The way it works differs slightly from the usual Puppet resource types. The state of a firewall can be seen as the sum of all the rules that compose it and the order in which they appear. We could define a firewall as one unique Puppet resource, but this doesn't offer much flexibility. It's much more convenient to define each iptables rule as a separate resource. But then, ensuring they always get