AFW, Chef and Netfilter

Hi everyone,

Last Friday I gave a talk at Security Bsides Delaware on building dynamic
firewalls with Chef and Netfilter. It’s essentially a presentation of the AFW
cookbook (https://github.com/jvehent/AFW/) that we have been developing at
AWeber for the past 6 months.

The video is here: https://vimeo.com/53423330

I know from discussions on #chef that some folks are using similar
techniques in their own firewall cookbooks. I would be curious to hear about
what approach people are taking to configure them:

  • Do you use static rules?
  • Do you use searches?
  • How do you tell database-B to accept connections from API-A?

I also had an interesting question from a post-talk discussion: would it be
possible to use Chef to configure a Cisco firewall? I’m not sure how that
would work… maybe run chef-client on a VM that mimics the Cisco device, and
that pushes the rules to the appliance using tftp? If you have
ideas/thoughts, I’m definitely interested!

Cheers,
Julien


Julien Vehent - http://jve.linuxwall.info
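As an added illustration of the search-driven approach asked about above (this is example code written for this page, not code from the AFW cookbook or from the author): a rule for database-B names its allowed peers by a Chef-style search such as "role:api-a" instead of by static addresses, and the search result is expanded into one iptables ACCEPT per matching host. The inventory and the `search_nodes` helper are constructed stand-ins for Chef's node search; the rule hash format is an assumption for the example, not AFW's attribute schema.

```ruby
require 'ipaddr'

# Constructed inventory standing in for what a Chef node search returns.
INVENTORY = [
  { 'name' => 'api-a-01', 'ipaddress' => '10.0.1.11', 'roles' => ['api-a'] },
  { 'name' => 'api-a-02', 'ipaddress' => '10.0.1.12', 'roles' => ['api-a'] },
  { 'name' => 'web-01',   'ipaddress' => '10.0.2.21', 'roles' => ['web'] },
  { 'name' => 'db-b-01',  'ipaddress' => '10.0.3.31', 'roles' => ['database-b'] },
].freeze

# Stand-in for Chef's search(:node, "role:NAME"); only the "role:" predicate
# is supported here (hypothetical helper for the example).
def search_nodes(query, inventory = INVENTORY)
  key, value = query.split(':', 2)
  raise ArgumentError, "unsupported query: #{query}" unless key == 'role'
  inventory.select { |n| n['roles'].include?(value) }
end

# Expand one rule into iptables command lines, one per matching source host.
# When the search matches nothing this returns [] on purpose: an ACCEPT rule
# emitted without a -s would match any address, so "no peers found" has to
# mean "no rule", never "open to everyone".
def iptables_rules_for(rule)
  search_nodes(rule['source']).map do |node|
    ip = IPAddr.new(node['ipaddress']).to_s # rejects malformed node data
    "iptables -A INPUT -p #{rule['protocol']} -s #{ip}/32 " \
      "--dport #{rule['dport']} -m state --state NEW -j ACCEPT"
  end
end

# Example rule (assumed format): database-B accepts MySQL from every node
# that currently carries the api-a role, whatever its address is today.
MYSQL_FROM_API_A = {
  'protocol' => 'tcp',
  'dport'    => 3306,
  'source'   => 'role:api-a',
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts iptables_rules_for(MYSQL_FROM_API_A)
end
```

Re-running the expansion on every chef-client run is what makes the firewall dynamic: adding a third api-a node adds a third ACCEPT line on the next run, and decommissioning one removes its line, with no static address list to maintain on the database host.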