Firewall Agent is a Ruby DSL for IPTables, designed to simplify firewall configuration for clouds and clusters, especially when hosted by 3rd party VPS services.

• Human readable/writable policy files

• Dynamic policy updates

• IPTables compatible

• Written in Ruby

What Are Dynamic Policy Updates? IPTables uses a static configuration file to specify the ports, hosts and connections allowed through the firewall. Firewall-agent with Dynamic Policy Updates allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynamic host or service lists, or time-based criteria. The policy examples below explain some of these applications in more detail.

sudo gem install powcloud-firewall-agent
sudo firewall-agent bootstrap
sudo firewall-agent

The command ‘firewall-agent bootstrap’ creates a policy.rb file in the /etc/firewall-agent directory using the same ‘standard’ policy shown in this README. You can edit this file to your needs or create custom policy files. To pass a custom policy to the firewall-agent at startup, use this syntax:

sudo firewall-agent <path-to-my-policy-file.rb>

service start firewall-agent

Policy files are simple ruby files, and as such, can utilize the complete ruby syntax, requires, etc. Policy files are required to have a ‘policy’ block. To get started create a policy file using one of the templates below, then customize it to your needs.

policy :standard_policy do
  deny_all             # deny all connections from all hosts
  allow_listen 'http'  # let HTTP connections in
  allow_established    # allow all established TCP connections
  allow_ping           # let any host ping this server
  allow_ssh            # allow SSH connections
end

policy :dynamic_policy do
  deny_all
  allow_listen 'http', 'https'  # list multiple services or ports as needed
  # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  allow_established
  allow_ping
  allow_ssh
end

require 'resolve'
policy :advanced_policy do
  deny_all
  allow_listen 'http', 'https'
  update :each => 5.minutes do
    allow_ips slicehost_get_ips('https://8fff02f2853@api.slicehost.com/')
  end
  # 3 different schedules for different types of policy elements
  # this block will enable you to always access all services on
  # this host - even when your IP changes, via a Dynamic DNS service
  update :each => 10.minutes do
    allow_ips Resolv.getaddress('your-desktop.dyndns.org')
    allow_ips Resolv.getaddress('your-laptop.dyndns.org')
  end
  # disable printing using CUPS/IPP outside of business hours
  update :each => 1.minutes do
    now = Time.now
    allow_listen 631 unless now.hour < 8 || now.hour > 18
  end
  allow_established
  allow_ping
  allow_ssh
end

Firewall-agent includes a sample extension for Slicehost VPS users. The extension uses the Slicehost API to get a list of all slices in your account, then updates the policy to allow access from any of these nodes - for all ports - on the firewall-agent host. You can use this as a model to create similar extensions for other VPS providers such as Linode, etc.

In addition, we believe there are many opportunities for extensions to integrate dynamic whitelist and blacklist services. Please share your creations with the community. Well documented and tested extensions will be added to the firewall-agent core - please contact us on GitHub.

• Fork the project.

• Make your feature addition or bug fix.

• Add tests for it. This is important so I don’t break it in a future version unintentionally.

• Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

• Send me a pull request. Bonus points for topic branches.

Licensed under the MIT license: www.opensource.org/licenses/mit-license.php

COPYRIGHT 2010 POWCLOUD INC.