diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
new file mode 100644
index 0000000..1086555
--- /dev/null
+++ b/firewall/manifests/init.pp
@@ -0,0 +1,80 @@
+
+# Enable firewall and install defined rules
+#
+# Rules are readed from variable $firewall_rules which needs to be an
+# array containing list of opened services in format:
+#
+# / [source]
+#
+# for example:
+#
+# tcp/80 192.168.1.0/24
+#
+# If source is left out the service will be opened to all connecting
+# hosts.
+#
+class firewall {
+
+ case $operatingsystem {
+ centos,fedora: {
+ include firewall::iptables
+ }
+ openbsd: {
+ include firewall::pf
+ }
+ default: {
+ fail("Firewall module not supported in ${operatingsystem}")
+ }
+ }
+
+}
+
+
+# Linux iptables handler.
+#
+class firewall::iptables {
+
+ package { [ "iptables" ]:
+ ensure => installed,
+ }
+
+ file { "/etc/sysconfig/iptables":
+ ensure => present,
+ content => template("firewall/iptables.erb"),
+ mode => 0600,
+ owner => root,
+ group => root,
+ require => Package["iptables"],
+ notify => Service["iptables"],
+ }
+
+ service { "iptables":
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package["iptables"],
+ }
+
+}
+
+
+# OpenBSD Packet Filter handler
+#
+class firewall::pf {
+
+ file { "/etc/pf.conf":
+ ensure => present,
+ content => template("firewall/pf.conf.erb"),
+ mode => 0600,
+ owner => root,
+ group => wheel,
+ notify => Exec["pfctl -f /etc/pf.conf"],
+ }
+
+ exec { "pfctl -f /etc/pf.conf":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ refreshonly => true,
+ }
+
+}
diff --git a/firewall/templates/iptables.erb b/firewall/templates/iptables.erb
new file mode 100644
index 0000000..df2c8e7
--- /dev/null
+++ b/firewall/templates/iptables.erb
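Review bot: Class `firewall` consumes `$firewall_rules` from top scope without checking that it is set or is an array, so a node that forgets to define it fails inside template rendering (both templates index into a regex match on each element) instead of with a clear message at the point where the contract is documented; a guard before the `case`, something like `if ! $firewall_rules { fail("firewall: \$firewall_rules must be an array of proto/port [source] entries") }`, would surface the mistake early. The `mode => 0600` values in `firewall::iptables` and `firewall::pf` should be quoted as `'0600'`, since unquoted octal file modes are rejected by later Puppet versions. In `firewall::pf`, `pfctl -f` only loads the ruleset and does not enable pf; if the class assumes pf is already enabled on the host, that assumption belongs in the class header comment.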
@@ -0,0 +1,17 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p ah -j ACCEPT
+-A INPUT -p esp -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp --icmp-type any -j ACCEPT
+<% firewall_rules.each do |rule| -%>
+<% rule = /(tcp|udp)\/(\d+)( .+)?/.match(rule) -%>
+-A INPUT<% if rule[1] == "tcp" %> -m state --state NEW<% end %> -m <%= rule[1] %> -p <%= rule[1] %><% if rule[3] %> -s<%= rule[3] %><% end %> --dport <%= rule[2] %> -j ACCEPT
+<% end -%>
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/firewall/templates/pf.conf.erb b/firewall/templates/pf.conf.erb
new file mode 100644
index 0000000..cf59fa7
--- /dev/null
+++ b/firewall/templates/pf.conf.erb
@@ -0,0 +1,19 @@
+# options
+set block-policy return
+set skip on lo0
+
+# scrub
+scrub in all no-df
+
+# filter rules
+block all
+
+pass in quick inet proto icmp all
+pass in quick inet6 proto icmp6 all
+
+<% firewall_rules.each do |rule| -%>
+<% rule = /(tcp|udp)\/(\d+)( .+)?/.match(rule) -%>
+pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %>
+<% end -%>
+
+pass out quick all
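Review bot: The rule parser `/(tcp|udp)\/(\d+)( .+)?/` on the `<% rule = ... -%>` line is unanchored and its result is never checked, so an entry that does not match leaves `rule` nil and the next line raises NoMethodError during catalog compilation, while an entry with unexpected trailing text matches partially and the entire `( .+)` capture is copied verbatim after `-s` into the generated iptables line; the same parser and `from<%= rule[3] %>` concatenation appear in pf.conf.erb. Anchoring and failing explicitly, e.g. `<% rule = /\A(tcp|udp)\/(\d{1,5})( \S+)?\z/.match(rule) || raise("firewall: invalid rule #{rule.inspect}") -%>`, keeps the leading-space capture that `-s<%= rule[3] %>` and `from<%= rule[3] %>` rely on while rejecting anything other than proto/port plus one optional source token, and the error names the offending entry. A short comment above the `each` loop stating the accepted format would also help, since the only description of it lives in init.pp.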