Hi,
Yes, I did! I can create rules at will, the problem is that I can't
create chains using firewallchain. Here's another snippet from my class:
firewallchain {
  ['SMTP:FILTER:IPV4','HTTP:FILTER:IPV4','POP3:FILTER:IPV4','IMAP:FILTER:IPV4']:
    ensure => present,
}
(This results in 4 copies of the error message I pasted)
Rules are created like this:
firewall { '008 SMTP Jump':
  chain => 'INPUT',
  proto => 'tcp',
  dport => ['25','465','587','1025'],
  jump  => 'SMTP',
}->
(...)
firewall { '040 SMTP Allowed':
  chain  => 'SMTP',
  action => 'accept',
}->
(...)
This should, in theory, create 4 chains (SMTP, HTTP, POP3, and IMAP),
and then go ahead and create the appropriate rules. It follows the same
syntax as the example; however, it produces the same error message that
I mentioned in my original email.
This isn't a syntax error, as far as I can tell. The error I get stems
from an if/else statement that I believe is doing something odd. I
mention this in the bottom half of my original email.
When I replace the firewallchains call with a custom define that
executes "iptables -N ${name}", I am able to create all my chains and
rules assuming I start with a blank iptables. However, this starts to
get tricky when I have some chains that already exist, and no easy/clean
mechanism to check for their existence. I am trying to avoid this
scenario, and would rather use firewallchains to manage my chains.
-Chris B.
On 11/14/12 12:25 PM, Dan White wrote:
Also, did you see the example in the firewall module README.markdown?
Creating a new rule that forwards to a chain, then adding a rule to this chain:
firewall { '100 forward to MY_CHAIN':
  chain => 'INPUT',
  jump  => 'MY_CHAIN',
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
  ensure => present,
}
firewall { '100 my rule':
  chain  => 'MY_CHAIN',
  action => 'accept',
  proto  => 'tcp',
  dport  => 5000,
}
----- Original Message -----
From: "Dan White" <y...@comcast.net>
To: puppet-users@googlegroups.com
Sent: Wednesday, November 14, 2012 12:09:48 PM
Subject: Re: [Puppet Users] firewallchain issues w/ 1.0.0 release
I believe this is to implement user defined chain-names.
It is a way to group firewall rules.
Try this for explanation:
http://my.safaribooksonline.com/book/operating-systems-and-server-administration/linux/0596004613/networking/linuxsvrhack-chp-4-sect-5
“Sometimes I think the surest sign that intelligent life exists elsewhere in
the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
----- Original Message -----
From: "oogs" <o...@merit.edu>
To: puppet-users@googlegroups.com
Sent: Wednesday, November 14, 2012 11:55:25 AM
Subject: [Puppet Users] firewallchain issues w/ 1.0.0 release
Hi,
First, some software versions, just to get them out of the way:
- CentOS 5.x through CentOS 6.2
- Ruby 1.8.5 - 1.8.7
- Puppet 2.7.19
- Facter 1.6.11
Just a note - we're working from the EPEL repos almost exclusively.
I am working with the firewall module, and so far I am unable to use
firewallchain. Some digging suggests that it's not completely user error
(though I know I should never rule that out...). Here's my code:
firewallchain { "SSH:FILTER:IPv4":
  ensure => present,
}
That block of code results in this error:
puppet-agent[22035]: Failed to apply catalog: Parameter name failed:
Inbuilt chains must be in the form {chain}:{table}:{protocol} where
{table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty
(alias for filter), chain can be anything without colons or one of
PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the
inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet
bridging) got 'SSH:FILTER:IPv4' table:'' chain:'' protocol:''
That error code is produced in lib/puppet/type/firewallchain.rb, by
this snippet of code:
validate do |value|
  if value !~ Nameformat then
    (error message)
  else
    (more stuff)
  end
end
After poking at this a bit, it turns out that Nameformat is blank when
that if statement is run, instead of containing what is defined in
lib/puppet/provider/firewallchain/iptables_chain.rb.
I know very little about Ruby right now, so I'm not in a good position
to troubleshoot the Ruby code. I was wondering if someone else had run
into this issue, and if so, how did you solve it?
I would appreciate any help I can get on this, as I'm stumped.
-Chris B.
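The namevar format that the error message above spells out ({chain}:{table}:{protocol}) can be checked without depending on a constant defined in another file, which is the failure mode this thread describes. The following is an added example, not code from the firewall module or from anyone in this thread; the constant names are my own, and treating the table and protocol as case-insensitive is an assumption (both 'filter' and 'FILTER' appear in the thread).

```ruby
# Added example, not the firewall module's own code: a standalone parser
# for the firewallchain namevar format {chain}:{table}:{protocol} quoted in
# the error message. Constant names here are assumptions, not the module's.

TABLES    = %w[FILTER NAT MANGLE RAW RAWPOST BROUTE].freeze
PROTOCOLS = %w[IPv4 IPv6 ethernet].freeze
INBUILT   = %w[PREROUTING POSTROUTING BROUTING INPUT FORWARD OUTPUT].freeze

# The pattern lives next to the code that uses it, so validation can never
# run against an empty pattern loaded from elsewhere (the thread's symptom:
# "value !~ Nameformat" with Nameformat blank rejects every name).
NAME_FORMAT = /\A([^:]+):([^:]*):([^:]+)\z/

# Returns { chain:, table:, protocol:, inbuilt: } for a valid name, or nil
# when the name does not match the documented format.
def parse_chain_name(value)
  m = NAME_FORMAT.match(value.to_s)
  return nil unless m
  chain, table, protocol = m.captures
  table = 'FILTER' if table.empty?          # empty table is an alias for filter
  table = table.upcase                      # assumption: table is case-insensitive
  protocol = PROTOCOLS.find { |p| p.casecmp?(protocol) }  # assumption: same for protocol
  return nil unless TABLES.include?(table) && protocol
  { chain: chain, table: table, protocol: protocol, inbuilt: INBUILT.include?(chain) }
end

# Boolean wrapper mirroring what a type's validate block needs.
def valid_chain_name?(value)
  !parse_chain_name(value).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: the ones from this thread plus two malformed ones.
  ['SSH:FILTER:IPv4', 'MY_CHAIN:filter:IPv4', 'INPUT::IPv4', 'bad:name', 'a:b:c:IPv4'].each do |n|
    puts "#{n.ljust(22)} -> #{parse_chain_name(n).inspect}"
  end
end
```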
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.