I am using the Puppetlabs firewall module to manage our firewall. All 
servers get our core ruleset:

*modules/mycompany/manifests/firewall/pre.pp:*

class mycompany::firewall::pre {

  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto   => 'icmp',
    action  => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto   => 'all',
    state   => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }

}

*modules/mycompany/manifests/firewall/core.pp:*

class mycompany::firewall::core {

  firewall { '100 allow SSH':
    proto   => 'tcp',
    port    => [22],
    action  => 'accept',
  }
  firewall { '101 allow salt-minion communication':
    proto   => 'tcp',
    port    => [4505,4506,4510,4511],
    action  => 'accept',
  }
  firewall { '102 allow DNS UDP':
    proto   => 'udp',
    port    => [53],
    action  => 'accept',
  }
  firewall { '103 allow DNS TCP':
    proto   => 'tcp',
    port    => [53],
    action  => 'accept',
  }
  firewall { '104 allow NTP traffic':
    proto   => 'udp',
    port    => [123],
    action  => 'accept',
  }

}

*modules/mycompany/manifests/firewall/post.pp:*

class mycompany::firewall::post {

  firewall { '999 drop all':
    proto   => 'all',
    action  => 'drop',
    before  => undef,
  }

}

We also have some rules that are added based on server roles dynamically 
via hiera:

*modules/mycompany/manifests/firewall/puppet.pp:*

class mycompany::firewall::puppet {

  firewall { '105 allow puppet communication':
    proto   => 'tcp',
    port    => [8140],
    action  => 'accept',
  }

}

*modules/mycompany/manifests/firewall/database.pp:*

class mycompany::firewall::database {

  firewall { '106 allow Percona/MySQL communication':
    proto   => 'tcp',
    port    => [3306],
    action  => 'accept',
  }

}

This worked perfectly when I spun up a server with no role (and therefore 
no extra rules). However, when I spun up servers with the 'puppet' & 
'database' roles (and therefore the extra rules) it hung at:

*Notice: /Stage[main]/Mycompany/Firewall[9001 
fe701ab7ca74bd49f13b9f0ab39f3254]/ensure: removed*

My SSH session eventually disconnects with a broken pipe. The puppet server 
I spun up yesterday was available when I got into the office this morning, 
so it seems they do eventually come back, but it takes some time. Is there 
any reason I am getting cut off like that, and is there any way to avoid it?
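The pre, core, role and post classes above are normally tied together in the site manifest with resource defaults, so that every firewall resource in the catalog, including the ones declared by role classes, is applied after the pre rules and before the '999 drop all' rule. The following is an added example of that wiring in the shape the puppetlabs-firewall module documents; it is not code from the original post. It reuses the poster's mycompany::firewall::* class names; the purge line and the way role classes are pulled in are assumptions, since the post does not show its site manifest or hiera data.

```puppet
# Added example: site-level wiring for the mycompany::firewall::* classes.
# Not from the original post; it mirrors the ordering pattern documented
# by the puppetlabs-firewall module. Purging and role inclusion are
# assumptions about a site manifest that the post does not show.

# Remove iptables rules Puppet does not manage (assumption: the site
# purges, which is what produces "Firewall[...]/ensure: removed" notices
# for rules with generated names such as '9001 <md5>').
resources { 'firewall':
  purge => true,
}

# Resource defaults at top scope: every firewall resource, including the
# role-specific ones in mycompany::firewall::puppet and ::database, is
# ordered after the pre class and before the post class. The pre class
# sets require => undef and the post class sets before => undef (as in
# the post) so these defaults do not create a dependency cycle.
Firewall {
  require => Class['mycompany::firewall::pre'],
  before  => Class['mycompany::firewall::post'],
}

# Declare the pre and post classes and the module's own class, which
# manages the iptables service and persistence.
class { ['mycompany::firewall::pre', 'mycompany::firewall::post']: }
class { 'firewall': }

# Core ruleset on every node; role rulesets are included per node through
# hiera in the poster's setup (assumption: a hiera 'classes' lookup).
include mycompany::firewall::core
hiera_include('classes')
```

Without the `Firewall { require => ..., before => ... }` defaults, nothing in the catalog orders a role class's accept rules relative to the drop rule, and the applied order then depends only on catalog evaluation order; whether the poster's site manifest already carries these defaults is not visible in the post.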
