v0.0.5 of the Advanced FireWall (AFW) was released today with a bunch of
bugfixes and improvements.
- c2bf643 - Bump to version 0.0.5
- f905a13 - Typo/Indent fixes
- f607a16 - Clean up AFW node attributes at the end of Chef Run
- 81dd201 - Skip rules that fail validation
- 484f07e - Resolve FQDN into IPs before writing the rules
- bd603ff - Add OSPF support
- 72c4f27 - Fix missing node parameter for creation of predefined rules, by
- 9c6af65 - Do not use the default network interface by default, simply do not specify one
- 0a0d682 - Add init & upstart scripts
- ed12e60 - Check rule interface with nil? in addition to empty?; look for node ip under ['ipaddress'] in addition to ['network']['lanip'], by
- 099185c - remove metadata.json file … its version is not up to date, by
More details here:
Repository on Github: https://github.com/jvehent/AFW/
Community cookbook: http://community.opscode.com/cookbooks/afw
Happy holidays!
- Julien Vehent
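The changelog above lists three related fixes: resolving FQDNs into IPs before writing rules, skipping rules that fail validation instead of aborting the run, and checking a rule's interface with nil? as well as empty? (an absent key and an empty string both mean "no interface given", and neither picks a default). The Ruby sketch below, added here and not AFW's own code, shows one way those checks fit together. The rule schema, the `rule_errors`/`build_rules` functions and the hosts table are assumptions made for the example; the resolver is an offline stand-in for `Resolv.getaddresses` so the block runs without DNS.

```ruby
require 'ipaddr'
require 'resolv'

# Constructed name table so the example runs offline and deterministically.
OFFLINE_DNS = {
  'api-a.example.internal' => ['10.0.1.10', '10.0.1.11'],
  'db-b.example.internal'  => ['10.0.2.20']
}.freeze

# Resolver backed by the constructed table; an unknown name yields [],
# which is also what Resolv.getaddresses returns for a name that does not exist.
OFFLINE_RESOLVER = ->(name) { OFFLINE_DNS.fetch(name, []) }

# Resolver for a real Chef run (not exercised here).
LIVE_RESOLVER = ->(name) { Resolv.getaddresses(name) }

VALID_DIRECTIONS = %w[in out].freeze
VALID_PROTOCOLS  = %w[tcp udp].freeze

# Return the list of validation errors for one rule (empty list means valid).
# The rule schema (direction/protocol/dport/source/interface) is assumed.
def rule_errors(rule)
  errors = []
  errors << 'bad direction' unless VALID_DIRECTIONS.include?(rule['direction'])
  errors << 'bad protocol'  unless VALID_PROTOCOLS.include?(rule['protocol'])
  port = rule['dport']
  errors << 'bad dport' unless port.is_a?(Integer) && (1..65535).cover?(port)
  src = rule['source']
  errors << 'missing source' if src.nil? || src.empty?
  iface = rule['interface']
  # nil? and empty? are checked separately: a missing key and an empty string
  # both mean "no interface", and that is allowed (no default interface is used).
  errors << 'bad interface' unless iface.nil? || iface.empty? || iface.match?(/\A[a-z0-9.-]+\z/)
  errors
end

# Expand a source into IP/CIDR strings: literal addresses pass through,
# anything else is treated as an FQDN and resolved before the rule is written.
def expand_source(source, resolver)
  IPAddr.new(source)
  [source]
rescue IPAddr::InvalidAddressError
  resolver.call(source)
end

# Render one iptables line per resolved address.
def render_rule(rule, addresses)
  chain, ifflag, addrflag =
    rule['direction'] == 'in' ? ['INPUT', '-i', '-s'] : ['OUTPUT', '-o', '-d']
  iface = rule['interface']
  iface_part = (iface.nil? || iface.empty?) ? '' : " #{ifflag} #{iface}"
  addresses.map do |addr|
    "-A #{chain}#{iface_part} -p #{rule['protocol']} #{addrflag} #{addr} " \
      "--dport #{rule['dport']} -j ACCEPT"
  end
end

# Build the rule set. Invalid rules and unresolvable names are skipped with a
# reason rather than aborting the whole run, so one bad attribute cannot leave
# the host with no firewall rules at all.
def build_rules(rules, resolver: OFFLINE_RESOLVER)
  accepted = []
  skipped = {}
  rules.each do |name, rule|
    errors = rule_errors(rule)
    if errors.any?
      skipped[name] = errors.join(', ')
      next
    end
    addresses = expand_source(rule['source'], resolver)
    if addresses.empty?
      skipped[name] = "could not resolve #{rule['source']}"
      next
    end
    accepted.concat(render_rule(rule, addresses))
  end
  { accepted: accepted, skipped: skipped }
end

# Constructed rules, shaped like a node attribute hash might hold them.
SAMPLE_RULES = {
  'api-a-to-db-b' => { 'direction' => 'in', 'protocol' => 'tcp', 'dport' => 5432,
                       'source' => 'api-a.example.internal', 'interface' => 'eth0' },
  'monitoring'    => { 'direction' => 'in', 'protocol' => 'tcp', 'dport' => 9100,
                       'source' => '10.0.9.0/24' },
  'ghost-host'    => { 'direction' => 'in', 'protocol' => 'tcp', 'dport' => 22,
                       'source' => 'decommissioned.example.internal' },
  'broken'        => { 'direction' => 'in', 'protocol' => 'icmp', 'dport' => 0,
                       'source' => '' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = build_rules(SAMPLE_RULES)
  puts result[:accepted]
  result[:skipped].each { |name, why| warn "skipped #{name}: #{why}" }
end
```

Running it prints two INPUT lines for the two addresses api-a resolves to, one line for the monitoring CIDR, and skips the rule whose hostname no longer resolves as well as the malformed one, with the reason on stderr so it shows up in the Chef run log.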
On 2012-11-13 18:23, Julien Vehent wrote:
Last Friday I gave a talk at Security Bsides Delaware on building dynamic
firewalls with Chef and Netfilter. It’s essentially a presentation of the
cookbook (https://github.com/jvehent/AFW/) that we have been developing at
AWeber for the past 6 months.
The video is here: https://vimeo.com/53423330
I know from discussions on #chef that some folks are using similar
in their own firewall cookbooks. I would be curious to hear about what
approach people are taking to configure them:
- Do you use static rules?
- Do you use searches?
- How do you tell database-B to accept connections from API-A?
I also had an interesting question from a post-talk discussion: would it
be possible to use Chef to configure a Cisco firewall? I'm not sure how that
would work… maybe run chef-client on a VM that mimics the Cisco device,
that pushes the rules to the appliance using tftp? If you have
ideas/thoughts, I'm definitely interested!