first stab at making the rules appear without doing anything

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index bed7a84b7305791de39fdf549401eefa6d8ef16a..9ff8c854224fdb88db164431debdac4efae22f81 100644 (file)
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -17,6 +17,24 @@ define set_alternatives($linkto) {
 
 
 class debian-org {
+   ferm::rule { "dsa-ssh":
+           description     => "Allow SSH from DSA",
+           rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
+   }
+   ferm::rule { "dsa-ssh-v6":
+           description     => "Allow SSH from DSA",
+           domain          => "ip6",
+           rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
+   }
+   ferm::rule { "dsa-munin":
+           description     => "Allow munin from munin master",
+           rule            => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN) ACCEPT; }"
+   }
+   ferm::rule { "dsa-nagios":
+           description     => "Allow nrpe from nagios master",
+           rule            => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
+   }
+
    package { "userdir-ldap": ensure => installed;
              "zsh": ensure => installed;
              "cron": ensure => installed;

diff --git a/modules/ferm/manifests/real.pp b/modules/ferm/manifests/real.pp
index f891c9273e1b60b7b9cf0072e603cd121194ede9..e3a1a0fa7c62a400f705e9a19ba98bab2b1552d0 100644 (file)
--- a/modules/ferm/manifests/real.pp
+++ b/modules/ferm/manifests/real.pp
@@ -20,24 +20,6 @@ class ferm::real inherits ferm {
                         notify  => Exec["ferm restart"];
         }
 
-        ferm::rule { "dsa-ssh":
-                description     => "Allow SSH from DSA",
-                rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
-        }
-        ferm::rule { "dsa-ssh-v6":
-                description     => "Allow SSH from DSA",
-                domain          => "ip6",
-                rule            => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
-        }
-        ferm::rule { "dsa-munin":
-                description     => "Allow munin from munin master",
-                rule            => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN) ACCEPT; }"
-        }
-        ferm::rule { "dsa-nagios":
-                description     => "Allow nrpe from nagios master",
-                rule            => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS) ACCEPT; }"
-        }
-
         Exec["ferm restart"] {
                 path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
                 refreshonly => true,