Re: AFW, Chef and Netfilter

Hi everyone,

v0.0.5 of the Advanced FireWall (AFW) was released today with a bunch of
bugfixes and improvements.

  • c2bf643 - Bump to version 0.0.5
  • f905a13 - Typo/Indent fixes
  • f607a16 - Clean up AFW node attributes at the end of Chef Run
  • 81dd201 - Skip rules that fail validation
  • 484f07e - Resolve FQDN into IPs before writing the rules
  • bd603ff - Add OSPF support
  • 72c4f27 - Fix missing node parameter for creation of predefined rules, by
    Julien Vehent
  • 9c6af65 - Do not use the default network interface by default, simply do
    not specify one
  • 0a0d682 - Add init & upstart scripts
  • ed12e60 - Check rule interface with nil? in addition to empty?; look for
    node ip under ['ipaddress'] in addition to ['network']['lanip'], by
    elliotkendallUCSF
  • 099185c - remove metadata.json file .. it's version is not up to date, by
    Jeremiah Snapp

More details here:

Repository on Github: GitHub - jvehent/AFW: Advanced FireWall cookbook for Chef and Linux that uses Iptables and to dynamically configure inbound and outbound rules on each node.
Community cookbook: http://community.opscode.com/cookbooks/afw

Happy holidays!

- Julien Vehent
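As an added illustration of the behaviours listed in the changelog above (skipping rules that fail validation, resolving FQDNs to IPs before writing rules, treating a nil or empty interface as "any"), here is a small Ruby sketch. It is not AFW's own code: the rule hash format, the constructed DNS table and the host names are hypothetical.

```ruby
# Added example, not AFW's own code. Rule schema and sample data are hypothetical.
require 'ipaddr'
require 'resolv'

VALID_PROTOS     = %w[tcp udp].freeze
VALID_DIRECTIONS = %w[in out].freeze

# Returns nil when the rule is valid, otherwise a reason string. Callers skip
# invalid rules instead of aborting the whole run (cf. "Skip rules that fail validation").
def rule_error(name, rule)
  return "#{name}: unknown protocol #{rule['protocol'].inspect}" unless VALID_PROTOS.include?(rule['protocol'])
  return "#{name}: unknown direction #{rule['direction'].inspect}" unless VALID_DIRECTIONS.include?(rule['direction'])
  port = rule['dport']
  return "#{name}: dport must be 1..65535" unless port.is_a?(Integer) && (1..65535).cover?(port)
  return "#{name}: missing peer" if rule['peer'].nil? || rule['peer'].to_s.empty?
  nil
end

# Resolve a peer (IP literal or FQDN) into a sorted list of IPv4 addresses.
# The resolver is injected so the example runs offline; in production you would
# pass something like ->(h) { Resolv.getaddresses(h) }.
def resolve_peer(peer, resolver)
  IPAddr.new(peer)            # parses as a literal address: no lookup needed
  [peer]
rescue IPAddr::InvalidAddressError
  resolver.call(peer).select { |a| IPAddr.new(a).ipv4? }.sort
end

# Render one rule into iptables commands, one per resolved address.
# A nil? or empty? interface means "do not restrict to an interface".
def render_rule(name, rule, resolver)
  return [] if rule_error(name, rule)   # skipped; a cookbook would log the reason
  inbound = rule['direction'] == 'in'
  chain, addr_flag, if_flag = inbound ? %w[INPUT -s -i] : %w[OUTPUT -d -o]
  iface = rule['interface']
  if_part = (iface.nil? || iface.empty?) ? '' : " #{if_flag} #{iface}"
  resolve_peer(rule['peer'], resolver).map do |ip|
    "iptables -A #{chain}#{if_part} -p #{rule['protocol']} #{addr_flag} #{ip} " \
      "--dport #{rule['dport']} -m comment --comment #{name} -j ACCEPT"
  end
end

def build_rules(rules, resolver)
  rules.flat_map { |name, rule| render_rule(name, rule, resolver) }
end

# Constructed sample data: "database-B accepts Postgres from API-A".
CONSTRUCTED_DNS  = { 'api-a.example.internal' => ['10.0.1.21', '10.0.1.20'] }.freeze
OFFLINE_RESOLVER = ->(host) { CONSTRUCTED_DNS.fetch(host, []) }
SAMPLE_RULES = {
  'postgres_from_api' => { 'protocol' => 'tcp', 'direction' => 'in',  'dport' => 5432,
                           'peer' => 'api-a.example.internal', 'interface' => nil },
  'ntp_out'           => { 'protocol' => 'udp', 'direction' => 'out', 'dport' => 123,
                           'peer' => '10.0.0.5', 'interface' => 'eth0' },
  'broken'            => { 'protocol' => 'icmp', 'direction' => 'in', 'dport' => 0, 'peer' => '' },
}.freeze
```

Running `build_rules(SAMPLE_RULES, OFFLINE_RESOLVER)` yields three iptables lines (two for the FQDN peer, one for the literal) and silently drops the `broken` rule.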

On 2012-11-13 18:23, Julien Vehent wrote:

Hi everyone,

Last Friday I gave a talk at Security Bsides Delaware on building dynamic
firewalls with Chef and Netfilter. It's essentially a presentation of the
AFW cookbook (GitHub - jvehent/AFW: Advanced FireWall cookbook for Chef and
Linux that uses Iptables and to dynamically configure inbound and outbound
rules on each node.) that we have been developing at AWeber for the past
6 months.

The video is here: AFW - Firewalling dynamic infrastructures with Chef and Netfilter - Julien Vehent on Vimeo

I know from discussions on Chef Infra (archive) that some folks are using
similar techniques in their own firewall cookbooks. I would be curious to
hear about what approach people are taking to configure them:

  • Do you use static rules?
  • Do you use searches?
  • How do you tell database-B to accept connection from API-A?

I also had an interesting question from a post-talk discussion: would it
be possible to use Chef to configure a Cisco firewall? I'm not sure how
that would work... maybe run chef-client on a VM that mimics the Cisco
device, and that pushes the rules to the appliance using tftp? If you have
ideas/thoughts, I'm definitely interested!

Cheers,
Julien

That’s great. Thanks for sharing your work. Init scripts and cleaning up
node attributes are two things I’m particularly happy to see.