The numbering in the firewall resource names is not meant for ordering their execution, but for guaranteeing their uniqueness.
I too found that using stages is the only usable way out of this. Just out of curiosity, what do you mean by:

> We ended up in situations where the drop rules would kick before the allow
> established rules, and thus kill the puppet run

In my experience, what breaks is the reporting attempt puppet clients make to the master, not the puppet run itself.

Mohamed.

On Sat, Mar 10, 2012 at 2:14 PM, Christian McHugh <christian.mch...@gmail.com> wrote:
> Sounds interesting. As far as I've seen, the puppetlabs-firewall resource
> activates instantly. I've not tried to have them all write out to a file and
> trigger an exec iptables-restore.
>
> If the firewall resource kicks the only way I think it can, then we had an
> issue of firewall ordering. While rules are defined as "100 open port" and
> "999 drop all" the numbering did not seem to make any difference. We ended
> up in situations where the drop rules would kick before the allow
> established rules, and thus kill the puppet run. Our workaround was to run
> our base open ports rules in a pre stage, normal service stuff in main, and
> the drop in post.
>
> If you have any recommendations for a better way to handle the firewall, I'd
> love to hear about it.
>
> On Saturday, March 10, 2012 1:11:02 AM UTC-6, tujwww wrote:
>>
>> Looks like you are applying the rules in Pre, Main and Post stage using
>> firewall, I wonder what could be the requirement to apply the rules in
>> different stages instead of creating a File resource, Service notify trigger
>> using Exec iptables-restore, if you don't mind giving a little elaboration.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/_GIF40iCIRYJ.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
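The pre/main/post run-stage layout Christian describes, written out as a manifest. This is an added example and not code from the thread or from the puppetlabs-firewall project; it assumes the puppetlabs-firewall module is installed and that the `firewall` type accepts the parameters used here (`proto`, `iniface`, `state`, `dport`, `action`). The class names `fw_pre`/`fw_post` and the stage names `pre`/`post` are illustrative.

```puppet
# Added example, not from the thread: a pre/main/post run-stage layout for
# puppetlabs-firewall rules. Assumes the module is installed; the class names
# fw_pre/fw_post and the stage names pre/post are illustrative.

# Two extra stages bracketing the built-in 'main' stage, so everything in
# 'pre' is applied before any service rule and everything in 'post' after.
stage { 'pre':  before  => Stage['main'] }
stage { 'post': require => Stage['main'] }

# Applied first: loopback, related/established, and the admin port, so that a
# drop rule applied later in the run cannot cut off the agent's own connection
# back to the master (or an admin's SSH session).
class fw_pre {
  firewall { '000 accept all on loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '001 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '002 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }
}

# Applied last: the catch-all drop.
class fw_post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
  }
}

class { 'fw_pre':  stage => 'pre' }
class { 'fw_post': stage => 'post' }

# Per-service rules declared normally land in 'main', between the two.
firewall { '100 accept http':
  proto  => 'tcp',
  dport  => '80',
  action => 'accept',
}
```

After a run, check the resulting chain on the host with `iptables -L INPUT -n --line-numbers` (or `iptables -S INPUT`): the related/established accept must sit above the drop rule, and the drop must be the last rule in the chain. Stages only fix the order in which Puppet applies the resources within one run; they do not change the module's own placement of rules inside a chain, so verify the live chain rather than trusting the catalog order alone.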