firewall-agent
Firewall Agent
Firewall Agent is a utility to simplify firewall configuration for clouds and clusters, especially when hosted with 3rd party VPS services.
Key Features
- Human readable/writable policy files
- Dynamic policy updates
- IPTables compatible
- Written in Ruby
What Are Dynamic Policy Updates? IPTables uses a static config file to specify the allowed ports, hosts and connections allowed at any given time. Firewall-agent with Dynamic Policy Updates allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynmic host or service lists, or time-based criteria. Examples of several of the applications of this feature can be seen below in the policy examples.
Getting Started
sudo gem install powcloud-firewall-agent
sudo firewall-agent bootstrap
sudo firewall-agent
To Run as a Service (TBD)
service start firewall-agent
Writing a Policy File
Policy files are simple ruby files, and as such, can have any ruby syntax necessary. Policy files are required to have a ‘policy’ block. To get started create a policy file using one of the templates below, then cusotmize it to your needs.
The command ‘firewall-agent bootstrap’ creates a policy.rb file in the /etc/firewall-agent directory using the same ‘standard’ policy shown in this README.
Basic Policy
policy :standard_policy do
deny_all # deny all connections from all hosts
allow_listen 'http' # let HTTP connections in
allow_established # allow all established TCP connections
allow_ping # let any host ping this server
allow_ssh # allow SSH connections
end
Dynamic Policy
policy :dynamic_policy do
deny_all
allow_listen 'http', 'https' # list multiple services or ports as needed
# Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices
update :each => 5.minutes do
allow_ips slicehost_get_ips('https://[email protected]/')
end
allow_established
allow_ping
allow_ssh
end
Super Advanced Policy
require 'resolve'
policy :advanced_policy do
deny_all
allow_listen 'http', 'https'
update :each => 5.minutes do
allow_ips slicehost_get_ips('https://[email protected]/')
end
# 3 different schedules for different types of policy elememnts
# this block will enable you to always access all services on
# this host - even when your IP changes, via a Dynamic DNS service
update :each => 10.minutes do
allow_ips Resolv.getaddress('your-desktop.dyndns.org')
allow_ips Resolv.getaddress('your-laptop.dyndns.org')
end
# disable printing using CUPS/IPP outside of business hours
update :each => 1.minutes do
now = Time.now
allow_listen 631 unless now.hour < 8 || now.hour > 18
end
allow_established
allow_ping
allow_ssh
end
Extending Firewall Agent
Firewall-agent includes a simple Slicehost extension which uses the Slicehost API to get a list of all slices in your account, then updates the policy to allow access from any of these nodes - for all ports - on the firewall-agent host. You can use this as a model to create similar extensions for other VPS provides such as Linode, etc.
In addition, we believe there are lots of opportunities for extensions to integrate dynamic whitelist and blacklist services. Please share your creations with the community. Well documented and tested extensios will be added to the firewall-agent - please contact us on GitHub.
Note on Patches/Pull Requests
-
Fork the project.
-
Make your feature addition or bug fix.
-
Add tests for it. This is important so I don’t break it in a future version unintentionally.
-
Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
-
Send me a pull request. Bonus points for topic branches.
Copyright
Copyright © 2010 Powcloud Inc. See LICENSE for details.