why not generate the range syntax when port => 'start:end' is encountered in a rich rule? #163
Comments
Hi @kenyapcomau - are you referring to the custom_service type when declaring multiple ranges like this https://github.com/crayfishx/puppet-firewalld#parameters-3 ?
Yes, that's what I meant, sorry for the confusion.
Hi guys, we are running into the same issue because firewalld on CentOS 7 won't parse multiple rules in the same xml file. Is there any update on this?
How do you mean? I haven't checked for a while, but firewalld parsed the spec fine; for something like opening up a range of VNC ports, one iptables rule was generated per port, which is unnecessary because port ranges can be specified. In the end I just created a custom service XML file until this is fixed.
Hi, yeah, the custom xml option will work, however it will be a nightmare for management moving forward.
I just use a puppet stanza that installs a custom XML file from the module's resources, i.e. the files/ directory. I need to override the limited 4-port range of the supplied VNC rule anyway.
Firewalld was fine with the multi-port list in xml; I made some other schoolboy error. It would probably be better to generate a rule with a hyphen in, where appropriate, though, as per the original issue.
I was using this module and a customer asked to open all TCP ports between 1024-65535. When I realized that it would generate 64 thousand lines of xml I was like 'oh no, that will not do'.
Related to #176
Why not generate the single port element:

```xml
<port protocol="tcp" port="start-end"/>
```

instead of lots of port elements like:

```xml
<port protocol="tcp" port="start"/>
...
<port protocol="tcp" port="end"/>
```

This is what the builtin rules use and it would make the iptables rules more compact.
Thanks.
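As an added illustration of the behaviour requested above (example code, not part of puppet-firewalld), the following Ruby collapses port specs written in the module's `'start:end'` form, plus single ports, into the smallest set of `<port protocol="tcp" port="start-end"/>` elements, rejecting out-of-range or inverted specs. The function names and the sample input are assumptions for this example.

```ruby
# Added example (not puppet-firewalld's own code): turn port specs such as
# '22', '5900:5910' and '5911' into firewalld's single-element range form
# <port protocol="tcp" port="5900-5911"/> instead of one element per port.

# Parse one spec ('80' or 'start:end', the puppet-firewalld style) into [lo, hi].
# Raises on anything that is not a valid port number or a well-ordered range,
# so a typo in a manifest fails the catalog instead of silently opening ports.
def parse_port_spec(spec)
  m = /\A(\d{1,5})(?::(\d{1,5}))?\z/.match(spec.to_s.strip)
  raise ArgumentError, "bad port spec: #{spec.inspect}" unless m
  lo = m[1].to_i
  hi = (m[2] || m[1]).to_i
  unless (1..65_535).cover?(lo) && (1..65_535).cover?(hi) && lo <= hi
    raise ArgumentError, "port range out of bounds: #{spec.inspect}"
  end
  [lo, hi]
end

# Merge [lo, hi] pairs into the minimal set of non-overlapping, non-adjacent
# ranges, e.g. [[1,3],[4,6],[10,10]] -> [[1,6],[10,10]].
def merge_ranges(ranges)
  ranges.sort.each_with_object([]) do |(lo, hi), merged|
    last = merged.last
    if last && lo <= last[1] + 1
      last[1] = [last[1], hi].max
    else
      merged << [lo, hi]
    end
  end
end

# Render the merged ranges as firewalld service <port> elements, using the
# 'start-end' form that the built-in service definitions use for ranges.
def port_elements(specs, protocol = 'tcp')
  merge_ranges(specs.map { |s| parse_port_spec(s) }).map do |lo, hi|
    port = lo == hi ? lo.to_s : "#{lo}-#{hi}"
    %(<port protocol="#{protocol}" port="#{port}"/>)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: a VNC-style block of ports from the issue plus lone SSH.
  puts port_elements(%w[22 5900:5910 5911 5905:5908])
end
```

The 1024-65535 case mentioned in the thread becomes a single element rather than roughly 64 thousand, and overlapping specs collapse into one range.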