Couple of questions about nftables module and nftables; • nftables:rules:puppet only sets up incoming traffic - when I run puppet agent -t on the box it connects out to the puppet servers (and fails because nft blocks the connection). I’m trying to understand when / why puppet would connect in to the host (is it something to do with Choria ?). Also why doesnt the rule also configure an outbound connection rule as that seems to be required • I’m trying to figure out how to add a general rule to configure logging of all connections - I found a page that suggests using “nft add rule filter input log” but I dont understand how to configure that via the puppet module. • Additionally I’d like to be able to add a rule (as an alternative to logging everything) which logs dropped / rejected connections in to the host as a ‘catch all’ at the end of all the input rules - I tried for ssh to use nftables::rule (content ‘tcp dport 22 log’) - but it doesn’t seem to be working as expected. • We’re trying to lock down access to ssh to specific IPs / Subnets - but then open everything else (as if the firewall were not present) - I created a rule using nftables::rule (content ‘tcp dport {1-65535} accept’) which seems to work but it seems a bit of a crazy fix and wondered if there was a more elegant way to set this up.

This message was deleted.

nftables::rules::out::puppet

can be used on puppet agents to allow outgoing connections to a puppetserver

ta-dah! https://github.com/puppetlabs/puppetlabs-stdlib/pull/1377

Zhenech: foreman-packaging has some odd dependencies that I try to find :D

huh?

installed git-annex, packaged gem2rpm and compiled rpmdevtools so far :D

well, tried to compile

stop using arch? :)

pah!

Zhenech: https://github.com/theforeman/foreman-packaging/pull/9516

when that's accepted I cherry-pick into the rpm/3.6 and rpm/3.7 branches and redo everytrhing for deb?

nice

ignore rpm-copr

lets see what the "rpm" test says

but the specs don't look crazy

git annex whereis /home/jenkins/workspace/foreman-packaging-rpm-pr-test/packages/plugins//rubygem-smart_proxy_hdm/smart_proxy_hdm-0.1.0.gem 2>/dev/null | grep -q "web:"

what is it expecting here

it just checks whether it is already defined

ah

mhm

drop that < 7 and it will build

and then you go and do smth like https://github.com/theforeman/foreman_ansible/commit/4fabaf9db9296c0dfcd84b575031018968d5ff2a to the hdm repo for the next release so it won't come back

mhm where do I have a foreman dependency in my gems

ah actually the package.json

it's always nodejs

Zhenech: like so? https://github.com/betadots/foreman_hdm/pull/14

my nodejs knowledge is at the level of two pieces of bread