Moving from puppet-iptables to puppet-firewall

by actionjack on February 3, 2012 | 3 comments

After months of procrastination I finally migrated from puppet-iptables to puppet-firewall and I’m so glad that I did!

I’m beginning to see what Ken Barber (@ken_barber) was hinting at when he told me at the last EU Devops Days conference that configuring linux firewalls was just tip of the iceberg, I can now see the path of it being used to configure Cisco and Juniper based firewalls eventually.

To get the puppet-firewall module working for me out of the box I had to add the following to my site.pp

exec { 'clear-firewall':
  command => '/sbin/iptables -F',

  refreshonly => true,

exec { 'persist-firewall':

  command => '/sbin/iptables-save >/etc/sysconfig/iptables',

  refreshonly => true,


Firewall {

  subscribe => Exec['clear-firewall'],

  notify => Exec['persist-firewall'],


After that I configured a base firewall module e.g.

class basefirewall {

resources { 'firewall':

    purge => true,


firewall { "001 accept all icmp requests":

    proto => 'icmp',

    action  => accept,


firewall { '002 INPUT allow loopback':

    iniface => 'lo',

    chain   => 'INPUT',

    action    => accept,


firewall { '000 INPUT allow related and established':

    state => ['RELATED', 'ESTABLISHED'],

    action  => accept,

    proto => 'all',




Top Marks for this module!



yea it works nice. I prefer puppet-iptables though

by Alston Fernandez on May 6, 2012 at 3:27 am. Reply #

Do you also use ip6tables with that module? Would be interesting how you implemented that…

by mike on May 9, 2012 at 12:20 pm. Reply #

Hi Mike,

Sorry I haven’t implemented ipv6 but that’s probably something I’ll try in the future.

Watch this space!

by actionjack on May 9, 2012 at 12:50 pm. Reply #

Leave your comment


Required. Not published.

If you have one.