Tip: Passing puppetlabs/firewall configuration through Foreman web interface

We're using the puppetlabs/firewall module and we wanted a way to pass all
of our firewall data through the Foreman web UI for ease of quickly
adding/deleting firewall rules. This is what we came up with, in case
anyone else is interested.

Created a new module, e.g. custom_firewall, with init.pp, pre.pp and post.pp.
init.pp:

class custom_firewall($firewall_data = false) {

  include custom_firewall::pre
  include custom_firewall::post
  include firewall

  # Remove any iptables rule that Puppet does not manage.
  resources { 'firewall':
    purge => true,
  }

  # Resource defaults for every firewall rule in this scope: apply after
  # the pre class and before the post class.
  Firewall {
    before  => Class['custom_firewall::post'],
    require => Class['custom_firewall::pre'],
  }

  # $firewall_data is a hash of rule title => parameters, supplied as YAML
  # from Foreman; each entry becomes one firewall resource.
  if $firewall_data != false {
    create_resources('firewall', $firewall_data)
  }

}

pre.pp (include any default firewall rules here that should load every
time regardless, e.g. ICMP):

class custom_firewall::pre {

  # Rules in this class go first, so they must not require the pre class itself.
  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }

}

post.pp (final line of iptables):

class custom_firewall::post {
  # Final catch-all rule; it must not be ordered before the post class itself.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

Now, import the classes into Foreman. Under the custom_firewall class, set
the $firewall_data param's type to yaml. At this point you can pass in any
additional firewall rules via YAML, e.g.:

"007 accept tcp tomcat requests":
  port:
    - "8080"
    - "8009"
    - "8999"
  proto: tcp
  action: accept

Hope this helps.

Tried this and I get the following:

Jan 20 12:44:07 testserver00 puppet-agent[2431]: Could not apply complete catalog: Found 1 dependency cycle:
(Firewall[998 deny all requests] => Class[Dp_custom_firewall::Post] => Firewall[998 deny all requests])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

My config is identical to yours except I add all the ports I want opened
in pre.pp. Looking at the error, it seems that the require line is
causing a loop.

Any ideas? I can post my config.

Thank you very much, this helped a great deal

··· On Tuesday, November 5, 2013 6:58:47 PM UTC-6, Jack Watroba wrote:

Confirmed. Removing:

Firewall {
  before  => Class['custom_firewall::post'],
  require => Class['custom_firewall::pre'],
}

Makes things work. I am posting my configs for reference:

(init.pp)

class aa_custom_firewall($firewall_data = false) {

  include aa_custom_firewall::pre
  include aa_custom_firewall::post
  include firewall

  # Purge iptables rules that Puppet does not manage.
  resources { 'firewall':
    purge => true,
  }

  # Resource defaults left out, as noted above: with them in place the
  # '998 deny all requests' rule is both inside and ordered before
  # Class['aa_custom_firewall::post'], which is the reported dependency cycle.
  #
  # Firewall {
  #   before  => Class['aa_custom_firewall::post'],
  #   require => Class['aa_custom_firewall::pre'],
  # }

  # Rules supplied as YAML through the Foreman smart class parameter.
  if $firewall_data != false {
    create_resources('firewall', $firewall_data)
  }

}

(pre.pp)

class aa_custom_firewall::pre {

  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }

  firewall { '001 accept all lo':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  firewall { '002 accept all established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  firewall { '100 accept ssh':
    proto  => 'tcp',
    state  => ['NEW'],
    dport  => '22',
    action => 'accept',
  }

  firewall { '101 accept snmp':
    proto  => 'udp',
    state  => ['NEW'],
    dport  => '161',
    action => 'accept',
  }

  firewall { '201 accept HTTP(S)':
    proto  => 'tcp',
    state  => ['NEW'],
    dport  => ['80', '443'],
    action => 'accept',
  }

  firewall { '202 accept JBoss':
    proto  => 'tcp',
    state  => ['NEW'],
    dport  => ['8080', '8443'],
    action => 'accept',
  }

  firewall { '203 accept Postgres':
    proto  => 'tcp',
    state  => ['NEW'],
    dport  => '5432',
    action => 'accept',
  }

}

(post.pp)
class aa_custom_firewall::post {

  # Catch-all for the INPUT chain: reject with an ICMP host-prohibited.
  firewall { '998 deny all requests':
    proto  => 'all',
    action => 'reject',
    reject => 'icmp-host-prohibited',
  }

  # Catch-all for the FORWARD chain; the reject option only applies to
  # action => 'reject', not 'accept'.
  firewall { '999 deny all forward requests':
    proto  => 'all',
    chain  => 'FORWARD',
    action => 'reject',
    reject => 'icmp-host-prohibited',
  }

}

I know this is an old thread, but following this guide, I'm getting the
following error when attempting to run puppet agent -t on the client:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
no implicit conversion of nil into Hash at
/etc/puppet/environments/production/modules/firewall_custom/manifests/init.pp:12
on node omdapps06.mil.state.or.us
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Gist of init.pp is here:
https://gist.github.com/joeywas/d8f0d676b9ef3beb54ae0d617ef69633
··· On Thursday, April 17, 2014 at 12:49:46 PM UTC-7, Race Boyer wrote:

Line 12 is the create_resources() call, which uses $firewall_data from
the class parameter. If that is nil, then it's likely that the parameter
isn't correctly set in Foreman.

View the ENC output (the YAML button on the host page) and ensure
firewall_data is listed below the firewall_custom class name with the
YAML representing your firewall resources/rules, else ensure it's set in
the smart class parameter in Foreman.

··· On 15/09/16 23:57, Joseph Cunningham wrote:
> Gist of init.pp is here:
> https://gist.github.com/joeywas/d8f0d676b9ef3beb54ae0d617ef69633


Dominic Cleal
dominic@cleal.org

Dominic, that was it! The value I was using in Foreman to override the
smart class parameter was not properly formatted YAML (I was missing
indents).

Thank you!

··· On Friday, September 16, 2016 at 2:15:51 AM UTC-7, Dominic Cleal wrote:
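As an added example (not code from this thread, from Foreman or from puppetlabs/firewall), here is a Ruby check for the firewall_data value before create_resources('firewall', $firewall_data) sees it. Ruby because Foreman and Puppet are Ruby and the "no implicit conversion of nil into Hash" error above is a Ruby TypeError. ALLOWED_KEYS is an assumption: a subset of the firewall type's parameters covering the rules posted in this thread, not the module's full list. The two YAML samples are constructed: the original post's example rule indented correctly, and the same rule with its indentation dropped, which is the "not properly formatted yaml" case from the last reply. It also flags the reject-with-accept combination from the posted post.pp.

```ruby
# Added example, not code from the thread or from puppetlabs/firewall:
# validate the firewall_data YAML that Foreman hands to the class before
# create_resources('firewall', $firewall_data) ever sees it.
require 'yaml'

# Parameters of the firewall type this check accepts. Assumption: a subset
# covering the rules used in the thread, not the module's complete list.
ALLOWED_KEYS = %w[proto action chain port dport sport state
                  iniface outiface source destination reject].freeze
ALLOWED_ACTIONS = %w[accept drop reject].freeze

# Return an array of problems; empty means create_resources can consume data.
def firewall_data_problems(data)
  unless data.is_a?(Hash)
    # The shape behind "no implicit conversion of nil into Hash": the class
    # parameter never arrived as a hash of rules.
    return ["firewall_data is #{data.inspect}, not a Hash of rules"]
  end

  problems = []
  data.each do |name, attrs|
    # puppetlabs/firewall orders rules by the leading number in the title.
    unless name.to_s =~ /\A\d+\s/
      problems << "rule #{name.inspect}: title does not start with an order number"
    end
    unless attrs.is_a?(Hash)
      problems << "rule #{name.inspect}: parameters are #{attrs.inspect}, not a Hash"
      next
    end
    attrs.each_key do |key|
      next if ALLOWED_KEYS.include?(key.to_s)
      problems << "rule #{name.inspect}: unknown parameter #{key.inspect}"
    end
    action = attrs['action']
    unless ALLOWED_ACTIONS.include?(action)
      problems << "rule #{name.inspect}: action #{action.inspect} is not one of " \
                  "#{ALLOWED_ACTIONS.join(', ')}"
    end
    # The reject option only has an effect with action => reject.
    if attrs.key?('reject') && action != 'reject'
      problems << "rule #{name.inspect}: 'reject' given but action is #{action.inspect}"
    end
  end
  problems
end

# Parse the smart class parameter value the way Foreman does (it is YAML text).
def check_firewall_yaml(text)
  firewall_data_problems(YAML.safe_load(text))
rescue Psych::SyntaxError => e
  ["YAML does not parse: #{e.message}"]
end

# Constructed input: the thread's example rule, indented as YAML requires.
GOOD_YAML = <<~YAML
  "007 accept tcp tomcat requests":
    port:
      - "8080"
      - "8009"
      - "8999"
    proto: tcp
    action: accept
YAML

# Constructed input: the same text with the indentation dropped. YAML now
# reads one rule with no parameters plus three stray top-level keys.
BAD_YAML = <<~YAML
  "007 accept tcp tomcat requests":
  port:
    - "8080"
  proto: tcp
  action: accept
YAML

if $PROGRAM_NAME == __FILE__
  puts "good: #{check_firewall_yaml(GOOD_YAML).inspect}"
  puts "bad:  #{check_firewall_yaml(BAD_YAML).inspect}"
  puts "nil:  #{firewall_data_problems(nil).inspect}"
end
```

Paste the value shown under firewall_data in the host's ENC output (the YAML button Dominic mentions) into check_firewall_yaml; an empty array means the structure is what create_resources expects, anything else names the rule and the field that is wrong.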