[Bug 592017] New: Firewall configuration in Puppet



http://bugzilla.gnome.org/show_bug.cgi?id=592017

           Summary: Firewall configuration in Puppet
    Classification: Infrastructure
           Product: sysadmin
           Version: unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: Puppet
        AssignedTo: sysadmin-maint gnome bugs
        ReportedBy: otaylor redhat com
         QAContact: sysadmin-maint gnome bugs
      GNOME target: ---
     GNOME version: ---


--- Comment #0 from Owen Taylor <otaylor redhat com> 2009-08-16 23:07:48 UTC ---
Currently firewalls on each machine are configured by:

 - Going to the machine
 - Editing /etc/sysconfig/iptables
 - 'service iptables restart'

This means that there is no version control on the config, no peer-reviewable
trail of changes, and if we had to rebuild one of the machines from scratch,
we'd have to repeat the exercise of figuring out the rules.

The config should be managed by puppet like the rest of the config. There are
various recipes and examples of doing this out there, I don't have a particular
recommendation.

Whatever we choose should allow:

 - Global rules in our default classes (no firewall on eth1)
 - Service-specific rules (open port 80 for httpd)
 - Machine specific rules (open port 9070 for buildbot on fixed.gnome.org to
particular build slaves)

It would be nice, though not essential, if there was a defined ordering for how
those different classes of rules got written into the final iptables
configuration, so we could make machine-specific rules that block as well as
allow. (E.g., only allow access to the mysql port on drawable's eth1 to a small
set of machines.)

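One manifest layout that would satisfy the three kinds of rules and the ordering requirement described in the report, added here as an example and not code from the bug report or from GNOME's Puppet tree. It assumes the puppetlabs-firewall module (pre-4.x parameter names); the class names, the hostname and the source address are placeholders.

```puppet
# Added example; assumes puppetlabs-firewall (pre-4.x parameter names), which
# orders rules by the numeric title prefix: lower numbers come first in iptables.

# 0xx: housekeeping first; 9xx: global defaults last (every host gets both)
class firewall::base {
  firewall { '000 accept related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  # "no firewall on eth1" from the report
  firewall { '900 accept all on eth1':
    proto   => 'all',
    iniface => 'eth1',
    action  => 'accept',
  }
  firewall { '999 drop everything else':
    proto  => 'all',
    action => 'drop',
  }
}

# 1xx: service-specific rules, declared by the service's own class
class firewall::httpd {
  firewall { '100 accept http':
    proto  => 'tcp',
    dport  => 80,
    action => 'accept',
  }
}

# 2xx: machine-specific rules. They sort before the 900 "accept all on eth1"
# default, so a host can block on eth1 what the global rule would leave open.
# The hostname and address are placeholders.
node 'drawable.example.org' {
  include firewall::base
  firewall { '200 accept mysql from trusted host on eth1':
    proto   => 'tcp',
    dport   => 3306,
    iniface => 'eth1',
    source  => '192.0.2.10',
    action  => 'accept',
  }
  firewall { '201 drop mysql from everyone else on eth1':
    proto   => 'tcp',
    dport   => 3306,
    iniface => 'eth1',
    action  => 'drop',
  }
}
```

Because the generated ruleset is the only source of firewall state, rules edited by hand on the host are overwritten on the next Puppet run, which is the version-controlled, reviewable trail the report asks for.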