The basic approach is that including base::firewall for a host in site.pp enables a set of basic firewall rules which drop incoming connections by default. In addition, the puppet classes of the services running on the host then need to whitelist their own traffic.
Many services can be allowed using the ferm::service class:
https://doc.wikimedia.org/puppet/classes/ferm.html#M000641
More complex rules can be implemented using the ferm::rule class.
First, the traffic patterns/ports used by the following classes need to be identified and ferm rules added to them:
mediawiki::canary_appserver
mediawiki::appserver
mediawiki::appserver::api
mediawiki::appserver::canary_api
Once the ferm rules have been added, base::firewall can be included on the hosts which have ferm rules for all of their services.
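As an added illustration (not from this task or the puppet repository itself), this is the shape the result takes for one of the listed classes: the host opts into the default-drop policy in site.pp, and the service class allow-lists only what it serves. The hostname, source network, port 80 and the parameter names used for ferm::service (proto, port, srange) and ferm::rule (rule) are assumptions; check the linked class documentation before copying them.

```puppet
# Added example, not code from the task or the puppet repository.
# Hostname, network and parameter names are assumed/constructed.

# site.pp: opt the host into the default-drop ruleset. On its own this
# would cut off every service on the host, which is why the service
# classes must carry their own ferm rules before this line is added.
node 'mw-example.eqiad.wmnet' {        # constructed hostname
    include base::firewall
    include mediawiki::appserver
}

# modules/mediawiki/manifests/appserver.pp (assumed path): the class that
# runs the service is the one that knows which traffic is legitimate, so
# it declares the allow rule next to the service it protects.
class mediawiki::appserver {
    # Simple case: one protocol/port, restricted to a source range.
    # Restricting srange keeps a stray listener from becoming reachable
    # from the whole network just because the port is open.
    ferm::service { 'mediawiki-http':
        proto  => 'tcp',
        port   => '80',
        srange => '10.2.0.0/16',       # constructed load-balancer network
    }

    # More complex case, expressed directly in ferm syntax via ferm::rule:
    # only NEW connections are matched explicitly, so established traffic
    # is handled by the base ruleset rather than duplicated here.
    ferm::rule { 'mediawiki-http-new-only':
        rule => 'proto tcp dport 80 saddr (10.2.0.0/16) mod state state NEW ACCEPT;',
    }
}
```

With both rules in place the host still answers only on the port its class declared; anything else hits the default drop, which is exactly the failure you want to see during testing rather than after the base class is rolled out.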