Comments (8)

kbarber avatar kbarber commented on July 23, 2024

They will 'run' or be displayed in the order specified through relationships, but this is different to the order they are inserted with iptables.

If you do 'iptables -vnL' they should show the order is lexical.

from puppetlabs-firewall.

minter avatar minter commented on July 23, 2024

Gotcha - I thought from reading the docs that puppet applied the rules in lexical order, so I was confused to see my last rule being applied first (and thus locking out my SSH session). I've gone in and applied relationships now.

kbarber avatar kbarber commented on July 23, 2024

Err - maybe I've confused the issue.

You don't need to order your rules really with require/before. While the rules are applied in what seems to be a random order - they are inserted in lexical order so the end result should be proper lexical ordering.

minter avatar minter commented on July 23, 2024

In that case, there may be a bug, because I have the namevars in lexical order (000 to 999), but when I was running the rules, Number 999 ("deny all") was getting applied early in the process, and my SSH session would get cut (because 999 deny all was being applied before 001 allow SSH).

kbarber avatar kbarber commented on July 23, 2024

Aaah ... okay. So the intended behaviour is that we insert orders lexically ... but as you have pointed out it's important to ensure the deny all is inserted last. Then ... in that case - yes - do use require/before ordering to work around that issue.

In fact - perhaps your best bet is to put the deny in a 'post' stage to ensure it always gets inserted last perhaps ... that way you don't have to stress as much about finicky relationships across classes.

Interesting.

I think this might not be a code bug - but more of a documentation bug ... I'm going to re-open it.

minter avatar minter commented on July 23, 2024

Great - where in the puppet docs is the post stage defined? I'm pretty new to the software, but that sounds like what I need.

kbarber avatar kbarber commented on July 23, 2024

http://docs.puppetlabs.com/references/stable/type.html#stage
http://docs.puppetlabs.com/guides/language_guide.html

So what you do is you put your deny all rule in a class somewhere like (this should be in a module I guess):

class my_fw::deny {
  # Catch-all rule: the "999" prefix keeps it lexically last, and running
  # the class in the "post" stage guarantees it is inserted after everything else.
  iptables { "999 deny all":
    jump => "DROP",   # iptables has no DENY target; DROP silently discards the packet
  }
}

Set up your stages in say site.pp:

stage { pre: before => Stage[main] }
stage { post: require => Stage[main] }

Then in site.pp or in the nodes/classes you want to apply this behaviour declare the class runs in stage post:

class { "my_fw::deny": stage => "post" }

Then that should ensure it always gets inserted last.
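After a Puppet run it is worth confirming that the chain really ends with the deny-all rule and that the "NNN name" comment prefixes came out in lexical order, since that is the ordering iptables will actually enforce. This added check (not from the thread or the puppetlabs-firewall module) reads the chain back in the form `iptables -S INPUT` prints; the rule dump below is constructed for the example.

```shell
#!/bin/sh
# Added example: verify the live rule order that puppetlabs-firewall produced.
# SAMPLE_RULES is a constructed stand-in for `iptables -S INPUT` output
# (one "-A INPUT ..." line per rule, in the chain's real order).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "001 allow ssh" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "002 allow established" -j ACCEPT
-A INPUT -m comment --comment "999 deny all" -j DROP'

# rule_position DUMP COMMENT -> prints the 1-based position of the rule whose
# comment is COMMENT, counted among the -A lines only; prints nothing if absent.
rule_position() {
  printf '%s\n' "$1" | grep '^-A ' | grep -n -F -- "--comment \"$2\"" | cut -d: -f1
}

# check_deny_last DUMP COMMENT -> exit 0 if the rule carrying COMMENT is the
# last -A rule in the chain, exit 1 if it is missing or anything follows it.
check_deny_last() {
  total=$(printf '%s\n' "$1" | grep -c '^-A ')
  pos=$(rule_position "$1" "$2")
  [ -n "$pos" ] && [ "$pos" -eq "$total" ]
}

# check_lexical DUMP -> exit 0 if the numeric comment prefixes appear in the
# chain in non-decreasing (lexical) order, exit 1 otherwise.
check_lexical() {
  prefixes=$(printf '%s\n' "$1" | grep '^-A ' | sed -n 's/.*--comment "\([0-9]*\).*/\1/p')
  [ "$prefixes" = "$(printf '%s\n' "$prefixes" | sort)" ]
}

# Stand-alone run against the constructed dump; on a real host use
# RULES=$(iptables -S INPUT) in place of SAMPLE_RULES.
if check_deny_last "$SAMPLE_RULES" "999 deny all" && check_lexical "$SAMPLE_RULES"; then
  echo "INPUT chain: deny-all is last and rules are in lexical order"
else
  echo "INPUT chain: ordering problem, inspect rule comments" >&2
fi
```

Running the same checks before logging out of the session that applied the catalog is a cheap way to catch the lockout described above before it happens again.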

kbarber avatar kbarber commented on July 23, 2024

I've added some notes on this problem to the quickstart section of the README now. It's a start - a lot of that generic documentation needs better flow ... but it's down on paper 'so to speak' now ... :-).