
puppetlabs-firewall default policy to DROP

asked 2013-08-25 05:04:53 -0600



I am trying to use puppetlabs-firewall to set the default policy to DROP for INPUT, OUTPUT and FORWARD. It is working fine, but the policy is set at the beginning and not at the end. When running "puppet agent --test", I cannot see the remaining traces of the puppet execution because of that. Is there a way to ensure that the firewallchain resources for the default policy are applied in the "my_fw::post" class?




Could you post the code example, so it is easier to understand where the potential problem is? Especially the `class my_fw::post`.

golja ( 2013-08-25 05:21:49 -0600 )

1 Answer


answered 2013-08-25 17:09:32 -0600


updated 2014-05-06 02:24:45 -0600

Hi golja,

Actually, when copying and pasting the class, I think I found my mistake. The code was like this:

class my_firewall::post {

  # Resource defaults for every firewallchain declared in this class
  Firewallchain {
    ensure => present,
    policy => 'drop',
  }

  firewallchain { 'INPUT:filter:IPv4': }
  firewallchain { 'INPUT:filter:IPv6': }
  firewallchain { 'OUTPUT:filter:IPv4': }
  firewallchain { 'OUTPUT:filter:IPv6': }
  firewallchain { 'FORWARD:filter:IPv4': }
  firewallchain { 'FORWARD:filter:IPv6': }
}

I guess that replacing this block:

  Firewallchain {
    ensure => present,
    policy => 'drop',
  }

by this one might help:

  Firewallchain {
    ensure => present,
    policy => 'drop',
    before => undef,
  }

The next problem is that during the next update the default policy will be DROP, and it blocks the network again while the rules are re-instantiated if they were modified.

In order to make this work, I had to modify the code of puppetlabs-firewall to prevent the autorequire for INPUT:filter:..., OUTPUT:filter:..., FORWARD:filter:... The patch allows the default policy to be set at the end. You can find it in the new version of puppetlabs-firewall on github (code merged on 2013-09-13).

The class applied before any firewall rule (for more detail on the global configuration, see the README):

class my_firewall::pre {
  # The site-wide Firewall default requires this class; the rules declared
  # here must not require the class they live in.
  Firewall {
    require => undef,
  }

  # ensure that the default policy is temporarily set to ACCEPT to avoid blocking the second update
  exec { 'override default policy firewall to accept':
    command  => 'iptables -t filter -P INPUT ACCEPT; iptables -t filter -P FORWARD ACCEPT; iptables -t filter -P OUTPUT ACCEPT',
    # three iptables invocations are chained with ';', so run them through a shell
    provider => 'shell',
    path     => ['/sbin', '/usr/sbin'],
    # No Exec['override default policy firewall to drop'] exists (see the comments
    # below): the DROP policy is set by the Firewallchain resources in my_firewall::post.
  }

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
}

I also added the code above in my_fw::pre to ensure that if all the rules are changed, the connection is not blocked again (warning: during the puppet update the firewall has ACCEPT as its default policy, so if you run it often this is a security issue).



What does the exec { 'override default policy firewall to drop': } look like, and is it located in post.pp?

Dan M ( 2014-05-01 12:29:09 -0600 )

Actually, there is no exec for the drop; it is managed by the Firewallchain at the top of post.pp (with policy 'drop'). Hope this clarifies.

doc75 ( 2014-05-05 02:33:13 -0600 )

So, to summarize, **notify => Exec['override default policy firewall to drop']** should be removed from the **exec** block, right? Another point is **before => undef**: was it added to or removed from the Firewallchain block?

Dan M ( 2014-05-05 12:27:04 -0600 )

Sorry, I edited the post wrongly. It is now fixed: the 'before => undef' has been added, otherwise the Firewallchain is set too early in the process.

doc75 ( 2014-05-06 02:25:39 -0600 )
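A complete pre/post layout for the setup discussed in the question and answer, as an added example that is not part of the original answer nor of the puppetlabs-firewall module itself. It follows the ordering pattern from the module's README (Firewall resource defaults in site.pp, a pre class whose rules must not require themselves, a post class holding the DROP policies) and relies on the module version that no longer autorequires the built-in chains (merged 2013-09-13 according to the answer), so that the chains declared in my_fw::post really are applied last. The class name my_fw, the rule names and the ports are assumptions. Because OUTPUT is dropped as the question asks, the agent's own outbound traffic (established connections, loopback, DNS, TCP 8140 to the Puppet master) is allowed explicitly; without that, the first run that sets the OUTPUT policy cuts the agent off from its master.

```puppet
# --- site.pp (added example; my_fw and the rule names are assumptions) ---
# Every firewall rule is applied after my_fw::pre and before my_fw::post,
# so the DROP policies declared in my_fw::post are the last thing set.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

# Purge rules that Puppet does not manage: a rule added by hand would
# otherwise survive every run and silently weaken the policy.
resources { 'firewall':
  purge => true,
}

# --- my_fw/manifests/pre.pp ---------------------------------------------
class my_fw::pre {
  # The site-wide default says require => Class['my_fw::pre']; the rules
  # declared here must not require the class they live in.
  Firewall {
    require => undef,
  }

  # Applied first: these keep the SSH session and the agent's own
  # connections alive while the rest of the rule set is rewritten.
  firewall { '000 accept related established inbound':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '003 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    action => 'accept',
  }

  # OUTPUT is dropped in my_fw::post, so the outbound traffic the agent
  # needs has to be allowed explicitly (ports are assumptions).
  firewall { '004 accept related established outbound':
    chain  => 'OUTPUT',
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '005 accept all from lo interface outbound':
    chain    => 'OUTPUT',
    proto    => 'all',
    outiface => 'lo',
    action   => 'accept',
  }
  firewall { '006 accept outbound dns':
    chain  => 'OUTPUT',
    proto  => 'udp',
    dport  => '53',
    action => 'accept',
  }
  firewall { '007 accept outbound to puppet master':
    chain  => 'OUTPUT',
    proto  => 'tcp',
    dport  => '8140',
    action => 'accept',
  }
}

# --- my_fw/manifests/post.pp --------------------------------------------
class my_fw::post {
  # Only the built-in filter chains get a policy. No firewall rule in the
  # catalog depends on these resources, so they run after every firewall {}.
  Firewallchain {
    ensure => present,
    policy => 'drop',
  }
  firewallchain { 'INPUT:filter:IPv4': }
  firewallchain { 'FORWARD:filter:IPv4': }
  firewallchain { 'OUTPUT:filter:IPv4': }
  # No IPv6 accept rules are declared above (they would need
  # provider => 'ip6tables'), so these policies drop all IPv6 traffic.
  firewallchain { 'INPUT:filter:IPv6': }
  firewallchain { 'FORWARD:filter:IPv6': }
  firewallchain { 'OUTPUT:filter:IPv6': }
}
```

The Firewall default in site.pp applies only to firewall resources, so the firewallchain resources inside my_fw::post do not inherit a `before` pointing at their own class; if you also declare a site-wide Firewallchain default, the chains in my_fw::post need `before => undef` as in the answer. Because rules are changed one at a time and the RELATED/ESTABLISHED rule is applied first, a re-run under a DROP policy does not cut the session the agent is running in, which is what makes the temporary ACCEPT exec from the answer, and the open window it creates, unnecessary in this layout. Check the result after a run with `iptables -S` and `ip6tables -S`: the policy lines (`-P INPUT DROP` and so on) should be present together with the numbered accept rules above them.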
