5.2.4. HOWTO Fully Disable the System Firewall

Though we hope that you never actually want to do this, there may be situations where you want to use Puppet to fully disable the system firewall.

When iptables was the only option, this was very straightforward. The introduction of firewalld has added a bit of complexity due to the preservation of backwards compatibility with calls into the iptables::rules::* defined types.

To fully disable all firewalls on the system (not just management of the firewalls), set the following via Hiera:

iptables::enable: false
firewalld::service_enable: false
firewalld::service_ensure: 'stopped'

As per usual, once this is set, Puppet will ensure that the firewall is fully disabled until the settings are reversed.

Important

Just setting firewalld::service_enable: false will likely cause your system to fall back to using iptables.
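The check below is an added example, not part of the original page or of the Puppet modules it describes. It classifies one Hiera YAML layer as leaving the firewall managed, fully disabling it, or setting only some of the three keys (the fallback case in the note above). The function name `firewall_disable_state` and the sample data are constructed for illustration.

```ruby
require 'yaml'

# The three settings this page lists for fully disabling the firewall.
REQUIRED = {
  'iptables::enable'          => false,
  'firewalld::service_enable' => false,
  'firewalld::service_ensure' => 'stopped'
}.freeze

# Classify one Hiera data layer given as YAML text.
# Returns [state, unmet_keys] where state is:
#   :managed        - none of the three keys carries its "disable" value
#   :fully_disabled - all three match the settings listed on this page
#   :partial        - only some match; unmet_keys names the rest
# Values are compared exactly as YAML parses them, so a quoted 'false'
# (a string, not a boolean) does not count as a match.
def firewall_disable_state(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  raise ArgumentError, 'Hiera data must be a hash' unless data.is_a?(Hash)

  unmet = REQUIRED.reject { |key, want| data.key?(key) && data[key] == want }.keys

  return [:fully_disabled, []] if unmet.empty?
  return [:managed, []] if unmet.size == REQUIRED.size

  [:partial, unmet]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample layers, not taken from any real environment.
  samples = {
    'complete' => "iptables::enable: false\n" \
                  "firewalld::service_enable: false\n" \
                  "firewalld::service_ensure: 'stopped'\n",
    'firewalld only' => "firewalld::service_enable: false\n"
  }
  samples.each do |name, text|
    state, unmet = firewall_disable_state(text)
    puts "#{name}: #{state} #{unmet.join(', ')}".strip
  end
end
```

A `:partial` result is the one to review: the layer intends to turn the firewall off but does not set everything this page requires. A `:fully_disabled` result is worth surfacing in audits so the setting does not persist unnoticed.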