tedivm / puppet-hieratic

Create Puppet Resources and Classes Directly in Hiera
https://forge.puppetlabs.com/tedivm/hieratic
MIT License

Allow Arrays for Firewall Ip #1

Closed Wildcarde closed 9 years ago

Wildcarde commented 9 years ago

It would be great from a typing / code sprawl perspective to be able to supply an array for the 'source:' flag of an iptables rule and have the package expand that to a set of rules, one for each source entry, instead of having to duplicate the entry for each network source. So instead of:

'069 accept tftp requests on specified interfaces - RedNet UDP':
  chain: 'INPUT'
  source: '10.0.16.0/20'
  proto: 'udp'
  dport: '69'
  action: 'accept'

'069 accept tftp requests on specified interfaces - BlueNet UDP':
  chain: 'INPUT'
  source: '10.2.144.0/20'
  proto: 'udp'
  dport: '69'
  action: 'accept'

You would just have:

'069 accept tftp requests on specified interfaces':
  chain: 'INPUT'
  source:

Even more typing could be eliminated by allowing an array for the protocol and dport entries as well but the main stumbling block I've hit is the source entries so far.
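As an added illustration of the expansion the request describes (example code, not part of tedivm/hieratic or of puppet/firewall), the wrapper class below reads a hash of rules from Hiera and emits one `firewall` resource per entry in an array-valued `source`, while still accepting a plain string. The class name `profile::fw`, the Hiera key `profile::fw::multi_source_rules` and the title suffixing scheme are assumptions; it relies on Puppet 4+ language features (typed parameters, `each`, the `*` attribute splat) and on the `firewall` resource type from the puppetlabs/firewall module, whose `chain`, `source`, `proto`, `dport` and `action` parameters are used unchanged.

```puppet
# Hypothetical Hiera data this class expects (e.g. in common.yaml):
#
#   profile::fw::multi_source_rules:
#     '069 accept tftp requests on specified interfaces':
#       chain: 'INPUT'
#       source: ['10.0.16.0/20', '10.2.144.0/20']
#       proto: 'udp'
#       dport: '69'
#       action: 'accept'

class profile::fw (
  # Each key is a rule title; each value is a hash of firewall parameters.
  Hash $multi_source_rules = lookup('profile::fw::multi_source_rules', Hash, 'hash', {}),
) {
  $multi_source_rules.each |String $title, Hash $rule| {
    # Normalise 'source' to an array so a single string keeps working.
    $sources = $rule['source'] ? {
      Array   => $rule['source'],
      default => [ $rule['source'] ],
    }

    $sources.each |String $src| {
      # Resource titles must be unique, so each expanded rule carries its
      # source in the title; everything else is copied from the Hiera hash,
      # with 'source' overridden by the single address for this copy.
      firewall { "${title} - ${src}":
        * => $rule + { 'source' => $src },
      }
    }
  }
}
```

The same normalise-then-iterate pattern can be applied to other parameters; `dport` in puppetlabs/firewall already accepts an array (rendered as a multiport match), so only parameters the underlying type treats as scalars need this expansion. Because each expanded rule keeps the leading number of the original title, the module's ordering by title is preserved across the generated copies.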

tedivm commented 9 years ago

You should poke the "puppet/firewall" module developers and ask for this feature there. If they add support for it then it'll automatically get picked up here.

tedivm commented 9 years ago

In fact there's a ticket already opened for this on their bug tracker. I'd suggest poking them and letting them know you're interested in it.

Wildcarde commented 9 years ago

Sounds good, I'll +1 the request.

Wildcarde commented 9 years ago

I don't want to reopen this issue, but do you have any idea how hieratic firewall management will meld with something like garethr-docker (https://github.com/garethr/garethr-docker), which has to make adjustments to iptables to make docker work as desired?

tedivm commented 9 years ago

It's really going to depend on what those modifications are, but generally speaking I don't see why they would interfere with each other.