Puppet: sharing info between classes

This is a scoping issue. From the language tutorial:

Classes, components, and nodes introduce a new scope. Puppet is currently dynamically scoped, which means that scope hierarchies are created based on where the code is evaluated instead of where the code is defined.

So $myfwrules is scoped into the class it's defined in. In your case you're scoping it into class webappfoo, where it has no knowledge of any previously defined $myfwrules. You can bodge around this but a better approach might be to use definitions. Something like this (untested, YMMV, etc):

class iptables {
  define rule($rule) {
    # $title is the 'name' of the resource, like ntpd in service { "ntpd": }
    exec { "rule-$title":
      command => "/sbin/iptables $rule"
    }
  }
}

class webappfoo {
  include iptables
  iptables::rule { "webappfoo":
    rule => "-A INPUT -p tcp --state NEW -m tcp --dport 80 -j ACCEPT"
  }
}

class postfix {
  include iptables
  iptables::rule { "postfix":
    rule => "-A INPUT -p tcp --state NEW -m tcp --dport 25 -j ACCEPT"
  }
}

node foo {
  include webappfoo
  include postfix
}

This way you have a reusable way to add rules into your classes without needing to define variables and worry about scope. You'll end up with a bunch of Exec resources (Exec["rule-webappfoo"], Exec["rule-postfix"]) representing node foo's ruleset.

Also see the ready-baked iptables modules.

Edit: this is just an example to demonstrate how definitions might be used. It's not meant to be problem-free solution. For a start, there are issues around the order in which rules might be applied (could use before/after, perhaps), and the efficiency of calling /sbin/iptables every time.

I decided to use templates and multiple concatenation to build iptables rules. e.g.

define iptables::rules {
  file { "$local_rules_file":
    ensure  => "file",
    content => template($iptables_start, "iptables/iptables.$name.erb", $iptables_stop)
  }
}

It's not pretty, and it requires a dedicated iptables.hostname.erb file for each computer. But it's stupid simple.

Also read up on Puppet's store configs and multiple file concatenation.

I haven't touched puppet for some time, so my syntax may be a bit rusty. Should "+>" be "+="? Anyway, have you tried this?

class webappfoo {
    include apache
}
class webappfoo::myfwrules {
    $webappfoo_myfwrules = [ "-A INPUT -p tcp --state NEW -m tcp --dport 80 -j ACCEPT" ]
}
node webappserver {
    include iptables

    $webapplist = ["webappfoo", "webappbar" ]
    $webappserver_myfwrules => $iptables::iptables_myfwrules

    $webappserver_myfwrules += $webapplist ? {
         webappfoo => $webappfoo::myfwrules::webappfoo_myfwrules,
         webappbar => $webappbar::myfwrules::webappfoo_myfwrules,
    }
}

This iptables module seems to be the only way to do what I want; it's basically a script which takes files in an iptables.d/ directory and builds /etc/sysconfig/iptables from it. This is probably what I'm going to use; but I feel that this kind of pattern should be possible in Puppet itself.