GNOME Bugzilla – Bug 592017
Firewall configuration in Puppet
Last modified: 2013-05-28 12:33:45 UTC
Currently firewalls on each machine are configured by:

- Going to the machine
- Editing /etc/sysconfig/iptables
- 'service iptables restart'

This means that there is no version control on the config, no peer-reviewable trail of changes, and if we had to rebuild one of the machines from scratch, we'd have to repeat the exercise of figuring out the rules.

The config should be managed by puppet like the rest of the config. There are various recipes and examples of doing this out there; I don't have a particular recommendation. Whatever we choose should allow:

- Global rules in our default classes (no firewall on eth1)
- Service-specific rules (open port 80 for httpd)
- Machine-specific rules (open port 9070 for buildbot on fixed.gnome.org to particular build slaves)

It would be nice, though not essential, if there was a defined ordering for how those different classes of rules got written into the final iptables configuration, so we could make machine-specific rules that block as well as allow. (E.g., only allow access to the mysql port on drawable's eth1 to a small set of machines.)
I'd like to tackle this. For starters I think simply importing the existing rules into puppet on a per-host basis would be simple enough. This way we at least get the revision control and the peer-review. Nothing complicated, just a case statement per host and an application of the appropriate file/. After that is done we can look at global rules, etc.
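One way to get both the per-host layout proposed in the comment above and the layered, ordered rule classes asked for in the report, as an added example that is not the GNOME sysadmin team's puppet/modules/iptables code: it assumes the puppetlabs/concat module (concat and concat::fragment with an order parameter) is available, assembles /etc/sysconfig/iptables from ordered fragments, and reloads the service on change. Hostnames and the ports 80 and 9070 are taken from the report; the MySQL port 3306, the order bands, and the source networks (marked PLACEHOLDER) are assumptions for illustration.

```puppet
# Added example, not the project's own module. Assumes puppetlabs/concat.
# The file is built from fragments sorted by 'order' (lowest first), so
# the write order in the file is the evaluation order in the INPUT chain.
class iptables::base {
  concat { '/etc/sysconfig/iptables':
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    notify => Service['iptables'],   # reload when any fragment changes
  }

  # Header: default-deny INPUT, keep established flows and loopback.
  concat::fragment { 'iptables-header':
    target  => '/etc/sysconfig/iptables',
    order   => '01',
    content => "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n",
  }

  # Footer: COMMIT must be the last line of the file.
  concat::fragment { 'iptables-footer':
    target  => '/etc/sysconfig/iptables',
    order   => '99',
    content => "COMMIT\n",
  }

  service { 'iptables': ensure => running, enable => true }
}

# One INPUT rule. Order bands (an assumption, not from the report):
#   10-19 machine-specific rules, may DROP before later allows are reached
#   50-59 service-specific allows
#   80-89 global allows from the default classes
define iptables::rule (
  $proto  = undef,
  $port   = undef,
  $source = undef,
  $iface  = undef,
  $action = 'ACCEPT',
  $order  = '50',
) {
  if $iface  { $i = " -i ${iface}" }     else { $i = '' }
  if $source { $s = " -s ${source}" }    else { $s = '' }
  if $proto  { $p = " -p ${proto}" }     else { $p = '' }
  if $port   { $d = " --dport ${port}" } else { $d = '' }
  concat::fragment { "iptables-rule-${name}":
    target  => '/etc/sysconfig/iptables',
    order   => $order,
    content => "-A INPUT${i}${s}${p}${d} -j ${action}\n",
  }
}

# Global rule from the default classes: no firewall on eth1.
class iptables::global {
  iptables::rule { 'eth1-open': iface => 'eth1', order => '80' }
}

# Service-specific rule, declared by the httpd class.
class httpd::firewall {
  iptables::rule { 'httpd': proto => 'tcp', port => 80, order => '50' }
}

# Machine-specific rules: one node block per host, as the comment proposes.
node 'fixed.gnome.org' {
  include iptables::base
  include iptables::global
  iptables::rule { 'buildbot-slaves':
    proto  => 'tcp',
    port   => 9070,
    source => 'BUILD_SLAVE_NET_PLACEHOLDER',   # placeholder, not a real network
    order  => '50',
  }
}

node 'drawable' {
  include iptables::base
  include iptables::global
  # Allow the trusted set first, then DROP the port on eth1 at order 11 so
  # the global 'eth1-open' allow at order 80 never sees MySQL traffic.
  iptables::rule { 'mysql-trusted':
    proto  => 'tcp',
    port   => 3306,                            # assumed MySQL port
    iface  => 'eth1',
    source => 'TRUSTED_NET_PLACEHOLDER',       # placeholder, not a real network
    order  => '10',
  }
  iptables::rule { 'mysql-block-eth1':
    proto  => 'tcp',
    port   => 3306,
    iface  => 'eth1',
    action => 'DROP',
    order  => '11',
  }
}
```

Because every rule is a concat fragment with an explicit order, the rendered file is deterministic and diffable in revision control, and a review of a change shows exactly where in the chain a new rule lands relative to the global allows.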
Submitted module to infrastructure list for review.
An iptables class has been introduced into Puppet already. Look into puppet/modules/iptables.