I have this working in our environment as a module, which I will attempt to describe.
module: casfirewall

init.pp:

    class casfirewall {
      include casfirewall::default, casfirewall::fwpre, casfirewall::fwpost

      file { "/etc/iptables":
        ensure => "directory",
        owner  => "root",
        group  => "root",
        mode   => "0700",   # quoted octal; an unquoted 700 is not read as octal
      }

      # Always persist firewall rules
      exec { "persist-firewall":
        command => $operatingsystem ? {
          "debian"          => "/sbin/iptables-save > /etc/iptables/rules.v4",
          /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
        },
        refreshonly => true,
        require     => File["/etc/iptables"],
      }

      # Resource defaults for every firewall rule in this module
      Firewall {
        notify  => Exec["persist-firewall"],
        before  => Class["casfirewall::fwpost"],
        require => Class["casfirewall::fwpre"],
      }

      # Setup firewall resource: remove any rule not managed by Puppet
      resources { "firewall":
        purge => true,
      }
    }

As you can see, this holds the meat and potatoes by including the Firewall notify, before, and require bits.

The fwpre class contains the initial firewall settings (abbreviated here):

    class casfirewall::fwpre {
      # Reset the require default so these rules do not depend on their own class
      Firewall {
        require => undef,
      }

      firewall { "000 allow outbound":
        proto  => "all",
        chain  => "OUTPUT",
        action => accept,
      }
      ...

The fwpost class contains the drop-everything-else rule. Because of the before ordering in init.pp this rule gets applied last (and was the reason for starting this thread in the first place):

    class casfirewall::fwpost {
      firewall { "999 drop all":
        proto  => "all",
        action => drop,
        before => undef,   # reset the before default so the rule is not ordered before its own class
      }
    }

In our init.pp we also have defined a default class. This contains all the rules to open ports to our monitoring servers or backup servers. These get applied after the initial pre class, and before the post, as you would expect.

I hope that helps. The suggestions given in this thread about firewall ordering very much helped us. I look forward to seeing the firewall module get another release and more user uptake.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/-B3-kjpoFvYJ.
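As an added example that is not part of the post above or of the puppetlabs-firewall module: a shell check a practitioner can run against the persisted iptables-save output the module writes, verifying that the numbered rule comments in a chain are in ascending order and that the chain ends in the drop rule. The sample rule dumps are constructed to resemble what this module would produce, including one with the drop rule misordered.

```shell
#!/bin/sh
# Added example: verify puppetlabs-firewall style rule ordering in an
# iptables-save dump. Rule comments follow the "NNN description" convention,
# so the NNN prefixes must be ascending within a chain and the chain must
# end in the "999 drop all" DROP rule described in the post.

# Constructed sample of a well-ordered /etc/iptables/rules.v4.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m comment --comment "000 allow loopback" -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5666 -m comment --comment "200 allow nrpe from monitoring" -j ACCEPT
-A INPUT -m comment --comment "999 drop all" -j DROP
-A OUTPUT -m comment --comment "000 allow outbound" -j ACCEPT
COMMIT'

# Constructed sample of the failure mode the thread is about: the drop rule
# applied before the allow rules, so it shadows them.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m comment --comment "999 drop all" -j DROP
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -j ACCEPT
COMMIT'

# check_chain_order CHAIN RULES
# Prints "ok" when the numeric comment prefixes of CHAIN are ascending and the
# last rule in CHAIN jumps to DROP; prints "bad" otherwise.
check_chain_order() {
    chain=$1
    rules=$2
    printf '%s\n' "$rules" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            split($0, parts, "\"")      # comment text sits between the quotes
            num = parts[2] + 0          # leading NNN of the comment
            if (num < prev) { bad = 1 } # out-of-order rule found
            prev = num
            last = $NF                  # jump target of the most recent rule
        }
        END { print (bad || last != "DROP") ? "bad" : "ok" }'
}
```

Run it against the live file with `check_chain_order INPUT "$(cat /etc/iptables/rules.v4)"`; any chain that must end in a drop rule can be checked the same way.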