Ubuntu – Setup puppetlabs-firewall module

firewall, puppet, Ubuntu, ubuntu-12.04

Does anyone have experience setting up puppetlabs-firewall module on ubuntu 12.04?

The documentation on https://github.com/puppetlabs/puppetlabs-firewall states:

At the moment you need to provide some setup outside of what we provide in the module to support proper ordering, purging and firewall persistence.

So it is recommended that you provide the following in top scope somewhere (such as your site.pp):

# Always persist firewall rules
exec { 'persist-firewall':
  command     => $operatingsystem ? {
    'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
    /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
  },
  refreshonly => true,
}
# These defaults ensure that the persistence command is executed after 
# every change to the firewall, and that pre & post classes are run in the
# right order to avoid potentially locking you out of your box during the
# first puppet run.
Firewall {
  notify  => Exec['persist-firewall'],
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
Firewallchain {
  notify  => Exec['persist-firewall'],
}

# Purge unmanaged firewall resources
#
# This will clear any existing rules, and make sure that only rules
# defined in puppet exist on the machine
resources { "firewall":
  purge => true
}

I'm having difficulties understanding what it does and how it works.
When I put this in the top scope it locks down all my Puppet hosts. I don't want to apply firewall rules with this module to all my Puppet hosts, but just to a subset for testing purposes, since I'm using shorewall for most of my hosts and am just trying out controlling the firewall with Puppet instead of distributing shorewall config files.
Does anyone have a working setup on Ubuntu where I can assign a firewall to specific hosts with minimal duplication in the configuration? An example would really help me out.

Best Answer

To fully understand how the module works, look in $module_path/firewall/lib/puppet/{type|provider}/*. It's all written in Ruby. Even if you don't know the language, it's quite straightforward to interpret.

As mentioned in the comment, the additional code in your manifest is a workaround so the module works properly. I guess they had some issue implementing all the code directly in the type/provider via Ruby. It makes sense to use the default iptables-save functionality, because it's much easier to reload the firewall settings after a restart and it works for most popular Linux distributions.

Even if you copy/paste that code, it shouldn't affect your current configuration, as long as you don't use the resource type in the default node or in the node configuration. For testing purposes, include this code directly in the testing node. It should produce the same result. Below is an example:

    # my_fw::pre and my_fw::post are the two classes the module README
    # asks you to write yourself (accept lo/established first, drop
    # everything last). They must exist or the catalog will not compile.
    Firewall {
      notify  => Exec['persist-firewall'],
      before  => Class['my_fw::post'],
      require => Class['my_fw::pre'],
    }

    Firewallchain {
      notify  => Exec['persist-firewall'],
    }

    # Remove any iptables rule on this node that Puppet does not manage
    resources { 'firewall':
      purge => true,
    }

    firewall { '100 ssh 22':
      port   => '22',
      proto  => 'tcp',
      action => 'accept',
    }

    firewall { '100 www 80':
      port   => '80',
      proto  => 'tcp',
      action => 'accept',
    }

    firewall { '100 sql 5436':
      port   => '5436',
      proto  => 'tcp',
      action => 'accept',
    }

    firewall { '100 sql 5438':
      port   => '5438',
      proto  => 'tcp',
      action => 'accept',
    }

    firewall { '100 sql 5440':
      port   => '5440',
      proto  => 'tcp',
      action => 'accept',
    }

    # Save the running rule set, but only when notified by a rule change.
    # $::osfamily is 'Debian' on Ubuntu too; $operatingsystem would be
    # 'Ubuntu' there and match neither branch of the original selector.
    exec { 'persist-firewall':
      command     => $::osfamily ? {
        'Debian' => '/sbin/iptables-save > /etc/iptables/rules.v4',
        'RedHat' => '/sbin/iptables-save > /etc/sysconfig/iptables',
      },
      refreshonly => true,   # boolean, not the string 'true'
    }

In this example I am allowing incoming TCP connections on 22, 80, 5436 and 5438.
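
A complete manifest for the setup the question asks about, added here as an example; it is not taken from the answer above or from the puppetlabs-firewall module's own code. It keeps the purge, the persistence exec and the default rules inside a class, so only the node that declares that class gets a Puppet-managed firewall, and hosts that stay on shorewall are left alone. The node name, the ports, the source network, the `my_fw::tcp_in` wrapper and the use of the iptables-persistent package are assumptions for illustration; the `firewall` parameters (`dport`, `source`, `iniface`, `state`, `action`) and the `Firewallchain` type are the module's own.

```puppet
# Added example (not from the original post or the puppetlabs-firewall
# module). Everything is wrapped in class 'my_fw', so the purge, the
# persistence exec and the default rules only reach nodes that declare
# the class. Hostname, ports and the source network are placeholders.

class my_fw::pre {
  # Rules here must not 'require' the class they live in (cycle).
  Firewall { require => undef }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

class my_fw::post {
  # The catch-all drop must not be 'before' its own class (cycle).
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

class my_fw {
  # iptables-persistent reloads /etc/iptables/rules.v4 at boot and
  # creates /etc/iptables (assumption: package available on the host).
  if $::osfamily == 'Debian' {
    package { 'iptables-persistent':
      ensure => installed,
      before => Exec['persist-firewall'],
    }
  }

  # Runs only when notified, i.e. after a rule actually changed.
  # An unsupported osfamily fails at compile time on purpose.
  exec { 'persist-firewall':
    command     => $::osfamily ? {
      'Debian' => '/sbin/iptables-save > /etc/iptables/rules.v4',
      'RedHat' => '/sbin/iptables-save > /etc/sysconfig/iptables',
    },
    refreshonly => true,
  }

  # Delete rules Puppet does not know about, on this node only.
  resources { 'firewall': purge => true }

  # Defaults reach my_fw::pre/post because they are declared from here.
  Firewall      { notify => Exec['persist-firewall'] }
  Firewallchain { notify => Exec['persist-firewall'] }

  class { 'my_fw::pre': }
  class { 'my_fw::post': }
}

# Wrapper so per-host rules stay short. Relationships are set explicitly
# because defaults from class my_fw do not reach resources declared from
# node scope. ($source = undef leaves the rule open to any source.)
define my_fw::tcp_in($port, $source = undef) {
  firewall { "100 accept ${name} tcp/${port}":
    proto   => 'tcp',
    dport   => $port,
    source  => $source,
    action  => 'accept',
    notify  => Exec['persist-firewall'],
    require => Class['my_fw::pre'],
    before  => Class['my_fw::post'],
  }
}

# Only this node gets the Puppet-managed firewall.
node 'fw-test.example.com' {
  include my_fw
  my_fw::tcp_in { 'ssh':   port => '22' }
  my_fw::tcp_in { 'www':   port => '80' }
  my_fw::tcp_in { 'pgsql': port => '5436', source => '10.0.0.0/8' }
}

# Every other host: no my_fw, so shorewall stays in charge.
node default { }
```

The resource defaults set in `my_fw` apply to `my_fw::pre` and `my_fw::post` because those classes are declared from inside it; they do not apply to resources declared from the node block, which is why the wrapper sets `notify`, `require` and `before` itself. A node that does not include `my_fw` never sees `resources { 'firewall': purge => true }` and therefore keeps whatever shorewall installed. Before the first run on a real host, `iptables-save` on that host shows exactly which rules the purge would remove, and a run with `--noop` lists them without deleting anything.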
