Hiya,
Sorry, still learning CFEngine here. It's been a slow process, but I think I'm finally getting the hang of it; I am a little stumped by one problem, though.
I'm trying to set firewall rules based on a certain set of circumstances, i.e. if a machine is defined as a webserver then port 80 should be allowed, and if it is not a member of the webserver group, then port 80 should be denied.
shellcommands:
  webserver::
    "/sbin/iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
  !webserver::
    "/sbin/iptables -D RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
However, what I also need to do is reload the iptables process (iptables-save; iptables-reload) if a new entry is added to the list. I'd also prefer not to attempt to add duplicate listings to the firewall. I can do an iptables --list to get a list, but I'm not quite sure how to set a value on a match for a process. Ideally I'd like to do something along the lines of
classes:
  "https_port_allowed" => if_line_in_program_output("/sbin/iptables --list", "^ACCEPT.*state NEW tcp dpt:www")
But I have no clue how to do this; could someone point me in the right direction? I've tried reading all the examples, tutorials and documents I can get my hands on, but the learning curve is pretty high, so there's a good chance I've missed it :|
Thanks in advance for any help or direction anyone can give!
mitch
--
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
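The idempotent check the post asks for, as an added example that is not from the original post or from CFEngine: a POSIX shell script that parses numeric `iptables -L RH-Firewall-1-INPUT -n` output (so the rule shows `dpt:80` rather than `dpt:www`), decides whether the port-80 ACCEPT rule must be added, deleted or left alone for a host that is or is not a webserver, and only then touches the live chain and persists the ruleset. The decision logic is a pure function tested against a constructed sample listing, so it runs without root. The RHEL rules file path `/etc/sysconfig/iptables`, the chain name and the `converge` and `decide_action` helper names are assumptions of this example.

```sh
#!/bin/sh
# Idempotent port-80 rule management for the RH-Firewall-1-INPUT chain.
# Added example; not from the original post or from CFEngine.
# Assumptions: iptables is on PATH and the RHEL-style rules file is
# /etc/sysconfig/iptables (adjust for other distributions).

RULES_FILE=/etc/sysconfig/iptables
CHAIN=RH-Firewall-1-INPUT

# Constructed sample of `iptables -L RH-Firewall-1-INPUT -n` output, used
# to exercise the decision logic without touching a live firewall.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# rule_present PORT: reads a numeric (-n) rule listing on stdin and succeeds
# if an ACCEPT rule for new TCP connections to PORT is already there.
# The trailing "([[:space:]]|$)" keeps dpt:8 from matching dpt:80.
rule_present() {
    grep -Eq "^ACCEPT[[:space:]]+tcp.*state NEW tcp dpt:$1([[:space:]]|\$)"
}

# decide_action yes|no PORT LISTING: prints add, delete or noop.
# "yes" means the host is in the webserver class. Pure function, so it can
# be tested against SAMPLE_RULES without root or a real iptables.
decide_action() {
    want="$1" port="$2" listing="$3"
    if printf '%s\n' "$listing" | rule_present "$port"; then
        have=yes
    else
        have=no
    fi
    if [ "$want" = yes ] && [ "$have" = no ]; then
        echo add
    elif [ "$want" = no ] && [ "$have" = yes ]; then
        echo delete
    else
        echo noop
    fi
}

# converge yes|no PORT: apply the decision to the live firewall and persist
# the ruleset only when a rule was actually added or removed, so repeated
# runs (as CFEngine will do every pass) neither duplicate rules nor rewrite
# the rules file needlessly.
converge() {
    port="$2"
    action=$(decide_action "$1" "$port" "$(iptables -L "$CHAIN" -n)")
    case "$action" in
        add)    iptables -A "$CHAIN" -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT ;;
        delete) iptables -D "$CHAIN" -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT ;;
        noop)   echo "$action"; return 0 ;;
    esac
    iptables-save > "$RULES_FILE"
    echo "$action"
}

# Usage: on a webserver run "converge yes 80"; on any other host "converge no 80".
```

Because the script exits quietly when nothing changes, it can be run from CFEngine on every pass under both the `webserver::` and `!webserver::` classes without accumulating duplicate rules. On iptables 1.4.11 or newer, `iptables -C CHAIN rule-spec` performs the same existence check natively and avoids parsing listing output.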