On 15 March 2012 22:39, Chris O'Donnell <chodo...@gmail.com> wrote:
> With our current iptables rules, we implement the following in a script:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> Then the script continues on and does the rest of the rules, some custom
> policies, etc. Now we're moving to Puppet and trying to replace all of our
> scripts. From what I can tell, the puppetlabs/firewall module doesn't allow
> a way to set the default policy for a default chain. By default, the
> puppetlabs/firewall module sets it as:
>
> INPUT ACCEPT
> FORWARD ACCEPT
> OUTPUT ACCEPT
>
> I've tried going through the module to implement this, but my Ruby skills
> aren't there yet. As this would be the default in all of our rules, I don't
> need a full implementation (i.e. able to set this from a pp file), I just
> need to be able to set it as the default for all iptables settings. Anyone
> have a hack (ugly or not) to implement this? I'm looking at other firewall
> modules, but this one is pretty slick, and would like to use this one
> (albeit with this modification) if possible.
You can achieve the same effect with a default DROP/DENY rule at the end of your chain. I have some fondness for this approach, being one of the many hapless sysadmins who have once locked themselves out of a machine by running "iptables -F" without paying attention to the policy defaults.
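To make the "default DROP rule at the end of the chain" suggestion concrete, here is an added example manifest; it is not code from the thread or from the module itself. It assumes the puppetlabs/firewall `firewall` type with its `chain`, `proto`, `iniface`, `state`, `dport` and `action` parameters, and the module's convention of ordering rules by the numeric prefix of the resource title; the class names `my_fw::pre` and `my_fw::post` are placeholders.

```puppet
# Resource defaults: every firewall rule declared elsewhere is applied
# after the 'pre' class (management access) and before the 'post' class
# (the catch-all drops), so the final DROP rules always sort last.
Firewall {
  require => Class['my_fw::pre'],
  before  => Class['my_fw::post'],
}

class my_fw::pre {
  # The global 'require' default would make these rules depend on their
  # own class, so opt out of it here.
  Firewall { require => undef }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  # Keep remote administration reachable before any other rule lands.
  firewall { '003 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }
}

class my_fw::post {
  # The chain policy stays ACCEPT (the module default). These '999' rules
  # provide deny-by-default for INPUT and FORWARD, matching the original
  # script's '-P INPUT DROP' / '-P FORWARD DROP' outcome for all traffic
  # that reached the end of the chain.
  firewall { '999 drop all input':
    chain  => 'INPUT',
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
  firewall { '999 drop all forward':
    chain  => 'FORWARD',
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Remove any rule Puppet does not manage, so a stale hand-added rule
# cannot sit above the catch-all drops unnoticed.
resources { 'firewall':
  purge => true,
}
```

The trade-off to keep in mind: because the policy remains ACCEPT, an `iptables -F` leaves the host fully open until the next Puppet run re-applies the rules, which is exactly what prevents the lock-out described above but also means a flush is a window of exposure rather than an outage. The `purge => true` resource collector keeps the rule set equal to what is in the manifest, so the catch-all drops are always the last rules present.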