Permalink
Browse files

(#13216) Fix README so setup instructions actually work

The old setup instructions were vague, and incorrect. This fixes those
instructions so they actually work, and breaks them out into their own
section.(#13216) Fix README so setup instructions actually work
  • Loading branch information...
kbarber committed Mar 19, 2012
1 parent b5b55dd commit be6d30c339411069d29ae460b67b9a5ae912974a
Showing with 79 additions and 33 deletions.
  1. +79 −33 README.markdown
View
@@ -74,6 +74,85 @@ need to run Puppet on the master first:
You may also need to restart Apache, although this shouldn't always be the
case.
+### Recommended Setup
+
+At the moment you need to provide some setup outside of what we provide in the
+module to support proper ordering, purging and firewall peristence.
+
+So It is recommended that you provide the following in top scope somewhere
+(such as your site.pp):
+
+ # Always persist firewall rules
+ exec { 'persist-firewall':
+ command => $operatingsystem ? {
+ 'debian' => '/sbin/iptables-save > /etc/iptables/rules.v4',
+ /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
+ },
+ refreshonly => true,
+ }
+
+ # These defaults ensure that the persistence command is executed after
+ # every change to the firewall, and that pre & post classes are run in the
+ # right order to avoid potentially locking you out of your box during the
+ # first puppet run.
+ Firewall {
+ notify => Exec['persist-firewall'],
+ before => Class['my_fw::post'],
+ require => Class['my_fw::pre'],
+ }
+ Firewallchain {
+ notify => Exec['persist-firewall'],
+ }
+
+ # Purge unmanaged firewall resources
+ #
+ # This will clear any existing rules, and make sure that only rules
+ # defined in puppet exist on the machine
+ resources { "firewall":
+ purge => true
+ }
+
+In this case, it uses classes called 'my_fw::pre' & 'my_fw::post' to define
+default pre and post rules. These rules are required to run in catalog order
+to avoid locking yourself out of your own boxes when Puppet runs, as
+the firewall class applies rules as it processes the catalog.
+
+An example of the pre class would be:
+
+ # This would be located in my_fw/manifests/pre.pp
+ class my_fw::pre {
+ Firewall {
+ require => undef,
+ }
+
+ # Default firewall rules
+ firewall { '000 accept all icmp':
+ proto => 'icmp',
+ action => 'accept',
+ }->
+ firewall { '001 accept all to lo interface':
+ proto => 'all',
+ iniface => 'lo',
+ action => 'accept',
+ }->
+ firewall { '002 accept related established rules':
+ proto => 'all',
+ state => ['RELATED', 'ESTABLISHED'],
+ action => 'accept',
+ }
+ }
+
+And an example of a post class:
+
+ # This would be located in my_fw/manifests/post.pp:
+ class my_fw::post {
+ firewall { '999 drop all':
+ proto => 'all',
+ action => 'drop',
+ before => undef,
+ }
+ }
+
### Examples
Basic accept ICMP request example:
@@ -117,39 +196,6 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain:
dport => 5000,
}
-You can make firewall rules persistent with the following iptables example:
-
- exec { "persist-firewall":
- command => $operatingsystem ? {
- "debian" => "/sbin/iptables-save > /etc/iptables/rules.v4",
- /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
- }
- refreshonly => true,
- }
- Firewall {
- notify => Exec["persist-firewall"]
- }
- Firewallchain {
- notify => Exec["persist-firewall"]
- }
-
-If you wish to ensure any reject rules are executed last, try using stages.
-The following example shows the creation of a class which is where your
-last rules should run, this however should belong in a puppet module.
-
- class my_fw::drop {
- iptables { "999 drop all":
- action => "drop"
- }
- }
-
- stage { pre: before => Stage[main] }
- stage { post: require => Stage[main] }
-
- class { "my_fw::drop": stage => "post" }
-
-By placing the 'my_fw::drop' class in the post stage it will always be inserted
-last thereby avoiding locking you out before the accept rules are inserted.
### Further documentation

0 comments on commit be6d30c

Please sign in to comment.