Added puppetlabs-firewall (required by puppetlabs-postgresql), updated the other modules.

modules/firewall/manifests/init.pp

@@ -0,0 +1,36 @@
+# = Class: firewall
+#
+# Manages packages and services required by the firewall type/provider.
+#
+# This class includes the appropriate sub-class for your operating system,
+# where supported.
+#
+# == Parameters:
+#
+# [*ensure*]
+#   Ensure parameter passed onto Service[] resources.
+#   Default: running
+#
+class firewall (
+  $ensure = running
+) {
+  case $ensure {
+    /^(running|stopped)$/: {
+      # Do nothing.
+    }
+    default: {
+      fail("${title}: Ensure value '${ensure}' is not supported")
+    }
+  }
+
+  case $::kernel {
+    'Linux': {
+      class { "${title}::linux":
+        ensure => $ensure,
+      }
+    }
+    default: {
+      fail("${title}: Kernel '${::kernel}' is not currently supported")
+    }
+  }
+}

modules/firewall/manifests/linux.pp

@@ -0,0 +1,51 @@
+# = Class: firewall::linux
+#
+# Installs the `iptables` package for Linux operating systems and includes
+# the appropriate sub-class for any distribution specific services and
+# additional packages.
+#
+# == Parameters:
+#
+# [*ensure*]
+#   Ensure parameter passed onto Service[] resources. When `running` the
+#   service will be started on boot, and when `stopped` it will not.
+#   Default: running
+#
+class firewall::linux (
+  $ensure = running
+) {
+  $enable = $ensure ? {
+    running => true,
+    stopped => false,
+  }
+
+  package { 'iptables':
+    ensure => present,
+  }
+
+  case $::operatingsystem {
+    'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos',
+    'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer': {
+      class { "${title}::redhat":
+        ensure  => $ensure,
+        enable  => $enable,
+        require => Package['iptables'],
+      }
+    }
+    'Debian', 'Ubuntu': {
+      class { "${title}::debian":
+        ensure  => $ensure,
+        enable  => $enable,
+        require => Package['iptables'],
+      }
+    }
+    'Archlinux': {
+      class { "${title}::archlinux":
+        ensure  => $ensure,
+        enable  => $enable,
+        require => Package['iptables'],
+      }
+    }
+    default: {}
+  }
+}

modules/firewall/manifests/linux/archlinux.pp

@@ -0,0 +1,41 @@
+# = Class: firewall::linux::archlinux
+#
+# Manages `iptables` and `ip6tables` services, and creates files used for
+# persistence, on Arch Linux systems.
+#
+# == Parameters:
+#
+# [*ensure*]
+#   Ensure parameter passed onto Service[] resources.
+#   Default: running
+#
+# [*enable*]
+#   Enable parameter passed onto Service[] resources.
+#   Default: true
+#
+class firewall::linux::archlinux (
+  $ensure = 'running',
+  $enable = true
+) {
+  service { 'iptables':
+    ensure    => $ensure,
+    enable    => $enable,
+    hasstatus => true,
+  }
+
+  service { 'ip6tables':
+    ensure    => $ensure,
+    enable    => $enable,
+    hasstatus => true,
+  }
+
+  file { '/etc/iptables/iptables.rules':
+    ensure => present,
+    before => Service['iptables'],
+  }
+
+  file { '/etc/iptables/ip6tables.rules':
+    ensure => present,
+    before => Service['ip6tables'],
+  }
+}

modules/firewall/manifests/linux/debian.pp

@@ -0,0 +1,44 @@
+# = Class: firewall::linux::debian
+#
+# Installs the `iptables-persistent` package for Debian-alike systems. This
+# allows rules to be stored to file and restored on boot.
+#
+# == Parameters:
+#
+# [*ensure*]
+#   Ensure parameter passed onto Service[] resources.
+#   Default: running
+#
+# [*enable*]
+#   Enable parameter passed onto Service[] resources.
+#   Default: true
+#
+class firewall::linux::debian (
+  $ensure = running,
+  $enable = true
+) {
+  package { 'iptables-persistent':
+    ensure => present,
+  }
+
+  if($::operatingsystemrelease =~ /^6\./ and $enable == true
+  and versioncmp($::iptables_persistent_version, '0.5.0') < 0 ) {
+    # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
+    # we lose idempotency
+    exec { 'iptables-persistent-enable':
+      logoutput => on_failure,
+      command   => '/usr/sbin/update-rc.d iptables-persistent enable',
+      unless    => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
+      require   => Package['iptables-persistent'],
+    }
+  } else {
+    # This isn't a real service/daemon. The start action loads rules, so just
+    # needs to be called on system boot.
+    service { 'iptables-persistent':
+      ensure    => undef,
+      enable    => $enable,
+      hasstatus => true,
+      require   => Package['iptables-persistent'],
+    }
+  }
+}

modules/firewall/manifests/linux/redhat.pp

@@ -0,0 +1,40 @@
+# = Class: firewall::linux::redhat
+#
+# Manages the `iptables` service on RedHat-alike systems.
+#
+# == Parameters:
+#
+# [*ensure*]
+#   Ensure parameter passed onto Service[] resources.
+#   Default: running
+#
+# [*enable*]
+#   Enable parameter passed onto Service[] resources.
+#   Default: true
+#
+class firewall::linux::redhat (
+  $ensure = running,
+  $enable = true
+) {
+
+  # RHEL 7 and later and Fedora 15 and later require the iptables-services
+  # package, which provides the /usr/libexec/iptables/iptables.init used by
+  # lib/puppet/util/firewall.rb.
+  if $::operatingsystem == RedHat and $::operatingsystemrelease >= 7 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
+  if ($::operatingsystem == 'Fedora' and (( $::operatingsystemrelease =~ /^\d+/ and $::operatingsystemrelease >= 15 ) or $::operatingsystemrelease == "Rawhide")) {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
+  service { 'iptables':
+    ensure    => $ensure,
+    enable    => $enable,
+    hasstatus => true,
+  }
+}