
We're going to close it but please do raise another issue if the issue still persists. 😄
from puppetlabs-firewall.
Related Issues (20)
- Use nftables instead of iptables where it is supported.
- Getting problems on the firewall on redhat 8
- No value is detected for nflog-prefix HOT 2
- Allow --reject-with tcp-reset for TCP rules
- Could not evaluate: `proto` must be set to `tcp` for `isfragment` to be true.
- firewall.toports expects an undef value or a match for Pattern[/^\d+(?:-\d+)?$/], got Integer
- Hyphen in the ipset's hash name breaks a firewall resource
- Puppet repeatedly attempts to correct firewall rules when `source` has a prefix length of zero HOT 8
- Add path option for cgroup
- Add back IPv6 protocol support for recent rule masks HOT 1
- Add support for parsing and using socket parameters
- issue with match_mark regex HOT 1
- Performance degradation in resource_api version
- single quotes in rule comments produces errors HOT 4
- puppet generate types fail on versions >= 7.0.0 HOT 2
- Non idempotent logs for empty firewall chains HOT 8
- hostnames with multiple address are not handled completely
- Link in CONTRIBUTING.md returns a 404.
- Defining a state as an array can cause an unnecessary updating action
- Using a LOG jump with a log_level of 4 causes an unnecessary updating action
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from puppetlabs-firewall.