Forge Home


Puppet module for managing tcpwrappers with Augeas


8,600 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.3.0 (latest)
  • 1.2.2
  • 1.2.1
  • 1.1.0
released Jun 21st 2021
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 8.0.0
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'MiamiOH-tcpwrappers', '1.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add MiamiOH-tcpwrappers
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install MiamiOH-tcpwrappers --version 1.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



MiamiOH/tcpwrappers — version 1.3.0 Jun 21st 2021


Build Status Puppet Forge Puppet Forge Downloads Puppet Forge Score

Formerly: netmanagers/puppet-tcpwrappers

Getting started

This is a Puppet module for tcpwrappers

It provides only package installation and file configuration (hosts.allow / hosts.deny).

Based on:

Official site:

USAGE - Basic management

TCP wrappers are installed by default in almost every Linux system around and you'll rarely use this capabilities, but they are provided by every Example42 module, so they are available here too. I just removed the "harmful" ones, like the possibility to remove the package.

  • Install tcpwrappers with default settings

      class { 'tcpwrappers': }
  • Managing entries in /etc/hosts.allow and /etc/hosts.deny.

    Parameters daemon defaults to ALL and client defaults to $title if not specified.

      # Simple client specification
      tcpwrappers::allow { '': }


      tcpwrappers::allow { foo:
        daemon => "ALL",
        client => "";

    are equivalent, and add an entry


    into /etc/hosts.allow

      # With an exception specification
      tcpwrappers::allow { foo:
        daemon => "daemon",
        client => "ALL",
        except => "/etc/";

    Adds an entry

      daemon: ALL EXCEPT "/etc/"

tcpwrappers::deny accepts the same parameters

The following parameters are available:

  • ensure: Whether the entry should be "present" or "absent".

  • daemon: The identifier supplied to libwrap by the daemon, often just the process name.

  • client: The client specification to be added.

  • except (optional): Another client specification, acting as a filter for the first client specifiction.

    The $client and $except parameters must have one of the following forms:

      Domain suffix:
      IP address:
      IP prefix:     192. 192.0. 192.0.2.
      IP range:
      Filename:      /path/to/file.acl
      Keyword:       ALL LOCAL PARANOID

    The client specification will be normalized before being matched against or added to the existing entries in hosts.allow/hosts.deny.

  • Install a specific version of tcpwrappers package

      class { 'tcpwrappers':
        version => '1.0.1',
  • Enable auditing without without making changes on existing tcpwrappers configuration files

      class { 'tcpwrappers':
        audit_only => true
  • Module dry-run: Do not make any change on all the resources provided by the module

      class { 'tcpwrappers':
        noops => true

USAGE - Overrides and Customizations

  • Use custom sources for main config file

      class { 'tcpwrappers':
        allow_source => [ "puppet:///modules/netmanagers/tcpwrappers/hosts_allow-${hostname}",
                          "puppet:///modules/netmanagers/tcpwrappers/hosts_allow.conf" ],
        deny_source  => [ "puppet:///modules/netmanagers/tcpwrappers/hosts_deny-${hostname}",
                          "puppet:///modules/netmanagers/tcpwrappers/hosts_allow.conf" ],
  • Use custom template for main config file. Note that template and source arguments are alternative.

      class { 'tcpwrappers':
        allow_template => 'netmanagers/tcpwrappers/hosts_allow.erb',

    and provide custom values using the "$options" parameter.

  • Automatically include a custom subclass

      class { 'tcpwrappers':
        my_class => 'netmanagers::my_tcpwrappers',