0.01
Repository is archived
No commit activity in last 3 years
No release in over 3 years
Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

Runtime

>= 0.12.10
>= 1.1.2
 Project Readme

firewall-agent¶ ↑

Firewall Agent is a Ruby DSL for IPTables, designed to simplify firewall configuration for clouds and clusters, especially when hosted by 3rd party VPS services.

Key Features¶ ↑

  • Human readable/writable policy files

  • Dynamic policy updates

  • IPTables compatible

  • Written in Ruby

What Are Dynamic Policy Updates? IPTables uses a static configuration file to specify the ports, hosts and connections allowed through the firewall. Firewall-agent with Dynamic Policy Updates allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynamic host or service lists, or time-based criteria. The policy examples below explain some of these applications in more detail.

Getting Started¶ ↑

sudo gem install powcloud-firewall-agent
sudo firewall-agent bootstrap
sudo firewall-agent

The command ‘firewall-agent bootstrap’ creates a policy.rb file in the /etc/firewall-agent directory using the same ‘standard’ policy shown in this README. You can edit this file to your needs or create custom policy files. To pass a custom policy to the firewall-agent at startup, use this syntax:

sudo firewall-agent <path-to-my-policy-file.rb>

To Run as a Service (TBD)¶ ↑

service start firewall-agent

Writing a Policy File¶ ↑

Policy files are simple ruby files, and as such, can utilize the complete ruby syntax, requires, etc. Policy files are required to have a ‘policy’ block. To get started create a policy file using one of the templates below, then customize it to your needs.

Basic Policy¶ ↑

policy :standard_policy do
  deny_all             # deny all connections from all hosts
  allow_listen 'http'  # let HTTP connections in
  allow_established    # allow all established TCP connections
  allow_ping           # let any host ping this server
  allow_ssh            # allow SSH connections
end

Dynamic Policy¶ ↑

policy :dynamic_policy do
  deny_all
  allow_listen 'http', 'https'  # list multiple services or ports as needed
  # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  allow_established
  allow_ping
  allow_ssh
end

Super Advanced Policy¶ ↑

require 'resolve'
policy :advanced_policy do
  deny_all
  allow_listen 'http', 'https'
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  # 3 different schedules for different types of policy elements
  # this block will enable you to always access all services on
  # this host - even when your IP changes, via a Dynamic DNS service
  update :each => 10.minutes do
    allow_ips Resolv.getaddress('your-desktop.dyndns.org')
    allow_ips Resolv.getaddress('your-laptop.dyndns.org')
  end
  # disable printing using CUPS/IPP outside of business hours
  update :each => 1.minutes do
    now = Time.now
    allow_listen 631 unless now.hour < 8 || now.hour > 18
  end
  allow_established
  allow_ping
  allow_ssh
end

Extending Firewall Agent¶ ↑

Firewall-agent includes a sample extension for Slicehost VPS users. The extension uses the Slicehost API to get a list of all slices in your account, then updates the policy to allow access from any of these nodes - for all ports - on the firewall-agent host. You can use this as a model to create similar extensions for other VPS providers such as Linode, etc.

In addition, we believe there are many opportunities for extensions to integrate dynamic whitelist and blacklist services. Please share your creations with the community. Well documented and tested extensions will be added to the firewall-agent core - please contact us on GitHub.

Note on Patches/Pull Requests¶ ↑

  • Fork the project.

  • Make your feature addition or bug fix.

  • Add tests for it. This is important so I don’t break it in a future version unintentionally.

  • Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

  • Send me a pull request. Bonus points for topic branches.

License¶ ↑

Licensed under the MIT license: www.opensource.org/licenses/mit-license.php

COPYRIGHT 2010 POWCLOUD INC.