Opening this question that I posted on the ask site <http://ask.puppetlabs.com/question/14917/firewall-rule-proto-default/> to a wider (?) audience:
Quick question regarding the handling of proto in puppetlabs-firewalls. If I do a man on ip(6)tables I see:

    -p, --protocol protocol
        The protocol of the rule or of the packet to check. The specified
        protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or all,
        or it can be a numeric value, representing one of these protocols or
        a different one. A protocol name from /etc/protocols is also allowed.
        A "!" argument before the protocol inverts the test. The number zero
        is equivalent to all. Protocol all will match with all protocols and
        is taken as default when this option is omitted.

And from a quick look at lib/puppet/type/firewalls.rb I see:

    newproperty(:proto) do
      desc <<-EOS
        The specific protocol to match for this rule. By default this is
        *tcp*.
      EOS
      newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp,
                  :ipencap, :ospf, :gre, :cbt, :all].collect do |proto|
        [proto, "! #{proto}".to_sym]
      end.flatten)
      defaultto "tcp"
    end

Now, I can edit the file to change the value to defaultto "all", and the rules look something like

    firewall { '1990 related established':
      action   => 'accept',
      state    => ['RELATED', 'ESTABLISHED'],
      chain    => 'OUTPUT',
      provider => 'iptables',
    }

The difference in configuration rules (sample system) goes from:

    [root@ms1 ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    :
    :
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 990 related established */ state RELATED,ESTABLISHED
    :
    :
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 623 /* 992 ipmi */ state NEW
    :
    :
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 999 drop all */

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    :
    :
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1990 related established */ state RELATED,ESTABLISHED
    :
    :
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1999 drop all */

to:

    [root@ms1 ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    :
    :
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* 990 related established */ state RELATED,ESTABLISHED
    :
    :
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 623 /* 992 ipmi */ state NEW
    :
    :
    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* 999 drop all */

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    :
    :
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* 1990 related established */ state RELATED,ESTABLISHED
    :
    :
    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* 1999 drop all */

but I am not sure if this is desired or even incorrect modification behaviour.
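The listings above show the practical consequence of the module's default: a rule written without an explicit proto, such as "999 drop all", is rendered as a TCP-only DROP, so in a chain whose policy is ACCEPT every non-TCP packet (UDP, ICMP, and so on) falls through to the policy and is accepted. The following script is an added example, not code from the post or from the puppetlabs-firewall module; it parses `iptables -L -n` output and flags DROP/REJECT rules that look like catch-alls (any source, any destination, no other match) but only cover a single protocol. The two sample listings are constructed from the post's output with the author's ":" elision markers removed so that every line parses.

```python
"""Find protocol-limited 'catch-all' DROP rules in `iptables -L -n` output.

Added example for the puppetlabs-firewall proto-default discussion. The two
listings below are constructed from the post's 'before' and 'after' output.
"""
import re
from dataclasses import dataclass

# Constructed: the post's listing with proto defaulting to tcp.
SAMPLE_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 990 related established */ state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 623 /* 992 ipmi */ state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1990 related established */ state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            /* 1999 drop all */
"""

# Constructed: the same listing after the default was changed to all.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("ACCEPT     tcp", "ACCEPT     all") \
                            .replace("DROP       tcp", "DROP       all")

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
COMMENT_RE = re.compile(r"/\* (.*?) \*/")
ANY_ADDR = {"0.0.0.0/0", "::/0"}   # 'any' for iptables and ip6tables


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    comment: str
    matches: str   # match-extension text left after removing the comment


@dataclass
class Chain:
    name: str
    policy: str    # None for user-defined chains (they have no policy)
    rules: list


def parse_iptables(listing):
    """Parse `iptables -L -n` / `ip6tables -L -n` text into Chain objects."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), [])
            chains[current.name] = current
            continue
        if current is None or line.startswith("target"):
            continue   # column header (or text before the first chain)
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        target, prot, _opt, src, dst = fields[:5]
        rest = fields[5] if len(fields) > 5 else ""
        cm = COMMENT_RE.search(rest)
        comment = cm.group(1) if cm else ""
        matches = " ".join(COMMENT_RE.sub("", rest).split())
        current.rules.append(Rule(target, prot, src, dst, comment, matches))
    return chains


@dataclass
class Gap:
    chain: str
    policy: str
    comment: str
    prot: str


def find_protocol_gaps(chains):
    """DROP/REJECT rules with any src/dst and no other match, but a single
    protocol, in a chain whose policy is ACCEPT: every other protocol falls
    through to the policy and is accepted."""
    gaps = []
    for chain in chains.values():
        if chain.policy != "ACCEPT":
            continue
        for r in chain.rules:
            if (r.target in ("DROP", "REJECT") and r.prot != "all"
                    and r.source in ANY_ADDR and r.destination in ANY_ADDR
                    and not r.matches):
                gaps.append(Gap(chain.name, chain.policy, r.comment, r.prot))
    return gaps


def report(chains):
    """One human-readable line per gap."""
    return [f"{g.chain}: '{g.comment}' drops only {g.prot}; other protocols "
            f"fall through to policy {g.policy}" for g in find_protocol_gaps(chains)]


if __name__ == "__main__":
    for label, text in (("default proto tcp", SAMPLE_BEFORE), ("proto all", SAMPLE_AFTER)):
        print(f"== {label} ==")
        print("\n".join(report(parse_iptables(text))) or "no protocol gaps")
```

Run against live output with `iptables -L -n | python3 check_proto.py`-style plumbing by reading stdin instead of the constructed samples. Note that the check does not require editing the module: since the type's newvalues list includes `all`, the same result is obtained by setting `proto => 'all'` explicitly on the catch-all resources, which keeps the module's default untouched and makes the intent visible in the manifest.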