

Unified Firewall management for Windows, Linux, Mac OS/X



Version information

  • 0.1.1 (latest)
  • 0.1.0
released Dec 18th 2014
This version is compatible with:

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'gildas-firewall', '0.1.1'

Add this module to your Bolt project:

bolt module add gildas-firewall

Manually install this module globally with Puppet module tool:

puppet module install gildas-firewall --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



gildas/firewall — version 0.1.1 Dec 18th 2014


Firewall management for Windows, Linux, and OS/X

Note: At the moment, only Windows (7, 2008R2, 8, 8.1, 2012R2) is implemented.


Unified types and rules to manage firewall.


Via puppet module:

$ puppet module install gildas-firewall

Via librarian-puppet or r10k, by adding the following line to your Puppetfile:

mod 'gildas/firewall'


Load the base class:

include firewall

By default, firewall resources that are declared in hiera will be automatically loaded and created. If you do not want this behavior, configure the base class as follows:

class {'firewall':
  hiera_loader => false
}

Configuring the firewall

To configure firewall rules, instantiate resources in your manifests, e.g.:

  firewall::rule { 'SQLServer':
    rule        => 'SQLServer-Instance-In-TCP',
    ensure      => enabled,
    create      => true,
    display     => 'SQLServer Instance (TCP-In)',
    description => 'Inbound Rule to access the SQLServer instance [TCP 1433]',
    action      => 'Allow',
    direction   => 'Inbound',
    protocol    => 'TCP',
    local_port  => 1433,
  }

This resource creates a rule (as needed) to allow incoming SQL Server communication.

If a rule already exists in Windows and only needs to be enabled or disabled, you can do the following:

  firewall::rule { 'WinRM':
    rule   => 'WINRM-HTTP-In-TCP-NoScope',
    ensure => enabled,
  }

Note: It is not possible to delete rules yet.

Similarly, it is possible to enable firewall groups:

  firewall::group { 'File and Printer Sharing':
    group  => '@FirewallAPI.dll,-28502',
    ensure => enabled,
  }

Note: It is not possible to create/delete groups yet.

Finally, to manage firewall profiles:

  firewall::profile { "Private":
    profile => "Private",
    ensure  => enabled,
  }

Hiera configuration

If you use hiera, the puppet class firewall will search for firewall entries and create resources. At the moment, the following firewall entries are available:

  • firewall::profiles
  • firewall::groups
  • firewall::rules
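
A review aid for the Hiera keys listed above, added here as an example and not part of the gildas/firewall module: it lists the resources the loader would declare from a JSON Hiera document and flags every entry that creates an inbound allow rule or enables a rule or group. It assumes the loader maps each key to the defined type of the same name, with the hash key as the resource title; `review`, `LOADER_KEYS` and `SAMPLE` are hypothetical names.

```python
import json

# Hiera key -> defined type, as named on this page. Assumption: the loader
# uses each hash key as the resource title and the value as its parameters.
LOADER_KEYS = {
    "firewall::profiles": "firewall::profile",
    "firewall::groups": "firewall::group",
    "firewall::rules": "firewall::rule",
}

def review(hiera_json):
    """Return (resources, flags) for the firewall entries in a JSON Hiera document."""
    data = json.loads(hiera_json)
    resources, flags = [], []
    for key, rtype in LOADER_KEYS.items():
        entries = data.get(key, {})
        if not isinstance(entries, dict):
            flags.append(f"{key}: expected a hash of title -> parameters")
            continue
        for title, params in entries.items():
            if not isinstance(params, dict):
                flags.append(f"{rtype}[{title}]: parameters are not a hash")
                continue
            resources.append(f"{rtype}[{title}] ensure={params.get('ensure')}")
            if params.get("ensure") != "enabled" or rtype == "firewall::profile":
                continue
            opens = (str(params.get("action")).lower() == "allow"
                     and str(params.get("direction")).lower() == "inbound")
            if params.get("create") and opens:
                flags.append(f"{rtype}[{title}]: creates inbound allow "
                             f"{params.get('protocol')}/{params.get('local_port')}")
            else:
                target = params.get("rule") or params.get("group")
                flags.append(f"{rtype}[{title}]: enables {target}")
    return resources, flags

# Constructed sample that combines the entries this page uses.
SAMPLE = """{
  "firewall::profiles": {"Private": {"profile": "Private", "ensure": "enabled"}},
  "firewall::groups": {"Remote Desktop": {"group": "@FirewallAPI.dll,-28752", "ensure": "enabled"}},
  "firewall::rules": {
    "WinRM": {"rule": "WINRM-HTTP-In-TCP-NoScope", "ensure": "enabled"},
    "SQLServer": {"rule": "SQLServer-Instance-In-TCP", "ensure": "enabled", "create": true,
                  "action": "Allow", "direction": "Inbound", "protocol": "TCP", "local_port": 1433}
  }
}"""

if __name__ == "__main__":
    print("\n".join(sum(review(SAMPLE), [])))
```
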

For example, to configure the Remote Desktop group in Windows, add the following to your hiera database:


  "firewall::groups": {
    "Remote Desktop": {
      "group":  "@FirewallAPI.dll,-28752",
      "ensure": "enabled"
    }
  }


Or to accept WinRM connections over HTTP on Windows 8/8.1:


  "firewall::rules": {
    "WinRM": {
      "rule": "WINRM-HTTP-In-TCP-NoScope",
      "ensure": "enabled"
    }
  }