diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb
index 8ba1343..30e9982 100644
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@@ -30,14 +30,14 @@ SSLCipherSuite RC4-SHA:HIGH:!ADH
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase. Note that a kill -HUP will prompt again. A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt
+SSLCertificateFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.crt
 
 # Server Private Key:
 # If the key is not combined with the certificate, use this
 # directive to point at the key file. Keep in mind that if
 # you've both a RSA and a DSA private key you can configure
 # both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
+SSLCertificateKeyFile <%= @apache_ssldir %>/private/<%= site_fqdn %>.key
 
 # Server Certificate Chain:
 # Point SSLCertificateChainFile at a file containing the
@@ -47,7 +47,7 @@ SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
 # when the CA certificates are directly appended to the server
 # certificate for convinience.
 <% if ssl_chain != "" -%>
-SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
+SSLCertificateChainFile <%= @apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
 <% end -%>
 
 # Certificate Authority (CA):
diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
index 4b4f5f3..866465d 100644
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@@ -17,6 +17,11 @@
 #
 # $firewall_custom = [ "pass in quick carp", ]
 #
 
+# Loading of extra modules is supported on centos. For example FTP
+# support for iptables:
+#
+# $firewall_modules = [ "nf_conntrack_ftp", ]
+
 class firewall {
 if ! $firewall_custom {
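Review bot: The switch to `@apache_ssldir` leaves `site_fqdn` and `ssl_chain` on bare-name lookup in the very same lines (`<%= site_fqdn %>` here, `<% if ssl_chain != "" -%>` in the `@@ -47,7` hunk), so the template now mixes both access styles; if the intent is to move this template to instance-variable access, `<%= @site_fqdn %>` and `<% if @ssl_chain != "" -%>` belong in the same commit. With `@` access an unset variable renders as an empty string, which would silently turn these paths into `/certs/<fqdn>.crt`, so it is worth confirming that the manifest rendering this template always sets `apache_ssldir` (the declaring manifest is not in the diff). The `SSLCipherSuite RC4-SHA:HIGH:!ADH` line in the hunk header is untouched by this change but puts RC4 first in the preference list; a follow-up to drop it would be reasonable.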
@@ -25,6 +30,9 @@ class firewall {
 if ! $firewall_rules {
 $firewall_rules = []
 }
+ if ! $firewall_modules {
+ $firewall_modules = []
+ }
 
 case $operatingsystem {
 centos,debian,fedora,ubuntu: {
@@ -116,6 +124,14 @@ class firewall::common::iptables {
 hasrestart => true,
 require => Package["iptables"],
 }
+ if $firewall_modules {
+ $firewall_modules_str = inline_template('\'"<%= @firewall_modules.join(" ") -%>"\'')
+ augeas { "iptables-config":
+ context => "/files/etc/sysconfig/iptables-config",
+ changes => [ "set IPTABLES_MODULES ${firewall_modules_str}" ],
+ notify => Service["iptables"],
+ }
+ }
 
 }
 }
diff --git a/firewall/templates/ip6tables.erb b/firewall/templates/ip6tables.erb
index 0e30dfb..321a3dd 100644
--- a/firewall/templates/ip6tables.erb
+++ b/firewall/templates/ip6tables.erb
@@ -14,7 +14,7 @@
 <% end -%>
 -A INPUT -p ipv6-icmp -j ACCEPT
 <%
- firewall_rules.each do |rule|
+ @firewall_rules.each do |rule|
 rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
 if not rule[3] or IPAddr.new(rule[3].strip()).ipv6?
 -%>
@@ -22,7 +22,7 @@
 <%
 end
 end
- firewall_custom.each do |rule|
+ @firewall_custom.each do |rule|
 -%>
 <%= rule %>
 <% end -%>
diff --git a/firewall/templates/iptables.erb b/firewall/templates/iptables.erb
index d5f3cb8..9f7a267 100644
--- a/firewall/templates/iptables.erb
+++ b/firewall/templates/iptables.erb
@@ -8,7 +8,7 @@
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp --icmp-type any -j ACCEPT
 <%
- firewall_rules.each do |rule|
+ @firewall_rules.each do |rule|
 rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)
 if not rule[3] or IPAddr.new(rule[3].strip()).ipv4?
 -%>
@@ -16,7 +16,7 @@
 <%
 end
 end
- firewall_custom.each do |rule|
+ @firewall_custom.each do |rule|
 -%>
 <%= rule %>
 <% end -%>
diff --git a/firewall/templates/pf.conf.erb b/firewall/templates/pf.conf.erb
index 073ef16..32eac79 100644
--- a/firewall/templates/pf.conf.erb
+++ b/firewall/templates/pf.conf.erb
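Review bot: The `if $firewall_modules {` guard added to `firewall::common::iptables` does not distinguish the `[]` default assigned in the `@@ -25,6` hunk from a configured list; on Puppet releases where an empty array is truthy (the case for older releases as far as I recall — verify against the version in use) the augeas resource would run on every host and write `IPTABLES_MODULES=""`, overwriting a value set by hand. The resource is also not restricted to systems that actually have `/etc/sysconfig/iptables-config`, even though the new comment documents the feature as CentOS-only and the `case $operatingsystem` in this file lists debian and ubuntu; whether that bites depends on where this class is included, which the hunk does not show. I would tighten the guard to something like `if $firewall_modules and $firewall_modules != [] {` (checking array comparison on the target Puppet) and put a comment on the `inline_template` line such as `# module names must be plain identifiers: the hand-built '"..."' quoting is what shellvars expects and breaks on spaces or quotes`. The class body continues outside the hunk.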
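Review bot: `rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)` reassigns the block variable to `nil` for any entry of `@firewall_rules` that does not match, so the `rule[3]` on the following line raises NoMethodError during catalog compilation without naming the offending rule; the same shape is in the iptables.erb `@@ -8,7` hunk and in the pf.conf.erb hunk (`rule[1]` there). Keeping the match in its own variable, `m = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule)`, followed by `raise ArgumentError, "unparseable firewall rule: #{rule}" unless m`, would make the failure actionable; `IPAddr.new(rule[3].strip())` likewise raises on an address it cannot parse and would benefit from the same message. The `each` block continues past the end of the hunk.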
@@ -8,10 +8,10 @@ pass out all pass in quick inet proto icmp all pass in quick inet6 proto icmp6 all -<% firewall_rules.each do |rule| -%> +<% @firewall_rules.each do |rule| -%> <% rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%> pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %> <% end -%> -<% firewall_custom.each do |rule| -%> +<% @firewall_custom.each do |rule| -%> <%= rule %> <% end -%>