
puppet firewall and puppet agent -t, does the firewall go "down" (empty) for a bit?

asked 2015-05-07 11:41:51 -0600

cjcox

When using the puppetlabs firewall module in puppet 3, as an agent node does a "puppet agent -t", does the firewall actually open up for a split second? Will the normal batch checks on the agents also have this behavior for a config change that really doesn't involve the firewall? I'd like it if, when a new (regular) rule (for example) to open up a port is needed, it were merely added in rather than any kind of "purge" or "stop". Maybe it doesn't "purge" anything or "stop" anything. I guess I need some assurance of how the module works. Any details anywhere? Not talking about using the module, but what happens underneath the covers.


1 Answer


answered 2015-05-08 07:14:31 -0600

rnelson0

Under the covers: You didn't specify your OS version, so I chose the Red Hat Enterprise Linux family. The service is managed in firewall::linux::redhat. There are utilities associated with the provider that describe the method for saving the firewall rules. The arguments provided to iptables are shown here. There's much more in the guts of the provider to explore; most of it is honestly beyond me, but I get the general gist of it. In particular, the insert_args method uses -I and a rule number to place the rule in the proper spot. Once the firewall rules are purged up front (assuming you have that set), future edits should only be performed in-place without removing the existing policy first.

Anecdotal answer: I have seen the firewall 'hang' on initial provisioning, sometimes to the extent that I need two runs to finish provisioning (on the first run it sometimes appears the network is blocked, as yum fails to download any cache elements). I haven't been able to determine a pattern, and it's such an edge case that it's not really worth my effort. After provisioning, I've only seen the firewall affected when rules are changed, but never by removing the policy or stopping the service. It does happen pretty quickly, though; I've never hammered on it, but if there were an issue I suspect it would be related to iptables' own ability to insert rules rather than the puppetlabs-firewall module.

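As an added illustration (not from the answer above, and not the module's own code), this is the pre/post-class pattern for puppetlabs-firewall that keeps a baseline in place when purging is enabled, so the one-time purge the answer mentions never leaves the node without its RELATED/ESTABLISHED accept rule while ordinary rules are inserted in place. The resource and parameter names (firewall, resources, action, state, iniface, dport, purge) are assumed to match the module releases current for Puppet 3.

```puppet
# Added example: baseline rules first, catch-all drop last, regular rules in between.
class my_fw::pre {
  # Undo the global 'require' below so the baseline does not depend on itself.
  Firewall {
    require => undef,
  }
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  # Keeps existing sessions (including the agent's own) alive across a purge.
  firewall { '003 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

class my_fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,  # the global 'before' below would be circular here
  }
}

# Purge rules that Puppet does not manage (the "purged up front" case in the answer).
resources { 'firewall':
  purge => true,
}

# Every other firewall rule in the catalog is ordered between pre and post; the
# provider then places each one with 'iptables -I <chain> <n>' rather than flushing.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

class { ['my_fw::pre', 'my_fw::post']: }

# A regular rule, e.g. the "open up a port" case from the question.
firewall { '100 accept ssh':
  proto  => 'tcp',
  dport  => 22,
  action => 'accept',
}
```

Running the agent with --debug shows the exact iptables invocations the provider executes, which is the quickest way to confirm that only -I/-D calls, and no flush, occur on a routine change.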


Last updated: May 08 '15