I am using the Puppetlabs firewall module to manage our firewall. All servers get our core ruleset:

*modules/mycompany/manifests/firewall/pre.pp:*

    class mycompany::firewall::pre {
      Firewall {
        require => undef,
      }

      firewall { '000 accept all icmp':
        proto  => 'icmp',
        action => 'accept',
      }

      firewall { '001 accept all to lo interface':
        proto   => 'all',
        iniface => 'lo',
        action  => 'accept',
      }

      firewall { '002 accept related established rules':
        proto  => 'all',
        state  => ['RELATED', 'ESTABLISHED'],
        action => 'accept',
      }
    }

*modules/mycompany/manifests/firewall/core.pp:*

    class mycompany::firewall::core {
      firewall { '100 allow SSH':
        proto  => 'tcp',
        port   => [22],
        action => 'accept',
      }

      firewall { '101 allow salt-minion communication':
        proto  => 'tcp',
        port   => [4505,4506,4510,4511],
        action => 'accept',
      }

      firewall { '102 allow DNS UDP':
        proto  => 'udp',
        port   => [53],
        action => 'accept',
      }

      firewall { '103 allow DNS TCP':
        proto  => 'tcp',
        port   => [53],
        action => 'accept',
      }

      firewall { '104 allow NTP traffic':
        proto  => 'udp',
        port   => [123],
        action => 'accept',
      }
    }

*modules/mycompany/manifests/firewall/post.pp:*

    class mycompany::firewall::post {
      firewall { '999 drop all':
        proto  => 'all',
        action => 'drop',
        before => undef,
      }
    }

We also have some rules that are added based on server roles dynamically via hiera:

*modules/mycompany/manifests/firewall/puppet.pp:*

    class mycompany::firewall::puppet {
      firewall { '105 allow puppet communication':
        proto  => 'tcp',
        port   => [8140],
        action => 'accept',
      }
    }

*modules/mycompany/manifests/firewall/database.pp:*

    class mycompany::firewall::database {
      firewall { '106 allow Percona/MySQL communication':
        proto  => 'tcp',
        port   => [3306],
        action => 'accept',
      }
    }

This worked perfectly when I spun up a server with no role (and therefore no extra rules).
However, when I spun up servers with the 'puppet' & 'database' roles (and therefore the extra rules) it hung at:

*Notice: /Stage[main]/Mycompany/Firewall[9001 fe701ab7ca74bd49f13b9f0ab39f3254]/ensure: removed*

My SSH session eventually disconnects with a broken pipe. The puppet server I spun up yesterday was available when I got into the office this morning, so it seems they do eventually come back, but it takes some time.

Is there any reason I am getting cut off like that, and is there any way to avoid it?
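Added example, not part of the original post: a toy first-match model of the INPUT chain built from a subset of the rules above, showing how the order in which rules are applied decides whether an open SSH session survives the intermediate states of a run. It assumes a default ACCEPT policy and that each rule's position in the chain follows its name; `lockout_steps`, `GOOD` and `BAD` are hypothetical names, the apply orders are constructed, and the model does not diagnose the hang reported here.

```python
"""Toy first-match model of the INPUT chain built from rules in this post."""

# Subset of the rules from the manifests above: name -> (match fields, action).
RULES = {
    "000 accept all icmp": ({"proto": "icmp"}, "accept"),
    "001 accept all to lo interface": ({"iniface": "lo"}, "accept"),
    "002 accept related established rules":
        ({"state": {"RELATED", "ESTABLISHED"}}, "accept"),
    "100 allow SSH": ({"proto": "tcp", "dport": {22}}, "accept"),
    "105 allow puppet communication": ({"proto": "tcp", "dport": {8140}}, "accept"),
    "106 allow Percona/MySQL communication":
        ({"proto": "tcp", "dport": {3306}}, "accept"),
    "999 drop all": ({}, "drop"),
}

# Constructed sample packet: a segment of an already-open SSH session.
SSH_SESSION = {"proto": "tcp", "dport": 22, "state": "ESTABLISHED", "iniface": "eth0"}


def matches(fields, packet):
    """A rule matches when every field it sets agrees with the packet."""
    for key, want in fields.items():
        have = packet.get(key)
        if not (have in want if isinstance(want, set) else have == want):
            return False
    return True


def verdict(chain, packet, policy="accept"):
    """First matching rule wins; otherwise the chain policy applies."""
    for name in chain:
        fields, action = RULES[name]
        if matches(fields, packet):
            return action
    return policy  # assumption: default policy is ACCEPT


def lockout_steps(apply_order, packet=SSH_SESSION):
    """Names of the rules after whose application the packet is dropped."""
    chain, dropped_after = [], []
    for name in apply_order:
        chain = sorted(chain + [name])  # assumption: position follows rule name
        if verdict(chain, packet) == "drop":
            dropped_after.append(name)
    return dropped_after


GOOD = sorted(RULES)                          # pre -> core/role -> post
BAD = ["999 drop all"] + sorted(RULES)[:-1]   # constructed: drop applied first

if __name__ == "__main__":
    print("ordered run:", lockout_steps(GOOD))
    print("drop first :", lockout_steps(BAD))
```

In the drop-first order the session is blocked until '002 accept related established rules' lands; in the name-sorted order no intermediate state drops it.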