

Firewall rules for Puppet Application Manager



Version information

  • 1.0.0 (latest)
released Aug 30th 2021
This version is compatible with:
  • Puppet Enterprise 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 8.0.0
  • RedHat

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-pam_firewall', '1.0.0'

Add this module to your Bolt project:

bolt module add puppetlabs-pam_firewall

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-pam_firewall --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppetlabs/pam_firewall — version 1.0.0 Aug 30th 2021


Configures firewall rules using the firewall module for Puppet Application Manager.


This module configures firewall rules using the firewall module for Puppet Application Manager (PAM) installed on Puppet-supported Kubernetes.

The preserve-iptables-config option should be supplied while installing PAM to leave the iptables service enabled, as in bash -s preserve-iptables-config. The PAM installation must be run after applying this module to ensure Kubernetes firewall rules are registered with the iptables service.

It specifically avoids purging foreign rules and chains created by Kubernetes. It also exposes ports to cluster members that need access (currently treats primary and secondary nodes identically) and exposes application ports globally.


The module declares a single class that can be applied to your cluster members.

The defaults work for a Standalone install:

include ::firewall
include ::pam_firewall

An example is provided that demonstrates using this module while locking down most other inbound access. You can run it with Bolt:

bolt module install
bolt apply examples/init.pp --run-as root --targets $target

HA cluster

If installing an HA cluster, you'll need to provide cluster_nodes for all members to enable intra-cluster communication:

include ::firewall
class {'::pam_firewall':
    # one entry per cluster member
    cluster_nodes => ['', '', ''],
}

Application ports

You can also override app_ports to be more restrictive if you are not using all ports. For example, port 9001 is only used by CD4PE in an offline install, and port 8000 is only used by CD4PE for webhooks:

include ::firewall
class {'::pam_firewall':
    # expose only the application ports that are actually in use
    app_ports => [443],
}


If you need to override the pod and/or service subnets for a PAM install, you'll also need to provide those here:

include ::firewall
class {'::pam_firewall':
    # must match the subnets given to the PAM install
    pod_subnet     => '',
    service_subnet => '',
}

Managing common firewall chains

If you manage common firewall chains explicitly and purge unknown rules, such as

firewallchain {'OUTPUT:filter:IPv4':
    policy => 'drop',
    purge  => true,
}

you'll need to disable this module's management of those chains and ignore foreign rules to avoid deleting rules created by Kubernetes:

include ::firewall
class {'::pam_firewall':
    # the chains are declared explicitly below
    manage_common_chains => false,
}

firewallchain {'OUTPUT:filter:IPv4':
    policy         => 'drop',
    purge          => true,
    # leave rules Puppet did not create (such as those from Kubernetes) in place
    ignore_foreign => true,
}
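
The HA, application-port and common-chain settings above combined into one profile with a default-deny INPUT chain, as an added example that is not the module's own examples/init.pp. The node and admin addresses are constructed placeholders, and the `action` parameter assumes a puppetlabs-firewall release that still accepts it.

```puppet
# Added example: not the module's examples/init.pp.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).
$pam_nodes   = ['192.0.2.11', '192.0.2.12', '192.0.2.13']
$admin_range = '198.51.100.0/24'

include ::firewall

# The profile owns the common chains, so pam_firewall must not manage them.
class { '::pam_firewall':
    cluster_nodes        => $pam_nodes,
    app_ports            => [443],
    manage_common_chains => false,
}

# Default-deny inbound. purge removes unmanaged rules from the chain;
# ignore_foreign exempts rules Puppet did not create, which is what keeps
# the rules Kubernetes inserts from being deleted on every run.
firewallchain { 'INPUT:filter:IPv4':
    ensure         => present,
    policy         => 'drop',
    purge          => true,
    ignore_foreign => true,
}

# Baseline accepts so the drop policy does not cut off management access.
# 'action' is assumed to be supported by the installed puppetlabs-firewall.
firewall { '000 accept loopback':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
}

firewall { '001 accept established and related':
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
}

firewall { '002 accept ssh from admin range':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    source => $admin_range,
    action => 'accept',
}
```

Apply it to every cluster member before running the PAM installer with preserve-iptables-config, so the Kubernetes rules are registered on top of this baseline.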