example42 / puppet-firewall

Example42 Firewall abstraction meta-module
http://www.example42.com

Add support for ipfilters #8

Closed janorn closed 11 years ago

janorn commented 11 years ago

https://github.com/janorn/puppet-ipfilter

alvagante commented 11 years ago

What is the ipfilter module that would work with iptables::rule? Is it really necessary to change the default values of the firewall define?

janorn commented 11 years ago

As it is now the firewall module overwrites the default values for both the iptables module and the ipfilters module. Why does the iptables::rule have these then?

$source = '0/0', $source_v6 = '0/0', $destination = '0/0', $destination_v6 = '0/0',

I need to rewrite the ipfilters module otherwise to manage an empty but not undef source/destination. Seems a bit strange. I mean why bother having defaults at all then?

alvagante commented 11 years ago

Well, you might use the iptables module without the firewall one... In any case, going to verify if there are some backwards incompatibilities. When you are confident that the ipfilter module is stable I would like to add it to the modules' set. Also I wonder if it makes sense to add, in the firewall module, the reference to the iptables/ipfilter modules only for the correct operating system. (It makes no sense to add ipfilter rules on a Linux machine, even if firewall_tool contains ipfilter)

janorn commented 11 years ago

I changed some more in the firewall module. My belief is that, as both underlying modules default to tcp, the wrapper should do this as well. This in itself makes the check for a protocol when there is a port assigned unnecessary.

Perhaps it needs to be documented that protocol => '' equals all protocols. Or we need to add some more case statements either in firewall or in iptables and ipfilter modules.

all | any => '',

Or similar.

janorn commented 11 years ago

I rewrote my earlier patches. Now it uses case and also makes a smart choice if no tool has been selected.
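The two ideas discussed in this thread, mapping `all`/`any` to an empty protocol (so the backend rule matches every protocol) and picking the backend from the operating system when no firewall_tool is given, can be sketched as a wrapper define. This is an added example, not code from the example42 firewall module or from the PR; the define name `firewall::rule_example`, the parameter set, and the assumption that `ipfilter::rule` accepts the same parameters as `iptables::rule` (source/destination are visible above, port/protocol are mentioned in the discussion) are assumptions.

```puppet
# Added example (hypothetical wrapper), not the example42 firewall module's own code.
# It normalises the protocol value and selects the backend from the OS family
# when the caller has not chosen one, so ipfilter rules are never emitted on Linux.
define firewall::rule_example (
  $port          = '',
  $protocol      = 'tcp',   # both backends default to tcp, so the wrapper does too
  $source        = '',
  $destination   = '',
  $firewall_tool = '',      # '' means "let the wrapper decide"
) {
  # '' is what the backends treat as "all protocols"; accept 'all'/'any' as aliases.
  $real_protocol = $protocol ? {
    /^(all|any)$/ => '',
    default       => $protocol,
  }

  # Smart default: ipfilter only makes sense on Solaris, iptables elsewhere.
  $real_tool = $firewall_tool ? {
    ''      => $::osfamily ? {
      'Solaris' => 'ipfilter',
      default   => 'iptables',
    },
    default => $firewall_tool,
  }

  case $real_tool {
    'iptables': {
      iptables::rule { $name:
        port        => $port,
        protocol    => $real_protocol,
        source      => $source,
        destination => $destination,
      }
    }
    'ipfilter': {
      # Assumption: ipfilter::rule takes the same parameters as iptables::rule.
      ipfilter::rule { $name:
        port        => $port,
        protocol    => $real_protocol,
        source      => $source,
        destination => $destination,
      }
    }
    default: {
      fail("firewall::rule_example ${name}: unsupported firewall_tool '${real_tool}'")
    }
  }
}
```

A caller that writes `firewall::rule_example { 'ssh': port => '22' }` gets a tcp rule through whichever backend matches the node's OS family; passing `protocol => 'any'` produces an empty protocol for the backend, which is the behaviour the thread suggests documenting.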

alvagante commented 11 years ago

I'm tempted to add https://github.com/janorn/puppet-ipfilter to the nextgen repo and accept this PR... have you tested widely enough the ipfilter module and its integration with the firewall one? I've no Solaris setups on which to test this decently

janorn commented 11 years ago

We use it in production... no issues so far.

alvagante commented 11 years ago

Closing the PR, going to accept only fixes for nextgen modules. New features have to go to 3.x modules. For details take a look at the last comments in https://github.com/example42/puppet-puppet/pull/62 Sorry for the late feedback on this, looking forward to introducing ipfilter support on the new firewall module.