You may want to start firewalling early a machine that is going to be given control over an entire network. OTOH, an enabled firewall may hamper experiments.

Details of firewalling the Puppetmaster are outside the scope of this document. I use Shorewall, and open ports 443, 8140, 8081 and 22 to traffic from selected hosts and ranges.