Found a couple of issues that I fixed as I was reviewing and pushed
directly as they were relatively minor/straightforward changes (and we
are right up against time).
Feel free to provide further patches if that seems correct.
Thanks,
Mike
On 04/01/2011 11:28 AM, Mohammed Morsi wrote:
---
recipes/aeolus_recipe/manifests/aeolus.pp | 2 -
recipes/aeolus_recipe/manifests/conductor.pp | 5 -
recipes/firewall/README | 1 -
.../firewall/files/chain_rules/filter/FORWARD.head | 1 -
.../firewall/files/chain_rules/filter/FORWARD.tail | 1 -
.../firewall/files/chain_rules/filter/INPUT.head | 9 -
.../firewall/files/chain_rules/filter/INPUT.tail | 5 -
.../firewall/files/chain_rules/filter/OUTPUT.head | 1 -
.../firewall/files/chain_rules/filter/OUTPUT.tail | 1 -
.../firewall/files/chain_rules/mangle/FORWARD.head | 1 -
.../firewall/files/chain_rules/mangle/FORWARD.tail | 1 -
.../firewall/files/chain_rules/mangle/INPUT.head | 1 -
.../firewall/files/chain_rules/mangle/INPUT.tail | 1 -
.../files/chain_rules/mangle/POSTROUTING.head | 1 -
.../files/chain_rules/mangle/POSTROUTING.tail | 1 -
recipes/firewall/files/chain_rules/nat/OUTPUT.head | 1 -
recipes/firewall/files/chain_rules/nat/OUTPUT.tail | 1 -
.../files/chain_rules/nat/POSTROUTING.head | 1 -
.../files/chain_rules/nat/POSTROUTING.tail | 1 -
.../firewall/files/chain_rules/nat/PREROUTING.head | 1 -
.../firewall/files/chain_rules/nat/PREROUTING.tail | 1 -
recipes/firewall/files/chain_rules/raw/OUTPUT.head | 1 -
recipes/firewall/files/chain_rules/raw/OUTPUT.tail | 1 -
.../firewall/files/chain_rules/raw/PREROUTING.head | 1 -
.../firewall/files/chain_rules/raw/PREROUTING.tail | 1 -
recipes/firewall/files/iptables-update.sh | 199 --------------------
recipes/firewall/manifests/defines.pp | 77 --------
recipes/firewall/manifests/init.pp | 102 ----------
recipes/firewall/templates/rule.erb | 70 -------
29 files changed, 0 insertions(+), 490 deletions(-)
delete mode 100644 recipes/firewall/README
delete mode 100644 recipes/firewall/files/chain_rules/filter/FORWARD.head
delete mode 100644 recipes/firewall/files/chain_rules/filter/FORWARD.tail
delete mode 100644 recipes/firewall/files/chain_rules/filter/INPUT.head
delete mode 100644 recipes/firewall/files/chain_rules/filter/INPUT.tail
delete mode 100644 recipes/firewall/files/chain_rules/filter/OUTPUT.head
delete mode 100644 recipes/firewall/files/chain_rules/filter/OUTPUT.tail
delete mode 100644 recipes/firewall/files/chain_rules/mangle/FORWARD.head
delete mode 100644 recipes/firewall/files/chain_rules/mangle/FORWARD.tail
delete mode 100644 recipes/firewall/files/chain_rules/mangle/INPUT.head
delete mode 100644 recipes/firewall/files/chain_rules/mangle/INPUT.tail
delete mode 100644 recipes/firewall/files/chain_rules/mangle/POSTROUTING.head
delete mode 100644 recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail
delete mode 100644 recipes/firewall/files/chain_rules/nat/OUTPUT.head
delete mode 100644 recipes/firewall/files/chain_rules/nat/OUTPUT.tail
delete mode 100644 recipes/firewall/files/chain_rules/nat/POSTROUTING.head
delete mode 100644 recipes/firewall/files/chain_rules/nat/POSTROUTING.tail
delete mode 100644 recipes/firewall/files/chain_rules/nat/PREROUTING.head
delete mode 100644 recipes/firewall/files/chain_rules/nat/PREROUTING.tail
delete mode 100644 recipes/firewall/files/chain_rules/raw/OUTPUT.head
delete mode 100644 recipes/firewall/files/chain_rules/raw/OUTPUT.tail
delete mode 100644 recipes/firewall/files/chain_rules/raw/PREROUTING.head
delete mode 100644 recipes/firewall/files/chain_rules/raw/PREROUTING.tail
delete mode 100644 recipes/firewall/files/iptables-update.sh
delete mode 100644 recipes/firewall/manifests/defines.pp
delete mode 100644 recipes/firewall/manifests/init.pp
delete mode 100644 recipes/firewall/templates/rule.erb
diff --git a/recipes/aeolus_recipe/manifests/aeolus.pp
b/recipes/aeolus_recipe/manifests/aeolus.pp
index a7496db..fec4265 100644
--- a/recipes/aeolus_recipe/manifests/aeolus.pp
+++ b/recipes/aeolus_recipe/manifests/aeolus.pp
@@ -1,7 +1,5 @@
# Aeolus puppet definitions
-import "firewall"
-
import "postgres"
import "apache"
import "rails"
diff --git a/recipes/aeolus_recipe/manifests/conductor.pp
b/recipes/aeolus_recipe/manifests/conductor.pp
index 1d43ce8..cd2934a 100644
--- a/recipes/aeolus_recipe/manifests/conductor.pp
+++ b/recipes/aeolus_recipe/manifests/conductor.pp
@@ -20,11 +20,6 @@ class aeolus::conductor inherits aeolus {
### Setup selinux for deltacloud
selinux::mode{"permissive":}
- ### Setup firewall for deltacloud
- firewall::rule{"http": destination_port => '80' }
- firewall::rule{"https": destination_port => '443'}
- firewall::rule{"ssh": destination_port => '22'}
-
### Start the aeolus services
file {"/var/lib/condor/condor_config.local":
source =>
"puppet:///modules/aeolus_recipe/condor_config.local",
diff --git a/recipes/firewall/README b/recipes/firewall/README
deleted file mode 100644
index 5fb3acc..0000000
--- a/recipes/firewall/README
+++ /dev/null
@@ -1 +0,0 @@
-Module documentation for firewall
diff --git a/recipes/firewall/files/chain_rules/filter/FORWARD.head
b/recipes/firewall/files/chain_rules/filter/FORWARD.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/filter/FORWARD.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/filter/FORWARD.tail
b/recipes/firewall/files/chain_rules/filter/FORWARD.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/filter/FORWARD.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.head
b/recipes/firewall/files/chain_rules/filter/INPUT.head
deleted file mode 100644
index ca7bbed..0000000
--- a/recipes/firewall/files/chain_rules/filter/INPUT.head
+++ /dev/null
@@ -1,9 +0,0 @@
-# INPUT.head
--P INPUT ACCEPT
-#-i lo -m comment --comment "localhost access" -j ACCEPT
--i lo -j ACCEPT
-#-m state --state RELATED,ESTABLISHED -m comment --comment "All
established/related" -j ACCEPT
--m state --state RELATED,ESTABLISHED -j ACCEPT
-# -p icmp -m comment --comment "allow icmp/ping traffic" -j ACCEPT
--p icmp -j ACCEPT
-
diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.tail
b/recipes/firewall/files/chain_rules/filter/INPUT.tail
deleted file mode 100644
index 1c983ec..0000000
--- a/recipes/firewall/files/chain_rules/filter/INPUT.tail
+++ /dev/null
@@ -1,5 +0,0 @@
-# INPUT.tail
-# -m comment --comment "Logging" -m limit --limit 3/minute -j LOG --log-prefix
"[IPTABLES] INPUT : "
--m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
-
--j REJECT
diff --git a/recipes/firewall/files/chain_rules/filter/OUTPUT.head
b/recipes/firewall/files/chain_rules/filter/OUTPUT.head
deleted file mode 100644
index 4c40843..0000000
--- a/recipes/firewall/files/chain_rules/filter/OUTPUT.head
+++ /dev/null
@@ -1 +0,0 @@
-# OUTPUT.head
diff --git a/recipes/firewall/files/chain_rules/filter/OUTPUT.tail
b/recipes/firewall/files/chain_rules/filter/OUTPUT.tail
deleted file mode 100644
index 9effd41..0000000
--- a/recipes/firewall/files/chain_rules/filter/OUTPUT.tail
+++ /dev/null
@@ -1 +0,0 @@
-# OUTPUT.tail
diff --git a/recipes/firewall/files/chain_rules/mangle/FORWARD.head
b/recipes/firewall/files/chain_rules/mangle/FORWARD.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/FORWARD.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/mangle/FORWARD.tail
b/recipes/firewall/files/chain_rules/mangle/FORWARD.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/FORWARD.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/mangle/INPUT.head
b/recipes/firewall/files/chain_rules/mangle/INPUT.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/INPUT.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/mangle/INPUT.tail
b/recipes/firewall/files/chain_rules/mangle/INPUT.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/INPUT.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head
b/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail
b/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/OUTPUT.head
b/recipes/firewall/files/chain_rules/nat/OUTPUT.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/OUTPUT.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/OUTPUT.tail
b/recipes/firewall/files/chain_rules/nat/OUTPUT.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/OUTPUT.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/POSTROUTING.head
b/recipes/firewall/files/chain_rules/nat/POSTROUTING.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/POSTROUTING.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail
b/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/PREROUTING.head
b/recipes/firewall/files/chain_rules/nat/PREROUTING.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/PREROUTING.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/nat/PREROUTING.tail
b/recipes/firewall/files/chain_rules/nat/PREROUTING.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/nat/PREROUTING.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/raw/OUTPUT.head
b/recipes/firewall/files/chain_rules/raw/OUTPUT.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/raw/OUTPUT.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/raw/OUTPUT.tail
b/recipes/firewall/files/chain_rules/raw/OUTPUT.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/raw/OUTPUT.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/raw/PREROUTING.head
b/recipes/firewall/files/chain_rules/raw/PREROUTING.head
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/raw/PREROUTING.head
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/chain_rules/raw/PREROUTING.tail
b/recipes/firewall/files/chain_rules/raw/PREROUTING.tail
deleted file mode 100644
index 1bb8bf6..0000000
--- a/recipes/firewall/files/chain_rules/raw/PREROUTING.tail
+++ /dev/null
@@ -1 +0,0 @@
-# empty
diff --git a/recipes/firewall/files/iptables-update.sh
b/recipes/firewall/files/iptables-update.sh
deleted file mode 100644
index 3911548..0000000
--- a/recipes/firewall/files/iptables-update.sh
+++ /dev/null
@@ -1,199 +0,0 @@
-#!/bin/bash
-
-firewallDir="/usr/share/firewall"
-
-# firewallDir contains a directory for each table (filter, nat, mangle)
-# - each table dir contains a dir for each chain in that table
-# - each chain dir has link files that are iptables snippets
-# - each table dir can contain a CHAIN.head file, which goes in front of the chain
-# - each table dir can contain a CHAIN.tail file, which goes in back of the chain
-# and should set default policy
-#
-# Example firewallDir layout
-# filter
-# INPUT
-# ftp
-# http
-# smb
-# INPUT.head
-# INPUT.tail
-# OUTPUT
-# OUTPUT.head
-# FORWARD
-# nat
-# PREROUTING
-#
-# Any chains not in this tree will be removed from the running config
-
-#oldTable=$(mktemp oldTable.XXXXXX)
-#currentTable=$(mktemp currTable.XXXXXX)
-if [ "$1" == 'DEBUG' ]; then
- DEBUG=1
-else
- DEBUG=0
-fi
-IPTABLES="/sbin/iptables"
-
-# iptables wrapper
-function ipt {
-
- if [ "$DEBUG" -eq 1 ]; then
- echo "DEBUG: running $IPTABLES $@"
- eval $IPTABLES $@
- else
- eval $IPTABLES $@ 2>/dev/null
- fi
-
- retVal="$?"
- return $retVal
-}
-
-function insertEntry {
- table="$1"
- chain="$2"
- entryNum="$3"
- shift; shift; shift
- ENTRY="$@"
-
- # Remove the -A if it's there, we already know the table and chain
- # This will make it easier to create the files, as you can just copy/paste
- # from an iptables-save
- ENTRY=$(echo $ENTRY | sed 's/^-A [0-9a-zA-Z-]* //')
-
- # Insert at the enegrep -v '^([[:space:]]*#|[[:space:]]*$)'d of the new
section
- if echo "$ENTRY" | grep -q '^-P'; then
- ipt -t $table $ENTRY
- else
- ipt -t $table -I $chain $entryNum $ENTRY
- fi
-}
-
-function removeComments {
- filename="$1"
- egrep -v '^([[:space:]]*#|[[:space:]]*$)' $filename 2>/dev/null
-}
-
-
-# write out the current firewall
-#iptables-save> $oldTable
-
-# Set up all the tables in advance.
-pushd ${firewallDir}> /dev/null
-for table in *; do
- # A particular table
- if [ -d "$table" ]; then
- pushd "$table"> /dev/null
- for chain in *; do
- if [ ! -d "$chain" ]; then
- # Only directories are valid chains
- continue
- fi
-
- #create the table
- ipt -t $table -N $chain 2> /dev/null
- done
- popd> /dev/null
- fi
-done
-popd> /dev/null
-
-# Put the iptables pieces into the full layout of the table
-pushd ${firewallDir}> /dev/null
-for table in *; do
- if [ -d "$table" ]; then
- pushd "$table"> /dev/null
- for chain in *; do
- if [ ! -d "$chain" ]; then
- # Only directories are valid chains
- continue
- fi
-
- echo "Working on chain $chain in table $table"
- numEntries=0
-
- echo "Adding rules to chain $chain in table $table"
- if [ -f "${chain}.head" ]; then
- # The head of the firewall goes in first.
- while read ENTRY; do
- if echo "$ENTRY" | grep -qv '^-P'; then
- let numEntries="$numEntries + 1"
- fi
- insertEntry $table $chain $numEntries $ENTRY
- done< <( removeComments "${chain}.head" )
- fi
-
- # go into the chain, add all the link files to the firewall
- pushd $chain> /dev/null
- for link in *; do
- while read ENTRY; do
- if echo "$ENTRY" | grep -qv '^-P'; then
- let numEntries="$numEntries + 1"
- fi
- insertEntry $table $chain $numEntries $ENTRY
- done< <( removeComments "$link" )
- done
- popd> /dev/null
-
- if [ -f "$chain.tail" ]; then
- # The tail of the firewall goes in last.
- while read ENTRY; do
- if echo "$ENTRY" | grep -qv '^-P'; then
- let numEntries="$numEntries + 1"
- fi
-
- insertEntry $table $chain $numEntries $ENTRY
- done< <( removeComments "${chain}.tail" )
- fi
-
- # flush out the old rules from this chain
- echo "Cleaning chain $chain in table $table..."
- let oldEntry="$numEntries + 1"
- while ipt -t $table -D $chain $oldEntry; do
- echo -en "."
- done
- echo -en "\n"
- done
- popd> /dev/null
- fi
-done
-popd> /dev/null
-
-# Delete all rules from the chains that shouldn't be there
-pushd ${firewallDir}> /dev/null
-for table in *; do
- pushd "$table"> /dev/null> /dev/null
- for chain in $(iptables-save | sed -n '/^\*'$table'/,/^\*/p' | grep
'^:' | cut -d' ' -f1 | sed 's/://'); do
- if [ ! -d "$chain" ]; then
- # Flush the chain
- echo "Flushing rules from chain $chain in table $table"
- ipt -t $table -F $chain
- fi
- done
- popd> /dev/null
-done
-popd> /dev/null
-
-# delete the chains that shouldn't be there
-pushd ${firewallDir}> /dev/null
-for table in filter nat mangle; do
- if [ ! -d "$table" ]; then
- # This table isn't used, clear it
- ipt -t $table -F
- ipt -t $table -X
- else
-
- pushd "$table"> /dev/null
- for chain in $(iptables-save | sed -n '/^\*'$table'/,/^\*/p' | grep
'^:' | cut -d' ' -f1 | sed 's/://'); do
- if [ "$chain" == "FORWARD" ]; then
- continue
- fi
- if [ ! -d "$chain" ]; then
- # Delete the chain
- echo "Deleting chain $chain from table $table"
- ipt -t $table -P $chain ACCEPT
- ipt -t $table -X $chain
- fi
- done
- popd> /dev/null
- fi
-done
diff --git a/recipes/firewall/manifests/defines.pp
b/recipes/firewall/manifests/defines.pp
deleted file mode 100644
index 871f357..0000000
--- a/recipes/firewall/manifests/defines.pp
+++ /dev/null
@@ -1,77 +0,0 @@
-# usage
-# firewall::rule { 'rulename':
-# chain => "INPUT",
-# table => "filter",
-# source_port => 123423,
-# destination_port => 22,
-# destination =>
foo.com,
-# source =>
bar.com,
-# to_ports => "443"
-# action => ACCEPT
-# }
-define firewall::rule (
- $chain = 'INPUT',
- $table = 'filter',
- $comment = '',
- $protocol = 'tcp',
- $source_port = '',
- $destination_port = '',
- $source = '',
- $destination = '',
- $to_ports = '',
- $to_destination = '',
- $modules = [],
- $destination_range = '',
- $not_physdev_bridged = '',
- $source_range = '',
- $out_interface = '',
- $in_interface = '',
- $uid_owner = '',
- $reject_with = '',
- $log_prefix = '',
- $state = '',
- $every = '',
- $mode = '',
- $action = 'ACCEPT'
- ) {
-
- include firewall
-
- $table_path = "${firewall::firewall_dir}/${table}"
- $chain_path = "${firewall::firewall_dir}/${table}/${chain}"
-
- if defined(File["${chain_path}"]) {
- # do nothing
- $trash = ''
- } else {
- file { "${chain_path}":
- ensure => directory,
- purge => true,
- recurse => true,
- require => File["${table_path}"],
- }
- }
-
- $link_path = "$firewall::firewall_dir/${table}/${chain}/${name}"
-
- file { "${link_path}":
- content => template("firewall/rule.erb"),
- notify => Service["firewall"],
- }
-}
-
-define firewall::rule::stub () {
- file {
- "${name}.head":
- name => "${firewall_dir}/${name}.head",
- mode => 0700,
- source => "puppet:///modules/firewall/chain_rules/${name}.head",
- ;
- "${name}.tail":
- name => "${firewall_dir}/${name}.tail",
- mode => 0700,
- source => "puppet:///modules/firewall/chain_rules/${name}.tail",
- ;
- }
-}
-
diff --git a/recipes/firewall/manifests/init.pp b/recipes/firewall/manifests/init.pp
deleted file mode 100644
index c38abc3..0000000
--- a/recipes/firewall/manifests/init.pp
+++ /dev/null
@@ -1,102 +0,0 @@
-import "defines.pp"
-
-class firewall {
-
- $firewall_dir = "/usr/share/firewall"
- package { "iptables":
- ensure => installed,
- }
-
- service { "firewall":
- name => "iptables",
- enable => true,
- hasstatus => true,
- require => [ Package["iptables"],
File["iptables-update"] ],
- restart => "/usr/local/bin/iptables-update.sh",
- }
-
- # the reload script (thanks rmonk)
- file { "iptables-update":
- name => "/usr/local/bin/iptables-update.sh",
- mode => 0755,
- source => "puppet:///modules/firewall/iptables-update.sh",
- }
-
- file { "${firewall_dir}":
- ensure => directory,
- mode => 0755,
- }
-
- # create the table directories
- file {
- [
- "${firewall_dir}/filter",
- "${firewall_dir}/filter/INPUT",
- "${firewall_dir}/filter/OUTPUT",
- "${firewall_dir}/filter/FORWARD",
- "${firewall_dir}/nat",
- "${firewall_dir}/nat/PREROUTING",
- "${firewall_dir}/nat/OUTPUT",
- "${firewall_dir}/nat/POSTROUTING",
- "${firewall_dir}/mangle",
- "${firewall_dir}/mangle/FORWARD",
- "${firewall_dir}/mangle/POSTROUTING",
- "${firewall_dir}/mangle/INPUT",
- "${firewall_dir}/raw",
- "${firewall_dir}/raw/PREROUTING",
- "${firewall_dir}/raw/OUTPUT"
- ]:
- ensure => directory,
- notify => Service["firewall"],
- require => File["${firewall_dir}"],
- mode => 0755,
- }
-
- # create the head/tail files -- we tried a recursive resource here but it failed.
- $wrapper_rules = [
- 'filter/INPUT',
- 'filter/OUTPUT',
- 'filter/FORWARD',
- 'nat/PREROUTING',
- 'nat/POSTROUTING',
- 'nat/OUTPUT',
- 'mangle/FORWARD',
- 'mangle/INPUT',
- 'mangle/POSTROUTING',
- 'raw/PREROUTING',
- 'raw/OUTPUT'
- ]
-
- firewall::rule::stub { $wrapper_rules:
- notify => Service["firewall"],
- require => File["${firewall_dir}"],
- }
-
- # relevent execs
- exec { "reload-firewall":
- command => "/usr/local/bin/iptables-update.sh",
- require => File["iptables-update"],
- refreshonly => true,
- }
-}
-
-class firewall::disabled inherits firewall {
- Service["firewall"] {
- ensure => stopped,
- enable => false,
- }
-}
-
-class firewall::ckmtest inherits firewall {
-
- firewall::rule { "NAT":
- table => 'nat',
- chain => 'PREROUTING',
- protocol => 'tcp',
- destination_port => '8443',
- action => 'REDIRECT',
- to_ports => "443",
- comment => "nat rule",
- }
-}
-
diff --git a/recipes/firewall/templates/rule.erb b/recipes/firewall/templates/rule.erb
deleted file mode 100644
index c3ae3f8..0000000
--- a/recipes/firewall/templates/rule.erb
+++ /dev/null
@@ -1,70 +0,0 @@
-<% unless protocol.empty? -%>
--p<%= protocol + " " -%>
-<% end -%>
-<% for m in modules -%>
--m<%= m + " " -%>
-<% end -%>
-<% unless destination_range.empty? -%>
---dst-range<%= destination_range + " " -%>
-<% end -%>
-<% unless source_range.empty? -%>
---src-range<%= source_range + " " -%>
-<% end -%>
-<% unless out_interface.empty? -%>
---out-interface<%= out_interface + " " -%>
-<% end -%>
-<% unless in_interface.empty? -%>
---in-interface<%= in_interface + " " -%>
-<% end -%>
-<% unless source.empty? -%>
---source<%= source + " " -%>
-<% end -%>
-<% unless uid_owner.empty? -%>
---uid-owner<%= uid_owner + " " -%>
-<% end -%>
-<% unless state.empty? -%>
---state<%= state + " " -%>
-<% end -%>
-<% unless mode.empty? -%>
---mode<%= mode + " " -%>
-<% end -%>
-<% unless not_physdev_bridged.empty? -%>
-! --physdev-is-bridged
-<% end -%>
-<% unless every.empty? -%>
---every<%= every + " " -%>
-<% end -%>
-<% unless destination.empty? -%>
---destination<%= destination + " " -%>
-<% end -%>
-<% unless destination_port.empty? -%>
-<% if destination_port =~ /:|,/ -%>
--m multiport --destination-ports<%= destination_port + " " -%>
-<% else -%>
---destination-port<%= destination_port + " " -%>
-<% end -%>
-<% end -%>
-<% unless source_port.empty? -%>
-<% if source_port =~ /:|,/ -%>
--m multiport --source-ports<%= source_port + " " -%>
-<% else -%>
---source-port<%= source_port + " " -%>
-<% end -%>
-<% end -%>
-<% if operatingsystemrelease == '5' -%>
--m comment --comment "<%= comment -%>"<%= " " -%>
-<% end -%>
--j<%= action -%>
-<% unless to_ports.empty? -%>
- --to-ports<%= to_ports + " " -%>
-<% end -%>
-<% unless to_destination.empty? -%>
- --to-destination<%= to_destination + " " -%>
-<% end -%>
-<% unless log_prefix.empty? -%>
---log-prefix<%= log_prefix + " " -%>
-<% end -%>
-<% unless reject_with.empty? -%>
---reject-with<%= reject_with + " " -%>
-<% end -%>
-<%# keep at end %>