

Firewall rules for Puppet Application Manager



Version information

  • 1.0.4 (latest)
  • 1.0.3
  • 1.0.2
  • 1.0.0
released Aug 8th 2023
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 8.0.0

Start using this module

Add this module to your Puppetfile:

mod 'puppetlabs-pam_firewall', '1.0.4'

Add this module to your Bolt project:

bolt module add puppetlabs-pam_firewall

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-pam_firewall --version 1.0.4

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppetlabs/pam_firewall — version 1.0.4 Aug 8th 2023


Configures firewall rules using the firewall module for Puppet Application Manager.


This module configures firewall rules using the firewall module for Puppet Application Manager (PAM) installed on Puppet-supported Kubernetes.

The preserve-iptables-config option should be supplied while installing PAM to leave the iptables service enabled, as in bash -s preserve-iptables-config. The PAM installation must be run after applying this module to ensure Kubernetes firewall rules are registered with the iptables service.

It specifically avoids purging foreign rules and chains created by Kubernetes. It also exposes ports to cluster members that need access (currently treats primary and secondary nodes identically) and exposes application ports globally.


The module declares a single class that can be applied to your cluster members.

The defaults work for a Standalone install:

include ::firewall
include ::pam_firewall

An example is provided that demonstrates using this module while locking down most other inbound access. You can run it with Bolt:

bolt module install
bolt apply examples/init.pp --run-as root --targets $target

Note that this module ensures firewall rules created by Kubernetes remain if you purge unknown rules in firewall chains and unknown firewall chains with

Firewallchain {
    purge => true,
}
resources { 'firewallchain':
    purge => true,
}

but not if you purge all unknown firewall rules with

resources { 'firewall':
    purge => true,
}

HA cluster

If installing an HA cluster, you'll need to provide cluster_nodes for all members to enable intra-cluster communication:

include ::firewall
class {'::pam_firewall':
    # one entry per cluster member
    cluster_nodes => ['', '', ''],
}

Application ports

You can also override app_ports to be more restrictive if you are not using all ports. For example, port 9001 is only used by CD4PE in an offline install, and port 8000 is only used by CD4PE for webhooks:

include ::firewall
class {'::pam_firewall':
    # expose only HTTPS globally
    app_ports => [443],
}


If you need to override pod and/or service subnets for a PAM install, you'll also need to provide those here:

include ::firewall
class {'::pam_firewall':
    pod_subnet     => '',
    service_subnet => '',
}

Managing common firewall chains

If you manage common firewall chains explicitly and purge unknown rules, such as

firewallchain { 'OUTPUT:filter:IPv4':
    policy => 'drop',
    purge  => true,
}

you'll need to disable this module's management of those chains and ignore foreign rules to avoid deleting rules created by Kubernetes:

include ::firewall
class {'::pam_firewall':
    manage_common_chains => false,
}

firewallchain { 'OUTPUT:filter:IPv4':
    policy         => 'drop',
    purge          => true,
    # keep rules that Puppet does not manage, such as those created by Kubernetes
    ignore_foreign => true,
}
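
A check for the purge behaviour described above (an added example, not part of the module or its README): it compares two iptables-save dumps, taken before and after a Puppet run, and lists Kubernetes chains and rules that disappeared. The function names, the KUBE- default pattern (the kube-proxy chain prefix) and the sample dumps are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report Kubernetes-owned chains and rules that vanished
# between two iptables-save dumps (before and after a Puppet run).

# Reduce a dump to "TABLE chain NAME" and "TABLE rule -A ..." lines.
# Chain policies and packet counters are dropped so they cause no noise.
normalise() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^:/   { print table, "chain", substr($1, 2); next }
        /^-A / { print table, "rule", $0 }
    ' "$1" | sort -u
}

# lost_entries BEFORE AFTER [PATTERN]
# Prints entries matching PATTERN that are in BEFORE but missing from AFTER.
# PATTERN defaults to "KUBE-" (assumption: add your CNI plugin's chain
# prefix if it programs iptables as well).
lost_entries() {
    after_norm=$(mktemp)
    normalise "$2" > "$after_norm"
    normalise "$1" | grep -Fxv -f "$after_norm" | grep -e "${3:-KUBE-}" || true
    rm -f "$after_norm"
}

# Constructed sample dumps, not captured from a real PAM host.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/before" <<'EOF'
*filter
:INPUT ACCEPT [10:840]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j KUBE-SERVICES
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
    cat > "$dir/after" <<'EOF'
*filter
:INPUT DROP [0:0]
:KUBE-SERVICES - [4:240]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
    lost_entries "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

On a cluster member, capture the dumps with iptables-save > before.rules and iptables-save > after.rules around the Puppet run; empty output means nothing matching the pattern was purged.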