Forge Home


Configure Red Hat Enterprise Linux specific files and services.


758 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.18 (latest)
  • 1.0.17
  • 1.0.16
  • 1.0.15
  • 1.0.14
  • 1.0.13
  • 1.0.12
  • 1.0.11
  • 1.0.10
  • 1.0.9
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.2.3
  • 0.2.2
  • 0.2.1
released Sep 14th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >=4.0.0 <9.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'thias-rhel', '1.0.18'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add thias-rhel
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install thias-rhel --version 1.0.18

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



thias/rhel — version 1.0.18 Sep 14th 2023



Configure Red Hat Enterprise Linux specific files and services.

  • rhel::firewall : Class to enable and configure iptables/ip6tables.



  • rhel_kernelrelease: RHEL kernel release, i.e. '957' for 3.10.0-957.5.1.el7
  • rhelX_kernelrelease: RHEL version X kernel release, useful for inventorying.



The firewall classes will provide you with the same configuration as an original RHEL installation, with ICMP and lo traffic allowed, stateful connections allowed, and all the rest rejected (not dropped). Note that ssh is not open by default by this module.

You need this in your site.pp :

resources { 'firewall': purge => true }
Firewall {
  before  => Class['::rhel::firewall::post'],
  require => Class['::rhel::firewall::pre'],

Then also this (it includes the main firewall modue and both pre and post firewall classes from this module :

class { '::rhel::firewall': }

Though you can also use hiera to achieve the same :

  - '::rhel::firewall'

Note that even though these rules are initially RHEL specific, because they replicate the original RHEL set of rules, they should work just fine on any other GNU/Linux distribution.

The original REJECT icmp messages of 'prohibited' will be replaced with the more obvious 'unreachable' (to get 'connection refused' on the clients), but you can get back the RHEL defaults with :

rhel::firewall::ipv4_reject_with: 'icmp-host-prohibited'
rhel::firewall::ipv6_reject_with: 'icmp6-adm-prohibited'

Port knocking with 3 ports is available to protect any tcp port(s). Hiera example :

    port1: '1234'
    port2: '2345'
    port3: '3456'
      - '22'

The original firewall module doesn't support passing an array of IP addresses to the $source parameter. To overcome this limitation, the rhel::firewall::proto_dport_source definition can help :

$admin_networks = [ '', '' ]
$proto_dport_admin_networks = prefix($admin_networks, 'tcp_8091_')
rhel::firewall::proto_dport_source { $proto_dport_admin_networks: }

The above will open up port 8091/tcp from a network and an address. The syntax for the $title is <proto>_<dport>_<address> where <proto> can be all and dport can be empty to also mean all, or multiple ports separated by commas.

Masquerade class, one liner to enable masquerading of all 3 RFC1918 networks :

class { '::rhel::firewall::masquerade': outiface => 'br0' }

Set `$return_local` to `true` to exclude RFC1918 destinations from masquarading,
required with IPSec LAN to LAN for instance.

NOTRACK definition, to disable connection tracking for certain ports :

rhel::firewall::notrack { '100 notrack http': iface => 'eth0', port => '80' }
rhel::firewall::notrack { '110 notrack lo': iface => 'lo' }

Proxy network, in addition of accept rules, will require an extra setup, e.g.

rhel::firewall::notrack { '100 notrack http':
  iface   => 'eth0',
  port    => '80'
rhel::firewall::notrack { '110 notrack http':
  iface   => 'eth1',
  port    => '80',
  outbound => true,

For rules source matching private IP address space, the rhel::firewall::privatesrc definition will automatically create the 3 required IPv4 rules and the required IPv6 rule (if not disabled) :

rhel::firewall::privatesrc { '100 rsync':
  rules => {
    action => 'accept',
    proto  => 'tcp',
    dport  => [ '873' ],


This is a class which can be safely included on all nodes, and will tweak only virtual nodes based on the is_virtual fact.

class { '::rhel::virtual': }

Features include :

  • Making sure acpid is installed and running for virsh shutdown to work from the hypervisor.

Yum Update from Cron

Simple shell script and cron job to automatically run yum update at 10:05 on weekdays (+ a 3-10min wait time to avoid mass parallel downloads) :

include '::rhel::yum_cron'

Many parameters can be changed. Example to have a weekly run on Monday at 6AM completely silent (no cron output email sent out) :

class { '::rhel::yum_cron':
  cron_command => '/usr/local/sbin/yum-cron &>/dev/null',
  cron_hour    => '06',
  cron_minute  => '00',
  cron_weekday => '1',

Network IP Address Alias

Manage network interfaces IP address aliases :

rhel::net::ifalias { 'eth0:0':
  ipaddr => '', prefix => '32',
rhel::net::ifalias { 'eth0:1':
  ensure => absent,


Enable or disable the EPEL repository for Red Hat Enterprise Linux :

include '::rhel::epel'

To remove it :

class { '::rhel::epel': ensure => absent }


Manage systemd resources (initially services). The common rhel::systemd class is automatically included and will execute systemctl daemon-reload when required. Example :

rhel::systemd::service { 'mydaemon':
  source => "puppet:///modules/${module_name}/mydaemon.service",


Monitor file structure and content changes using AIDE. Use the rhel::aide definition with a descriptive title and an array of valid aide.conf lines for the $lines parameter. Example :

rhel::aide { 'www':
  cron_mailto => '',
  cron_minute => '*/10',
  lines       => [
    # LSPP same as normal, but excluding one extra hash (smaller db)
    '/var/www/htpasswd        LSPP',
    '/var/www/ LSPP',
    # These are not relevant

The default cron job is run hourly, but most cron parameters may be overridden. See the aide.conf(5) manual page and the example /etc/aide.conf file for help on the lines syntax.