
firewall rule for each node

asked 2014-10-16 15:30:51 -0600

yaplej


Is there any way to create a firewall rule for each node in puppet?

firewall { '### accept puppet node':
  chain  => 'INPUT',
  proto  => 'tcp',
  state  => 'NEW',
  source => $nodeip,
  dport  => ['8140','61613'],
  action => 'accept',
}

It seems like it would need to be a function rather than a typical rule.


2 Answers


answered 2014-10-16 16:51:30 -0600

vmule

you may take a look into exported resources:

something like:

class firewall {
  # Declare:
  @@firewall { '### accept puppet node':
    chain  => 'INPUT',
    proto  => 'tcp',
    state  => 'NEW',
    source => $nodeip,
    dport  => ['8140','61613'],
    action => 'accept',
  }
  # Collect:
  Firewall <<| |>>
}



Exported resources won't work if the agents are the ones that send their IP addresses.

robrwo (2014-10-17 08:45:15 -0600)

So exported resources seem like they are what I need after trying a few things. I should be able to export a rule directly from the default node (rather than from a class). Just to make sure this works. I still don't seem to collect any rules on my master.

yaplej (2014-10-25 09:11:15 -0600)

I actually have this mostly working now. The only problem I seem to have is collecting resources exported by the same system. It collects other hosts' exported resources, just not its own. I am thinking it's a bug? Here is the config.

yaplej (2014-10-25 21:14:14 -0600)

answered 2014-10-17 05:10:59 -0600

robrwo

The "easiest" way to do this is to use the future parser and run an each loop on it, but I've heard from PuppetLabs that the feature isn't yet ready for production.

The other way is to create a custom resource that implements your firewall rule, using the $name as the input:

define mynodefirewall {
  firewall { "500 accept puppet node ${name}": # title must start with a number; ${name} keeps each instance's title unique
    chain => 'INPUT', proto => 'tcp', state => 'NEW', action => 'accept',
    source => $name,
    dport  => ['8140','61613'],
  }
}

and then create the resource using a list of nodes

mynodefirewall { $nodeiplist: }

This is a common if ugly pattern.

If this weren't firewall rules to allow puppet nodes to connect to the puppetmaster, I would have suggested using virtual resources where each node declares a virtual resource with its IP address, and the server instantiates the virtual resources. But that wouldn't work in this case, because nodes would be blocked from connecting to the puppetmaster.

But I will step back and ask why you need to do this, since nodes will not be able to connect unless approved on the puppetmaster in the first place. (Or is this because your puppetmaster is on the open Internet?)



Yes, the master is on the Internet and cannot change that. So I have opted for VERY strict firewall rules. All inbound and outbound traffic is blocked. To join a new node I manually add a temp rule. After the node is joined my manual rule will be removed and the puppet rule replaces it.

yaplej (2014-10-17 20:40:57 -0600)

I think the virtual resource idea might be the way to go. I can add my temporary rule for adding the node and once the node is joined the virtual resource rule would replace it. Am I reading into what you're saying correctly?

yaplej (2014-10-17 20:46:17 -0600)

That can work, *but* firewall will wipe out the rules and re-add them in each run, which could knock off your nodes if they happen to be talking to the puppetmaster. I think you're better off adding them into hiera.

robrwo (2014-10-20 11:35:17 -0600)

Is that because virtual resources get run each time? My rules are not getting modified each time right now and I have a bunch of them defined on my puppet master node. I'm still not clear on where or how to define them as virtual and have them applied to the puppet master.

yaplej (2014-10-24 20:54:29 -0600)

I *think* that something should be defined/declared on the default node and then implemented/realized on the puppet master so it will generate all the firewall rules.

yaplej (2014-10-24 22:44:24 -0600)
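The define-with-$name pattern from robrwo's answer, fed from hiera as he suggests in the comments, written out as an added example that is not code from this thread or from the puppetlabs-firewall module. The hiera key puppet_nodes, the class name profile::puppet_master_fw, the define name puppet_node_allow and the sample addresses are assumptions.

```puppet
# Assumed hiera data (constructed sample, documentation range addresses):
#   puppet_nodes:
#     - '192.0.2.10'
#     - '192.0.2.11'

define puppet_node_allow {
  # $name is one node IP. Interpolating it into the title keeps every
  # instance unique (a fixed title would be a duplicate declaration once the
  # define is used for more than one node); the numeric prefix is what the
  # firewall module sorts rules by.
  firewall { "500 accept puppet node ${name}":
    chain  => 'INPUT',
    proto  => 'tcp',
    state  => 'NEW',
    source => $name,
    dport  => ['8140', '61613'],
    action => 'accept',
  }
}

class profile::puppet_master_fw {
  # List of agent IPs maintained in hiera; empty list if the key is missing.
  $nodeiplist = hiera('puppet_nodes', [])

  # Accept already-established connections first, so re-applying the rule
  # set does not cut off an agent that is mid-run (the concern raised in the
  # comments above).
  firewall { '000 accept established':
    chain  => 'INPUT',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # One accept rule per node IP, titled '500 accept puppet node <ip>'.
  puppet_node_allow { $nodeiplist: }

  # Everything not explicitly accepted above is dropped.
  firewall { '999 drop everything else':
    chain  => 'INPUT',
    action => 'drop',
  }
}
```

Adding a node then becomes a hiera change plus a run on the master, rather than hand-editing rules.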


Seen: 421 times

Last updated: Oct 17 '14