firewall

Manages Firewalls such as iptables

Version information

  • 8.0.1 (latest)
  • 8.0.0
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.1.0
  • 4.0.1
  • 4.0.0
  • 3.6.0
  • 3.5.0
  • 3.4.0
  • 3.3.0
  • 3.2.0
  • 3.1.0
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.8.1
  • 2.8.0
  • 2.7.0
  • 2.6.0
  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0
  • 1.15.3
  • 1.15.2
  • 1.15.1
  • 1.15.0
  • 1.14.0
  • 1.13.0
  • 1.12.0
  • 1.11.0
  • 1.10.0
  • 1.9.0
  • 1.8.2
  • 1.8.1
  • 1.8.0
  • 1.7.2
  • 1.7.1
  • 1.7.0
  • 1.6.0
  • 1.5.0
  • 1.4.0
  • 1.3.0
  • 1.2.0
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.2
  • 1.0.1
  • 1.0.0 (deleted)
  • 0.5.0 (deleted)
  • 0.4.2
  • 0.4.1
  • 0.4.0
  • 0.3.1
  • 0.3.0
  • 0.2.1
  • 0.2.0
  • 0.1.1
  • 0.1.0
  • 0.0.4
  • 0.0.3
  • 0.0.2
  • 0.0.1
Released Mar 20th 2024. This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0

Start using this module

Add this module to your Puppetfile:

mod 'puppetlabs-firewall', '8.0.1'

Add this module to your Bolt project:

bolt module add puppetlabs-firewall

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-firewall --version 8.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

puppetlabs/firewall — version 8.0.1 Mar 20th 2024

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v8.0.1 - 2024-03-20

Fixed

Other

v8.0.0 - 2024-02-08

Changed

Fixed

  • (GH-1164) Only common jump values should be enforced as upcase #1165 (david22swan)

v7.0.2 - 2023-09-14

Fixed

  • (GH-1158) Fix for dport/sport/state/ctstate/ctstatus comparisons #1160 (david22swan)

v7.0.1 - 2023-09-14

Fixed

v7.0.0 - 2023-09-13

Changed

Fixed

v6.0.0 - 2023-07-25

Changed

Added

Fixed

v5.0.0 - 2023-03-31

Changed

  • (Cont 779) Add Support for Puppet 8 / Drop Support for Puppet 6 #1118 (david22swan)

v4.1.0 - 2023-03-31

Added

Fixed

v4.0.1 - 2022-12-07

Fixed

v4.0.0 - 2022-11-22

Changed

Added

  • add support for using rpfilter in rules #1059 (cmusik)

Fixed

v3.6.0 - 2022-10-03

Added

Fixed

v3.5.0 - 2022-05-17

Added

  • CentOS Stream 9 Support (should include RHEL9 when that releases) #1028 (tskirvin)

Fixed

v3.4.0 - 2022-02-28

Added

Fixed

v3.3.0 - 2021-12-15

Added

Fixed

  • Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range #1019 (cmd-ntrf)
  • Fedora 34 and iptables-compat fix; properly utilising iptables param. #1018 (adamboutcher)
  • pdksync - (IAC-1598) - Remove Support for Debian 8 #1015 (david22swan)
  • Add carp protocol to :proto property #1014 (adrianiurca)
  • (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing #981 (tskirvin)

v3.2.0 - 2021-09-06

Added

Fixed

  • Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present #1010 (onyxmaster)

v3.1.0 - 2021-07-26

Added

Fixed

  • (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 #1002 (adrianiurca)

v3.0.2 - 2021-07-19

Fixed

v3.0.1 - 2021-06-21

Fixed

v3.0.0 - 2021-03-01

Changed

v2.8.1 - 2021-02-09

Fixed

  • [MODULES-10907] Do not remove spaces from hex string with ! #967 (adrianiurca)

v2.8.0 - 2020-12-14

Added

Fixed

v2.7.0 - 2020-10-15

Added

  • (IAC-1190) add ignore_foreign when purging firewallchains #948 (DavidS)

v2.6.0 - 2020-10-05

Added

  • pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #933 (david22swan)

Fixed

v2.5.0 - 2020-07-28

Added

v2.4.0 - 2020-05-13

Added

Fixed

  • (MODULES-8543) Remove nftables' backend warning from iptables_save output #911 (NITEMAN)

v2.3.0 - 2020-03-26

Added

  • Add iptables --hex-string support to firewall resource #907 (alexconrey)
  • Add random_fully and rpfilter support #892 (treydock)
  • (MODULES-7800) Add the ability to specify iptables connection tracking helpers. #890 (jimmyt86)
  • Support conntrack module #872 (haught)

Fixed

v2.2.0 - 2019-12-09

Added

Fixed

  • Change - Avoid puppet failures on windows nodes #874 (blackknight36)
  • Fix parsing iptables rules with hyphen in comments #861 (Hexta)

v2.1.0 - 2019-09-25

Added

  • (MODULES-6136) Add zone property of CT target. #852 (rwf14f)
  • (FM-8025) Add RedHat 8 support #847 (eimlav)

Fixed

  • MODULES-9801 - fix negated physdev #858 (lionce)

v2.0.0 - 2019-05-15

Changed

Added

Fixed

1.15.3 - 2019-04-05

Fixed

  • (MODULES-8855) Move ipvs test to exception spec #834 (eimlav)
  • (MODULES-8842) Fix ipvs not idempotent #833 (eimlav)

1.15.2 - 2019-03-26

Fixed

1.15.1 - 2019-02-01

Fixed

1.15.0 - 2019-01-18

Added

Fixed

  • pdksync - (FM-7655) Fix rubygems-update for ruby < 2.3 #801 (tphoney)
  • (MODULES-6340) - Address failure when name begins with 9XXX #796 (eimlav)
  • Amazon linux 2 changed its major version to 2 with the last update... #793 (erik-frontify)

1.14.0 - 2018-09-27

Added

  • pdksync - (MODULES-6805) metadata.json shows support for puppet 6 #782 (tphoney)
  • (FM-7399) - Prepare for changelog generator #780 (pmcmaw)

1.13.0 - 2018-09-19

Added

Fixed

1.12.0 - 2018-01-25

Fixed

  • MODULES-6261: Fix error parsing rules with dashes in the chain name #744 (hantona)
  • (MODULES-6092) Set correct seluser for CentOS/RHEL 5.x #737 (mihall-primus)

1.11.0 - 2017-11-30

Fixed

  • (MODULES-6029) Skip unparsable rules with warning #738 (jistr)

1.10.0 - 2017-11-14

Changed

  • (MODULES-5501) - Remove unsupported Ubuntu #715 (pmcmaw)
  • (Modules-1141) No longer accepts an array for icmp types #puppethack #705 (spynappels)

Added

Fixed

  • [MODULES-5924] Fix unmanaged rule regex when updating an iptable. #729 (sathlan)
  • (MODULES-5692) Match more than a single space #727 (hunner)
  • (MODULES-5645) Choose correct IP version for hostname resolution #721 (kpengboy)
  • allow ip6tables to be disabled #694 (knackaron)
  • (MODULES-4200) Add simple sanity check for the rule to hash parser #666 (comel)

Other

1.9.0 - 2017-05-19

Added

Fixed

  • (maint) modify to account for spaces in iptables-save output #700 (eputnam)
  • Change - Ensure that firewalld is stopped before iptables starts #695 (blackknight36)
  • Properly handle negated --physdev-is-... rules #693 (mhutter)
  • MODULES-4279 use complete option for geoip #690 (jg-development)

1.8.2 - 2017-01-10

Added

  • Add RHEL7 SELinux support for new service_name_v6 param, subsequently fix puppet lint error #671 (wilson208)
  • [#puppethack] MODULES-1222 - added containment #667 (genebean)
  • Add --wait to iptables commands #647 (mwhahaha)

Fixed

  • Fixes SELinux compatibility with EL6 #664 (bmjen)
  • Re-add RHEL7 SELinux support for puppet3 #660 (bmjen)
  • Fixing issue with double quotes being removed when part of the comment #646 (kindred)
  • Implemented parameters for NFQUEUE jump target #644 (pid1co)
  • (MODULES-3572) Ip6tables service is not managed in the redhat family. #641 (marcofl)

1.8.1 - 2016-05-17

Changed

Added

  • (Modules 3329) Add support for iptables length and string extensions #630 (shumbert)
  • Add VirtuozzoLinux to the RedHat family #617 (jpnc)
  • support for multiple ipsets in a rule #615 (nabam)
  • Add 'ip' and 'pim' to proto #610 (lunkwill42)

Fixed

1.8.0 - 2016-02-17

Added

Fixed

  • Made Facter flushing specific to a single fact. #604 (jonnytdevops)
  • (MODULES 3932) - We need to call Facter.flush to clear Facter cache #603 (jonnytdevops)
  • (MODULES-2159) ignore the --connlimit-saddr switch when parsing rules #602 (paulseward)
  • Adding in log_uid boolean for LOG #593 (mlosapio)
  • (MODULES-2836) Fix handling of chains that contain '-f' #579 (maxvozeler)
  • (MODULES-2783) Missing ip6tables service name #578 (abednarik)

1.7.2 - 2015-12-07

Added

  • Add: sctp-protocol to "proto"-Parameter #589 (DavidS)
  • MODULES-2769 - Add security table for iptables. #575 (werekraken)

Fixed

  • (MODULES-1341) Recover when deleting absent rules #577 (reidmv)
  • (MAINT) RedHat 6 also uses unconfined_t #574 (DavidS)
  • MODULES-2487 Improve port deprecation warning #572 (roman-mueller)

1.7.1 - 2015-08-24

Changed

Fixed

1.7.0 - 2015-07-27

Added

Fixed

  • Makes all the services autorequired by the firewall and firewallchain types. #556 (jonnytdevops)
  • MODULES-2186 - iptables rules with -A in comment #555 (TJM)
  • Fix for physdev idempotency on EL5 #551 (jonnytdevops)
  • Fix addrtype inversion #543 (jonnytdevops)
  • (MODULES-1976) Revise rule name validation for ruby 1.9 #517 (karmix)
  • (MODULES-1967) Parse escape sequences from iptables #513 (karmix)

1.6.0 - 2015-05-19

Added

Fixed

1.5.0 - 2015-03-31

Added

  • MODULES-1832 - add Gentoo support #498 (derdanne)
  • MODULES-1636: Add --checksum-fill support. #460 (Zlo)

Fixed

  • MODULES-1808 - Implemented code for resource map munging to allow a single ipt module to be used multiple times in a single rule #496 (jonnytdevops)
  • Added code for physdev_is_bridged #491 (jonnytdevops)

1.4.0 - 2015-01-27

Added

Fixed

1.3.0 - 2014-12-16

Added

Fixed

1.2.0 - 2014-11-04

Changed

Added

  • Update to support PE3.x #420 (underscorgan)
  • Support netfilter-persistent for later versions #403 (rra)
  • (MODULES-450) Enable rule inversion #394 (hunner)
  • Add cbt protocol, to be able to mitigate some DDoS attacks #388 (thias)
  • add ipset support #383 (vzctl)
  • Add support for mac address source rules pt2 #337 (damjanek)

Fixed

  • ip6tables isn't supported on EL5 #428 (underscorgan)
  • Fixed firewalld package issue #426 (paramite)
  • (MODULES-41) Change source for ip6tables provider #422 (hunner)
  • (MODULES-1086) toports is not required with jump == REDIRECT #407 (hunner)
  • Bugfix stat_prob -> stat_probability #402 (hunner)
  • Improve support for EL7 and other related fixes #393 (hunner)
  • Fixed bug which arbitrarily limited iniface and outiface parameters #374 (lejonet)

1.1.3 - 2014-07-14

1.1.2 - 2014-06-05

Fixed

  • (MODULES-796) Fix policy ipsec options #363 (hunner)

1.1.1 - 2014-05-16

1.1.0 - 2014-05-13

Changed

Added

  • (MODULES-689) Add support for connlimit and connmark #344 (csschwe)

Fixed

1.0.2 - 2014-03-04

Fixed

  • Replace the symlink with the actual file to resolve a PMT issue. #331 (apenney)

1.0.1 - 2014-03-03

Fixed

  • Change OEL limitation description #326 (hunner)
  • Socket owner sles madness #324 (apenney)
  • Fix logic for supported socket platforms #322 (hunner)
  • Bugfix: Account for rules sorted after unmanaged rules #321 (hunner)
  • Fix various differences for rhel5 #314 (hunner)
  • Use iptables-save and parse the output #311 (hunner)

1.0.0 - 2014-02-11

0.5.0 - 2014-02-10

Added

Fixed

  • Fix for #286 for pre-existing rules at the start of a chain #303 (hunner)
  • Fix #300 for match extension protocol #302 (hunner)
  • (MODULES-451) Match extension protocol for multiport #300 (hunner)
  • (MODULES-16) Correct src_range dst_range ordering #293 (hunner)
  • (MODULES-442) Correct boolean properties behavior #291 (hunner)
  • (MODULES-441) Helpfully fail when modifying chains #288 (hunner)
  • (MODULES-439) Work around existing rules #286 (hunner)
  • fix handling of builtin chains #271 (phemmer)
  • Remove redundant include call in system spec helper. #253 (stefanozanella)
  • Generate parser list #248 (senax)
  • No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking #240 (doc75)

0.4.2 - 2013-09-10

0.4.1 - 2013-08-12

0.4.0 - 2013-07-12

Added

  • Feature/master/add support for iprange #219 (hunner)

list - 2013-07-09

Added

Fixed

  • Update providers to use expect syntax #217 (hunner)
  • Fix #188: -f in comment leads to puppet resource firewall failing. #204 (georgkoester)

0.3.1 - 2013-06-10

Fixed

  • Ensure all services have 'hasstatus => true' for Puppet 2.6 #197 (kbarber)
  • Accept pre-existing rule with invalid name #192 (joejulian)
  • Swap log_prefix and log_level order to match the way it's saved #191 (joejulian)
  • (#20912) Split arguments while maintaining quoted strings #189 (joejulian)

0.3.0 - 2013-04-25

Added

  • (#171) Added ensure parameter to firewall class #172 (cr3)
  • (20096) Support systemd on Fedora 15 and up #145 (ecbypi)

Fixed

0.2.1 - 2013-03-13

0.2.0 - 2013-03-03

Added

  • (GH-134) Autorequire iptables related packages #136 (dcarley)

Fixed

0.1.1 - 2013-02-28

0.1.0 - 2013-02-24

Added

  • (#15556) Support for ICMP6 type code resolutions #87 (dcarley)
  • (#15038) add gre protocol to list of acceptable protocols #85 (jasonhancock)
  • Ticket/11305 support vlan interface #70 (kbarber)
  • Ticket/10162 firewallchain support for merge #62 (kbarber)

Fixed

  • Mock Resolv.getaddress in #host_to_ip #110 (dcarley)
  • ip6tables provider always executes /sbin/iptables command #105 (wuwx)
  • (#10322) Insert order hash included chains from different tables #89 (kbarber)
  • (#10274) Nullify addresses with zero prefixlen #80 (dcarley)
  • Ticket/10619 unable to purge rules #69 (kbarber)
  • (#13201) Firewall autorequire Firewallchains #67 (dcarley)
  • (#13192) Fix allvalidchain iteration #63 (kbarber)
  • Improved Puppet DSL style as per the guidelines. #61 (adamgibbins)
  • (#10164) Reject and document icmp => "any" #60 (dcarley)
  • (#11443) simple fix of the error message for allowed values of the jump property #50 (grooverdan)

v0.0.4 - 2011-12-05

Added

v0.0.3 - 2011-11-12

Fixed

  • (#10700) allow additional characters in comment string #30 (saysjonathan)

v0.0.2 - 2011-10-26

Added

  • (#9362) Create action property and perform transformation for accept, dro #15 (kbarber)

Fixed

  • (#10295) Work around bug #4248 whereby the puppet/util paths are not bein #22 (kbarber)
  • (#10002) Change to dport and sport to handle ranges, and fix handling of #21 (kbarber)

v0.0.1 - 2011-10-18
