Puppet module for tcpwrappers

Javier Bértoli



12,915 latest version

3.9 quality score

Version information

  • 1.0.0 (latest)
released Sep 24th 2013

Start using this module


netmanagers/tcpwrappers — version 1.0.0 Sep 24th 2013

Puppet module: tcpwrappers

This is a Puppet module for tcpwrappers

It provides only package installation and file configuration (hosts.allow / hosts.deny).

Based on

Official site:

Official git repository:

Released under the terms of Apache 2 License.

USAGE - Basic management

TCP wrappers are installed by default in almost every Linux system around and you'll rarely use this capabilities, but they are provided by every Example42 module, so they are available here too. I just removed the "harmful" ones, like the possibility to remove the package.

  • Install tcpwrappers with default settings

      class { 'tcpwrappers': }
  • Managing entries in /etc/hosts.allow and /etc/hosts.deny.

    Parameters daemon defaults to ALL and client defaults to $title if not specified.

      # Simple client specification
      tcpwrappers::allow { '': }


      tcpwrappers::allow { foo:
        daemon => "ALL",
        client => "";

    are equivalent, and add an entry


    into /etc/hosts.allow

      # With an exception specification
      tcpwrappers::allow { foo:
        daemon => "daemon",
        client => "ALL",
        except => "/etc/";

    Adds an entry

      daemon: ALL EXCEPT "/etc/"

tcpwrappers::deny accepts the same parameters

The following parameters are available:

  • ensure: Whether the entry should be "present" or "absent".

  • daemon: The identifier supplied to libwrap by the daemon, often just the process name.

  • client: The client specification to be added.

  • except (optional): Another client specification, acting as a filter for the first client specifiction.

    The $client and $except parameters must have one of the following forms:

      Domain suffix:
      IP address:
      IP prefix:     192. 192.0. 192.0.2.
      IP range:
      Filename:      /path/to/file.acl
      Keyword:       ALL LOCAL PARANOID

    The client specification will be normalized before being matched against or added to the existing entries in hosts.allow/hosts.deny.

  • Install a specific version of tcpwrappers package

      class { 'tcpwrappers':
        version => '1.0.1',
  • Enable auditing without without making changes on existing tcpwrappers configuration files

      class { 'tcpwrappers':
        audit_only => true
  • Module dry-run: Do not make any change on all the resources provided by the module

      class { 'tcpwrappers':
        noops => true

USAGE - Overrides and Customizations

  • Use custom sources for main config file

      class { 'tcpwrappers':
        allow_source => [ "puppet:///modules/netmanagers/tcpwrappers/hosts_allow-${hostname}" ,
                          "puppet:///modules/netmanagers/tcpwrappers/hosts_allow.conf" ], 
        deny_source  => [ "puppet:///modules/netmanagers/tcpwrappers/hosts_deny-${hostname}" ,
                          "puppet:///modules/netmanagers/tcpwrappers/hosts_allow.conf" ], 
  • Use custom template for main config file. Note that template and source arguments are alternative.

      class { 'tcpwrappers':
        allow_template => 'netmanagers/tcpwrappers/hosts_allow.erb',

    and provide custom values using the "$options" parameter.

  • Automatically include a custom subclass

      class { 'tcpwrappers':
        my_class => 'netmanagers::my_tcpwrappers',


Build Status