{"id":15022818,"url":"https://github.com/voxpupuli/puppet-firewalld","last_synced_at":"2026-04-02T01:20:28.499Z","repository":{"id":28100537,"uuid":"31598789","full_name":"voxpupuli/puppet-firewalld","owner":"voxpupuli","description":"Puppet module for managing firewalld","archived":false,"fork":false,"pushed_at":"2026-03-28T12:46:58.000Z","size":817,"stargazers_count":41,"open_issues_count":59,"forks_count":81,"subscribers_count":40,"default_branch":"master","last_synced_at":"2026-03-28T16:03:00.479Z","etag":null,"topics":["centos-puppet-module","firewalld","hacktoberfest","linux-puppet-module","oraclelinux-puppet-module","puppet","puppet-module","redhat-puppet-module","ruby"],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/voxpupuli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"open_collective":"vox-pupuli","github":"voxpupuli"}},"created_at":"2015-03-03T13:07:02.000Z","updated_at":"2026-03-28T12:47:01.000Z","dependencies_parsed_at":"2024-11-06T08:02:47.324Z","dependency_job_id":"d45d683c-cd43-4d49-84d6-26a1a0c31a94","html_url":"https://github.com/voxpupuli/puppet-firewalld","commit_stats":{"total_commits":464,"total_committers":65,"mean_commits":7.138461538461539,"dds":0.6616379310344828,"last_synced_commit":"9767cbef8ca9581a2449694b14cc9ec76f19a4c4"},"previous_names":["crayfishx/puppet-firewalld"],"tags_count":41,"template":false,"template_full_name":null,
"purl":"pkg:github/voxpupuli/puppet-firewalld","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-firewalld","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-firewalld/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-firewalld/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-firewalld/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/voxpupuli","download_url":"https://codeload.github.com/voxpupuli/puppet-firewalld/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-firewalld/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31293768,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T01:05:07.454Z","status":"ssl_error","status_checked_at":"2026-04-02T00:56:46.496Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["centos-puppet-module","firewalld","hacktoberfest","linux-puppet-module","oraclelinux-puppet-module","puppet","puppet-module","redhat-puppet-module","ruby"],"created_at":"2024-09-24T19:58:25.043Z","updated_at":"2026-04-02T01:20:28.483Z","avatar_url":"https://github.com/voxpupuli.png","language":"Ruby","funding_links":["https://opencollective.com/vox-pupuli","https://github.com/sponsors/voxpupuli"],"categories":[],"sub_categories":[],"readme":"# Module: firewalld\n\n[![License](https://img.shields.io/github/license/voxpupuli/puppet-firewalld.svg)](https://github.com/voxpupuli/puppet-firewalld/blob/master/LICENSE)\n[![Build Status](https://github.com/voxpupuli/puppet-firewalld/actions/workflows/ci.yml/badge.svg)](https://github.com/voxpupuli/puppet-firewalld/actions/workflows/ci.yml)\n[![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/firewalld.svg)](https://forge.puppetlabs.com/puppet/firewalld)\n[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/firewalld.svg)](https://forge.puppetlabs.com/puppet/firewalld)\n[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/firewalld.svg)](https://forge.puppetlabs.com/puppet/firewalld)\n[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/firewalld.svg)](https://forge.puppetlabs.com/puppet/firewalld)\n\n## Description\n\nThis module manages firewalld, the userland interface that replaces\niptables and ships with RHEL7+. 
The module manages firewalld itself as\nwell as providing types and providers for managing firewalld zones,\npolicies, ports, and rich rules.\n\n## Compatibility\n\nLatest versions of this module are only supported on Puppet\n7.0+.\n\n## Usage\n\n```puppet\nclass { 'firewalld': }\n```\n\n### Parameters\n\n* `package`: Name of the package to install (default firewalld)\n* `package_ensure`: Default 'installed', can be any supported ensure type for\n  the package resource\n* `config_package`: Name of the GUI package, default firewall-config\n* `install_gui`: Whether or not to install the config_package (default: false)\n* `service_ensure`: Whether the service should be running or not (default: running)\n* `service_enable`: Whether to enable the service\n* `default_zone`: Optional, set the default zone for interfaces (default: undef)\n* `firewall_backend`: Optional, set the firewall backend for firewalld (default:\n  undef)\n* `default_service_zone`: Optional, set the default zone for services (default: undef)\n* `default_port_zone`: Optional, set the default zone for ports (default: undef)\n* `default_port_protocol`: Optional, set the default protocol for ports\n  (default: undef)\n* `log_denied`: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one\n  of `off`, `all`, `multicast`, `unicast`, `broadcast` (default: undef)\n* `zones`: A hash of [firewalld zones](#firewalld-zones) to configure\n* `policies`: A hash of [firewalld policies](#firewalld-policies) to configure\n* `ports`: A hash of [firewalld ports](#firewalld-ports) to configure\n* `services`: A hash of [firewalld services](#firewalld-service) to configure\n* `rich_rules`: A hash of [firewalld rich rules](#firewalld-rich-rules) to configure\n* `custom_services`: A hash of [firewalld custom\n  services](#firewalld-custom-service) to configure\n* `direct_rules`: A hash of [firewalld direct rules](#firewalld-direct-rules) to\n  configure\n* `direct_chains`: A hash of [firewalld direct 
chains](#firewalld-direct-chains)\n  to configure\n* `direct_passthroughs`: A hash of [firewalld direct\n  passthroughs](#firewalld-direct-passthroughs) to configure\n* `purge_direct_rules`: True or false, whether to purge [firewalld direct\n  rules](#firewalld-direct-rules)\n* `purge_direct_chains`: True or false, whether to purge [firewalld direct\n  chains](#firewalld-direct-chains)\n* `purge_direct_passthroughs`: True or false, whether to purge [firewalld direct\n  passthroughs](#firewalld-direct-passthroughs)\n\n## Resource Types\n\nThe firewalld module contains types and providers to manage zones,\nservices, ports, and rich rules by interfacing with the `firewall-cmd`\ncommand. The following types are currently supported. Note that all\nzone, service, port, and rule management is done in `--permanent`\nmode, and a complete reload will be triggered anytime something\nchanges.\n\nThis module supports a number of resource types\n\n* [firewalld_zone](#firewalld-zones)\n* [firewalld_policy](#firewalld-policies)\n* [firewalld_port](#firewalld-ports)\n* [firewalld_service](#firewalld-service)\n* [firewalld_ipset](#firewalld-ipsets)\n* [firewalld_rich_rule](#firewalld-rich-rules)\n* [firewalld_direct_chain](#firewalld-direct-chains)\n* [firewalld_direct_rule](#firewalld-direct-rules)\n* [firewalld_direct_passthrough](#firewalld-direct-passthroughs)\n\nNote, it is always recommended to include the `::firewalld` class if\nyou are going to use any of these resources from another Puppet class\n(eg: a profile) as it sets up the relationships between the\n`firewalld` service resource and the exec resource to reload the\nfirewall upon change. Without the `firewalld` class included then the\nfirewall will not be reloaded upon change. The recommended pattern is\nto put all resources into hiera and let the `firewalld` class set them\nup. 
Examples of both forms are presented for the resource types below.\n\n### Firewalld Zones\n\nFirewalld zones can be managed with the `firewalld_zone` resource type.\n\n_Example in Class_:\n\n```puppet\n  firewalld_zone { 'restricted':\n    ensure           =\u003e present,\n    target           =\u003e '%%REJECT%%',\n    purge_rich_rules =\u003e true,\n    purge_services   =\u003e true,\n    purge_ports      =\u003e true,\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::zones:\n  restricted:\n    ensure: present\n    target: '%%REJECT%%'\n    purge_rich_rules: true\n    purge_services: true\n    purge_ports: true\n```\n\n#### Parameters (Firewalld Zones)\n\n* `target`: Specify the target of the zone.\n* `interfaces`: An array of interfaces for this zone\n* `sources`: An array of sources for the zone\n* `protocols`: An array of protocols for the zone\n* `icmp_blocks`: An array of ICMP blocks for the zone\n* `masquerade`: If set to `true` or `false` specifies whether or not\n  to add masquerading to the zone\n* `purge_rich_rules`: Optional, and defaulted to false. When true any\n  configured rich rules found in the zone that do not match what is in\n  the Puppet catalog will be purged.\n* `purge_services`: Optional, and defaulted to false. When true any\n  configured services found in the zone that do not match what is in\n  the Puppet catalog will be purged. *Warning:* This includes the\n  default ssh service, if you need SSH to access the box, make sure\n  you add the service through either a rich firewall rule, port, or\n  service (see below) or you will lock yourself out!\n* `purge_ports`: Optional, and defaulted to false. When true any\n  configured ports found in the zone that do not match what is in the\n  Puppet catalog will be purged. *Warning:* As with services, this\n  includes the default ssh port. 
If you fail to specify the\n  appropriate port, rich rule, or service, you will lock yourself out.\n\n### Firewalld policies\n\nFirewalld policies can be managed with the `firewalld_policy` resource type.\n\n_Example in Class_:\n\n```puppet\n  firewalld_policy { 'anytorestricted':\n    ensure           =\u003e present,\n    target           =\u003e '%%REJECT%%',\n    ingress_zones    =\u003e ['ANY'],\n    egress_zones     =\u003e ['restricted'],\n    purge_rich_rules =\u003e true,\n    purge_services   =\u003e true,\n    purge_ports      =\u003e true,\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::policies:\n  anytorestricted:\n    ensure: present\n    target: '%%REJECT%%'\n    ingress_zones:\n      - 'ANY'\n    egress_zones:\n      - 'restricted'\n    purge_rich_rules: true\n    purge_services: true\n    purge_ports: true\n```\n\n#### Parameters (Firewalld policies)\n\n* `target`: Specify the target of the policy.\n* `ingress_zones`: An array of ingress zones for this policy.\n* `egress_zones`: An array of egress zones for this policy.\n* `priority`: A non zero integer specifying the priority of this\n  policy, policies with negative priorities apply before rules in\n  zones, policies with positive priorities, after. Defaults to -1.\n* `icmp_blocks`: An array of ICMP blocks for the policy\n* `masquerade`: If set to `true` or `false` specifies whether or not\n  to add masquerading to the policy\n* `purge_rich_rules`: Optional, and defaulted to false. When true any\n  configured rich rules found in the policy that do not match what is in\n  the Puppet catalog will be purged.\n* `purge_services`: Optional, and defaulted to false. When true any\n  configured services found in the policy that do not match what is in\n  the Puppet catalog will be purged.\n* `purge_ports`: Optional, and defaulted to false. 
When true any\n  configured ports found in the policy that do not match what is in the\n  Puppet catalog will be purged.\n\n### Firewalld Rich Rules\n\nFirewalld rich rules are managed using the `firewalld_rich_rule`\nresource type\n\nExactly one of the `zone` or `policy` parameters must be given\n\nfirewalld_rich_rules will `autorequire` the firewalld_zone specified\nin the `zone` parameter or the firewalld_policy specified in the\n`policy` parameter so there is no need to add dependencies for this\n\n_Example in Class_:\n\n```puppet\n  firewalld_rich_rule { 'Accept SSH from barny':\n    ensure =\u003e present,\n    zone   =\u003e 'restricted',\n    source =\u003e '192.168.1.2/32',\n    service =\u003e 'ssh',\n    action  =\u003e 'accept',\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::rich_rules:\n  'Accept SSH from barny':\n    ensure: present\n    zone: restricted\n    source: '192.168.1.2/32'\n    service: 'ssh'\n    action: 'accept'\n```\n\n#### Parameters (Firewalld Rich Rules)\n\n* `zone`: (Optional) Name of the zone this rich rule belongs to\n\n* `policy`: (Optional) Name of the policy this rich rule belongs to\n\n* `family`: Protocol family, defaults to `ipv4`\n\n* `source`: Source address information. This can be a hash containing\n  the keys `address or ipset` and `invert`, or a string containing\n  just the IP address\n\n  ```puppet\n     source =\u003e '192.168.2.1',\n\n     source =\u003e { 'address' =\u003e '192.168.1.1', 'invert' =\u003e true }\n     source =\u003e { 'ipset' =\u003e 'whitelist', 'invert' =\u003e true }\n     source =\u003e { 'ipset' =\u003e 'blacklist' }\n  ```\n\n* `dest`: Destination address information. 
This can be a hash\n  containing the keys `address` or `ipset` and `invert`, or a string\n  containing just the IP address\n\n  ```puppet\n     dest =\u003e '192.168.2.1',\n\n     dest =\u003e { 'address' =\u003e '192.168.1.1', 'invert' =\u003e true }\n     dest =\u003e { 'ipset' =\u003e 'whitelist', 'invert' =\u003e true }\n     dest =\u003e { 'ipset' =\u003e 'blacklist' }\n  ```\n\n* `log`: When set to `true` will enable logging, optionally this can\n  be a hash with `prefix`, `level` and `limit`\n\n  ```puppet\n     log =\u003e { 'level' =\u003e 'debug', 'prefix' =\u003e 'foo' },\n\n     log =\u003e true,\n  ```\n\n* `audit`: When set to `true` will enable auditing, optionally this\n  can be a hash with `limit`\n\n  ```puppet\n     audit =\u003e { 'limit' =\u003e '3/s' },\n\n     audit =\u003e true,\n  ```\n\n* `action`: A string containing the action `accept`, `reject` or\n  `drop`. For `reject` it can be optionally supplied as a hash\n  containing `type`\n\n  ```puppet\n     action =\u003e 'accept'\n\n     action =\u003e { 'action' =\u003e 'reject', 'type' =\u003e 'bad' }\n  ```\n\nThe following parameters are the elements of the rich rule; only _one_\nmay be used.\n\n* `service`: Name of the service\n\n* `protocol`: Protocol of the rich rule\n\n* `port`: A hash containing `port` and `protocol` values\n\n  ```puppet\n     port =\u003e {\n       'port' =\u003e 80,\n       'protocol' =\u003e 'tcp',\n     },\n  ```\n\n* `icmp_block`: Specify an `icmp-block` for the rule\n\n* `masquerade`: Set to `true` or `false` to enable masquerading\n\n* `forward_port`: Set forward-port; this should be a hash containing\n  `port`, `protocol`, `to_port`, `to_addr`\n\n  ```puppet\n     forward_port =\u003e {\n       'port' =\u003e '8080',\n       'protocol' =\u003e 'tcp',\n       'to_addr' =\u003e '10.2.1.1',\n       'to_port' =\u003e '8993'\n     },\n  ```\n\n### Firewalld Custom Service\n\nThe `firewalld_custom_service` defined type creates and manages\ncustom services. 
It makes the service usable by firewalld, but does\nnot add it to any zones. To do that, use the firewalld::service type.\n\n_Example in Class_:\n\n```puppet\n    firewalld_custom_service{'puppet':\n      short       =\u003e 'puppet',\n      description =\u003e 'Puppet Client access Puppet Server',\n      ports       =\u003e [\n        {\n            'port'     =\u003e '8140',\n            'protocol' =\u003e 'tcp',\n        },\n        {\n            'port'     =\u003e '8140',\n            'protocol' =\u003e 'udp',\n        },\n      ],\n      module      =\u003e ['nf_conntrack_netbios_ns'],\n     'ipv4_destination' =\u003e '127.0.0.1',\n     'ipv6_destination' =\u003e '::1'\n    }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::custom_services:\n  puppet:\n    short: 'puppet'\n    description: 'Puppet Client access Puppet Server'\n    ports:\n      - port: 8140\n        protocol: 'tcp'\n    module: 'nf_conntrack_netbios_ns'\n    ipv4_destination: '127.0.0.1'\n    ipv6_destination: '::1'\n```\n\nThis resource will create the following XML service definition in\n/etc/firewalld/services/XZY.xml\n\n```\n    \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n    \u003cservice\u003e\n      \u003cshort\u003epuppet\u003c/short\u003e\n      \u003cdescription\u003ePuppet Client access Puppet Server\u003c/description\u003e\n      \u003cport protocol=\"tcp\" port=\"8140\" /\u003e\n      \u003cport protocol=\"udp\" port=\"8140\" /\u003e\n      \u003cmodule name=\"nf_conntrack_netbios_ns\"/\u003e\n      \u003cdestination ipv4=\"127.0.0.1\" ipv6=\"::1\"/\u003e\n    \u003c/service\u003e\n```\n\nand you will also see 'puppet' in the service list when you issue\n`firewall-cmd --permanent --get-services`\n\n#### Parameters (Firewalld Custom Service)\n\n* `short`: (namevar) The short name of the service (what you see in\n  the firewalld command line output)\n\n* `description`: (Optional) A short description of the service\n\n* `ports`: (Optional) The protocol / port definitions 
for this service.\n  Specified as an array of hashes, where each hash defines a protocol\n  and/or port associated with this service. Each hash requires both\n  port and protocol keys, even if the value is an empty string.\n  Specifying a port only works for TCP \u0026 UDP, otherwise leave it empty\n  and the entire protocol will be allowed. Valid protocols are tcp,\n  udp, or any protocol defined in /etc/protocols.\n\n  ```puppet\n     ports =\u003e [{'port' =\u003e '1234', 'protocol' =\u003e 'tcp'}],\n\n     ports =\u003e [{'port' =\u003e '4321', 'protocol' =\u003e 'udp'}, {'protocol' =\u003e 'rdp'}],\n  ```\n\nThe `ports` parameter can also take a range of ports separated by a\ncolon or a dash (colons are replaced by dashes), for example:\n\n```puppet\n   ports =\u003e [ {'port' =\u003e '8000:8002', 'protocol' =\u003e 'tcp'} ]\n```\n\nwill produce:\n\n```xml\n    \u003cport protocol=\"tcp\" port=\"8000-8002\" /\u003e\n```\n\n* `protocols`: (Optional) An array of protocols allowed by the service\n  as defined in /etc/protocols.\n\n  ```puppet\n     protocols =\u003e ['ospf'],\n  ```\n\n* `module`: (Optional) An array of strings specifying netfilter kernel\n  helper modules associated with this service\n\n* `ipv4_destination`: (Optional) A string specifying the destination\n  network as a network IP address (optionally with /mask), or a plain IP\n  address.\n  The use of hostnames is possible but not recommended,\n  because these will only be resolved at service activation and\n  transmitted to the kernel.\n\n  ```puppet\n     ipv4_destination =\u003e '192.0.2.0/24',\n  ```\n\n* `ipv6_destination`: (Optional) A string specifying the destination\n  network as a network IP address (optionally with /mask), or a plain IP\n  address.\n  The use of hostnames is possible but not recommended,\n  because these will only be resolved at service activation and\n  transmitted to the kernel.\n\n  ```puppet\n     ipv6_destination =\u003e '2001:db8::/32',\n  ```\n\n* `config_dir`: 
The location where the service definition XML files\n  will be stored. Defaults to /etc/firewalld/services\n\n### Firewalld Service\n\nThe `firewalld_service` type is used to add or remove both built in\nand custom services from zones.\n\nExactly one of the `zone` or `policy` parameters must be given.\n\nfirewalld_service will `autorequire` the firewalld_zone specified in\nthe `zone` parameter and the firewalld_custom_service specified in\nthe `service` parameter, so there is no need to add dependencies for\nthis\n\n_Example in Class_:\n\n```puppet\n  firewalld_service { 'Allow SSH from the external zone':\n    ensure  =\u003e 'present',\n    service =\u003e 'ssh',\n    zone    =\u003e 'external',\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::services:\n  'Allow SSH from the external zone':\n    ensure: present\n    service: ssh\n    zone: external\n  dhcp:\n    ensure: absent\n    service: dhcp\n    zone: public\n  dhcpv6-client:\n    ensure: present\n    service: dhcpv6-client\n    zone: public\n```\n\n#### Parameters (Firewalld Service)\n\n* `service`: Name of the service to manage, defaults to the resource\n  name.\n\n* `zone`: Name of the zone in which you want to manage the service,\n  defaults to parameter `default_service_zone` of class `firewalld` if\n  specified.\n\n* `policy`: Name of the policy in which you want to manage the\n  service. 
Make sure to set `zone` to `unset` if you use this and have\n  specified `default_service_zone` for class `firewalld`.\n\n* `ensure`: Whether to add (`present`) or remove the service\n  (`absent`), defaults to `present`.\n\n### Firewalld IPsets\n\nFirewalld IPsets (on supported versions of firewalld) can be managed\nusing the `firewalld_ipset` resource type\n\n_Example_:\n\n```puppet\n  firewalld_ipset { 'whitelist':\n    ensure =\u003e present,\n    entries =\u003e [ '192.168.0.1', '192.168.0.2' ]\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::ipsets:\n  whitelist:\n    entries:\n      - 192.168.0.1\n      - 192.168.0.2\n```\n\n#### Parameters (Firewalld IPsets)\n\n* `entries`: An array of entries for the IPset\n* `type`: Type of ipset (default: `hash:ip`)\n* `options`: A hash of options for the IPset (eg:\n  `{ \"family\" =\u003e \"inet6\"}`)\n\nNote that `type` and `options` are parameters used when creating the\nIPset and are not managed after creation - to change the type or\noptions of an ipset you must delete the existing ipset first.\n\n### Firewalld Ports\n\nFirewalld ports can be managed with the `firewalld_port` resource\ntype.\n\nExactly one of the `zone` or `policy` parameters must be given.\n\nfirewalld_port will `autorequire` the firewalld_zone specified in the\n`zone` parameter so there is no need to add dependencies for this\n\n_Example_:\n\n```puppet\n  firewalld_port { 'Open port 8080 in the public zone':\n    ensure   =\u003e present,\n    zone     =\u003e 'public',\n    port     =\u003e 8080,\n    protocol =\u003e 'tcp',\n  }\n```\n\n_Example in Hiera_:\n\n```yaml\nfirewalld::ports:\n  'Open port 8080 in the public zone':\n    ensure: present\n    zone: public\n    port: 8080\n    protocol: 'tcp'\n```\n\n#### Parameters (Firewalld Ports)\n\n* `zone`: Name of the zone this port belongs to, defaults to parameter\n  `default_port_zone` of class `firewalld` if specified.\n\n* `policy`: Name of the policy this port belongs to. 
Make sure to set\n  `zone` to `unset` if you use this and have specified\n  `default_port_zone` for class `firewalld`.\n\n* `port`: The port to manage, defaults to the resource name.\n\n* `protocol`: The protocol this port uses, e.g. `tcp` or `udp`,\n  defaults to parameter `default_port_protocol` of class `firewalld`\n  if specified.\n\n* `ensure`: Whether to add (`present`) or remove the service\n  (`absent`), defaults to `present`.\n\n### Firewalld Direct Chains\n\nDirect chains can be managed with the `firewalld_direct_chain` type\n\n#### Example\n\n```puppet\nfirewalld_direct_chain {'Add custom chain LOG_DROPS':\nname           =\u003e 'LOG_DROPS',\nensure         =\u003e present,\ninet_protocol  =\u003e 'ipv4',\ntable          =\u003e 'filter',\n}\n```\n\nThe title can also be mapped to the types namevars using a colon\ndelimited string, so the above can also be represented as\n\n```puppet\nfirewalld_direct_chain { 'ipv4:filter:LOG_DROPS':\n  ensure =\u003e present,\n}\n```\n\n#### Example in hiera\n\n```\nfirewalld::direct_chains:\n  'Add custom chain LOG_DROPS':\n    name: LOG_DROPS\n    ensure: present\n    inet_protocol: ipv4\n    table: filter\n```\n\n#### Parameters (Firewalld Direct Chains)\n\n* `name`: name of the chain, eg `LOG_DROPS`  (namevar)\n* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4 (namevar)\n* `table`: The table (eg: filter) to apply the chain (namevar)\n\n### Firewalld Direct Rules\n\nDirect rules can be applied using the `firewalld_direct_rule` type\n\n#### Example (Firewalld Direct Rules)\n\n```puppet\n\n  firewalld_direct_rule {'Allow outgoing SSH connection':\n      ensure         =\u003e 'present',\n      inet_protocol  =\u003e 'ipv4',\n      table          =\u003e 'filter',\n      chain          =\u003e 'OUTPUT',\n      priority       =\u003e 1,\n      args           =\u003e '-p tcp --dport=22 -j ACCEPT',\n  }\n```\n\n#### Example in hiera (Firewalld Direct Rules)\n\n```yaml\nfirewalld::direct_rules:\n  'Allow outgoing SSH 
connection':\n    ensure: present\n    inet_protocol: ipv4\n    table: filter\n    chain: OUTPUT\n    priority: 1\n    args: '-p tcp --dport=22 -j ACCEPT'\n```\n\n#### Parameters (Firewalld Direct Rules)\n\n* `name`: Resource name in Puppet\n* `ensure`: present or absent\n* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4\n* `table`: Table (eg: filter) to which to apply the rule\n* `chain`: Chain (eg: OUTPUT) to which to apply the rule\n* `priority`: The priority number of the rule (e.g: 0, 1, 2, ... 99)\n* `args`: Any iptables, ip6tables and ebtables command line arguments\n\n### Firewalld Direct Passthroughs\n\nDirect passthroughs can be applied using the `firewalld_direct_passthrough` type\n\n#### Example (Firewalld Direct Passthroughs)\n\n```puppet\n\n  firewalld_direct_passthrough {'Forward traffic from OUTPUT to OUTPUT_filter':\n      ensure         =\u003e 'present',\n      inet_protocol  =\u003e 'ipv4',\n      args           =\u003e '-A OUTPUT -j OUTPUT_filter'\n  }\n```\n\n#### Example in hiera (Firewalld Direct Passthroughs)\n\n```yaml\nfirewalld::direct_passthroughs:\n  'Forward traffic from OUTPUT to OUTPUT_filter':\n    ensure: present\n    inet_protocol: ipv4\n    args: '-A OUTPUT -j OUTPUT_filter'\n```\n\n#### Parameters (Firewalld Direct Passthroughs)\n\n* `name`: Resource name in Puppet\n* `ensure`: present or absent\n* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4\n* `args`: Name of the passthrough to add (e.g:\n  -A OUTPUT -j OUTPUT_filter)\n\n## Testing\n\n### Unit Testing\n\nUnit tests can be executed by running the following commands:\n\n* `bundle install`\n* `bundle exec rake spec`\n\n### Acceptance Testing\n\nAcceptance tests are performed using\n[Beaker](https://github.com/puppetlabs/beaker) and require\n[Vagrant](https://vagrantup.com) and\n[VirtualBox](https://www.virtualbox.org) to run successfully.\n\nIt is **HIGHLY RECOMMENDED** that you use the upstream Vagrant package\nand not one from your OS provider.\n\nTo run the 
acceptance tests:\n\n* `bundle install`\n* `bundle exec rake beaker`\n\nTo leave the Vagrant hosts running on failure for debugging:\n\n* `BEAKER_destroy=onpass bundle exec rake beaker`\n* `cd .vagrant/beaker_vagrant_files/default.yml`\n* `vagrant ssh \u003chost\u003e`\n\n## Author\n\n* Written initially by Craig Dunn \u003ccraig@craigdunn.org\u003e @crayfishx\n* This module is now maintained by [VoxPupuli](https://voxpupuli.org)\n* Thanks and acknowledgements to [Baloise\n  Group](http://baloise.github.io)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-firewalld","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoxpupuli%2Fpuppet-firewalld","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-firewalld/lists"}